CN102217239B - Method, apparatus and system for updating group transient key

Publication number
CN102217239B
Authority
CN (China)
Application number
CN201080003437.0A
Other languages
Chinese (zh)
Other versions
CN102217239A
Inventors
胡建如
刘国平
颜林志
唐建文
Current assignee
Huawei Technologies Co Ltd
Original assignee
Huawei Technologies Co Ltd
Legal status
Active
Events
Application filed by Huawei Technologies Co Ltd
Publication of CN102217239A
Application granted
Publication of CN102217239B
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/065 Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L 9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key

Abstract

A method, apparatus and system for updating the Group Transient Key (GTK) are provided. The method includes the following steps: dividing an Access Point (AP) into several Virtual Access Points (VAP) according to the service configuration request sent by the Access Control point (AC), wherein each VAP has a Service Set IDentifier (SSID); calculating the GTK at VAP granularity and storing it; and receiving a GTK update proxy request sent by the AC and updating the GTK for the Stations (STA) within the range of the VAP. The method, apparatus and system provided by the embodiments of the present invention not only move GTK management from the AC to the AP, which greatly relieves the load on the AC in the thin-AP centralized management network mode, but also lower the scope of a GTK update from the Extended Service Set (ESS) level to the VAP level, which reduces the scope of each update and the network traffic of the whole system, and lessens system oscillation.

Description

Group transient key update method, apparatus and system
Technical field
The present invention relates to wireless local area networks (WLAN), and in particular to a group transient key update method, apparatus and system.
Background
A wireless local area network (WLAN) is a product of the combination of computer and wireless communication technology in the 1990s. It accesses the network over wireless channels, provides a potential means for mobile, personalized and multimedia communication, and has become one of the effective means of broadband access.
802.11 is the WLAN standard formulated by the IEEE. Its architecture comprises: stations (STA), access points (AP), independent basic service sets (IBSS), basic service sets (BSS), the distribution system (DS) and extended service sets (ESS). A station is usually a PC or notebook fitted with a wireless network card, but may also be an embedded device that provides a wireless connection on a non-terminal, for example a mobile phone supporting 802.11. An access point can be regarded as a wireless hub; its role is to bridge the STA to the existing backbone network (wired or wireless) and so give wireless users access to the wired or wireless network.
In 802.11 networks, to secure over-the-air communication, a group transient key (GTK) is used to encrypt and decrypt broadcast and multicast messages, and for the same security reasons the GTK must be updated both periodically and on demand. In existing thin-AP schemes the GTK is updated on the access control point (AC) at ESS granularity. At present a GTK update is triggered in the following cases:
1. The AC periodically updates the GTK of the users (stations) in the ESS it manages;
2. The AC responds to a GTK update request triggered by a user in the ESS by updating the multicast key for all users in that ESS.
All of the above update operations must be completed on the AC. Because of the nature of WLANs, each ESS managed by an AC contains many users, and users come online and go offline very frequently, so GTK update operations are triggered often. The AC therefore has to process these messages frequently, which lowers system efficiency, degrades performance, and can even paralyse the system.
Summary of the invention
The embodiments of the present invention provide a group transient key update method, apparatus and system, so as to avoid the system performance bottleneck caused by the AC centrally and frequently processing group transient key update operations.
The above object of the embodiments of the present invention is achieved by the following technical solution:
A group transient key update method, comprising: an access point divides itself into multiple virtual access points according to a service configuration request issued by an access control point, each virtual access point having a service set identifier; the access point computes and stores group transient keys at virtual access point granularity; and, on receiving a group key update proxy request issued by the access control point, the access point performs the group key update for the stations within the range of the virtual access point.
An access device on which multiple virtual access points are divided, the device comprising: a detecting unit, for detecting whether a particular virtual access point needs a group transient key update; a determining unit, for determining, when the detecting unit detects that the particular virtual access point needs a group transient key update, the new group transient key to be installed for that particular virtual access point, the particular virtual access point being one of the multiple virtual access points; and an updating unit, for sending the new group transient key to all online stations within the range of the particular virtual access point so that they update their group transient key.
A communication system comprising an access point and stations, the access point being connected to the stations and having multiple virtual access points divided on it, the access point comprising: a detecting unit, for detecting whether a particular virtual access point needs a group transient key update; a determining unit, for determining, when the detecting unit detects that the particular virtual access point needs a group transient key update, the new group transient key to be installed for that particular virtual access point, the particular virtual access point being one of the multiple virtual access points; and an updating unit, for sending the new group transient key to all online stations within the range of the particular virtual access point so that they update their group transient key.
The method, apparatus and system provided by the embodiments of the present invention not only move group key management from the AC to the AP, which greatly relieves the load on the AC under the thin-AP centralized management network model, but also lower the scope of group key updates from the ESS level to the VAP level, which narrows the scope of each update, reduces the network traffic of the whole system, and lessens system oscillation.
Brief description of the drawings
The accompanying drawings described here are provided to give a further understanding of the present invention and form a part of this application; they do not limit the invention. In the drawings:
Fig. 1 is a flow chart of the method of an embodiment of the present invention;
Fig. 2 is a schematic diagram of a thin-AP network structure;
Fig. 3 is a flow chart of a STA accessing the AC through an AP in one embodiment of the present invention;
Fig. 4 is a link establishment flow chart of one embodiment of the present invention;
Fig. 5 is a message authentication flow chart of one embodiment of the present invention;
Fig. 6 is a flow chart of a GTK update method of an embodiment of the present invention;
Fig. 7 is a flow chart of another GTK update method of an embodiment of the present invention;
Fig. 8 is a flow chart of another GTK update method of an embodiment of the present invention;
Fig. 9 is a flow chart of another GTK update method of an embodiment of the present invention;
Fig. 10 is a flow chart of another GTK update method of an embodiment of the present invention;
Fig. 11 is a block diagram of the apparatus of an embodiment of the present invention;
Fig. 12 is a block diagram of the system of an embodiment of the present invention.
Embodiments
To make the object, technical solution and advantages of the embodiments of the present invention clearer, the embodiments are described in further detail below with reference to the embodiments and the accompanying drawings. The illustrative embodiments and their descriptions serve to explain the present invention and do not limit it.
Fig. 1 is a flow chart of a group transient key update method provided by an embodiment of the present invention. The method can be applied to an access point AP in a WLAN. Referring to Fig. 1, the method comprises:
Step 101: the access point AP is divided into multiple virtual access points.
The method of this embodiment can be applied to a thin-AP network architecture. Fig. 2 is a schematic diagram of a thin-AP network structure. Referring to Fig. 2, this architecture comprises an access control point AC, the access points AP under the central control of the AC, and the station devices STA connected under each access point AP.
In this embodiment, the division into VAPs can be triggered after the AP receives a service configuration request issued by the access control point AC. According to the service type, service configuration parameters and so on carried in the service configuration request, the AP divides multiple virtual APs (VAPs) on itself; each VAP corresponds to a service set identifier (SSID) and is identified by that SSID. The AP determines from the service configuration request which service type needs to be configured and adds that service type to one or more existing VAPs. The division of VAPs on the AP may also be configured remotely by the business support system through a management interface as required, or configured by operation and maintenance staff through the command line or a human-machine interface. Each of the VAPs divided on the AP may contain one or more services. For example, three VAPs, VAP1, VAP2 and VAP3, may be divided on the AP, where VAP1 provides only internet access, VAP2 provides only a video service, and VAP3 provides both internet access and a video service; this embodiment is not limited to this. Because each VAP is logically independent, the VAPs do not affect each other, which simplifies service operation, maintenance and management.
In this embodiment, the SSID of a VAP identifies the VAP, so that after a station scans the SSID with its wireless network card it can conveniently connect to the VAP corresponding to that SSID among the multiple VAPs on the AP, associate with the AC, and thereby access the network.
Step 102: the AP computes group transient keys at VAP granularity.
In this embodiment, each of the multiple VAPs on the AP computes its own group transient key: one group transient key corresponds to one VAP and is shared by all STAs under that VAP. The AC no longer needs to store the group master key (GMK) and GTK information at ESS level; instead the AP computes and stores them at VAP granularity, that is, the AP computes and stores GMK and GTK information for each VAP. If a user (station) under a VAP goes offline, or the group transient key needs updating for some other reason, only the GTK of that VAP needs to be updated and announced to all online users under that VAP. The whole update process therefore does not require the AC, and each update involves at most about 100 users.
Step 103: the AP sends the computed group transient key to all online users under the corresponding VAP to update the group transient key of that VAP.
For example, the AP receives a group key update proxy request issued by the AC, responds to it by determining which of the multiple VAPs needs a group transient key update, and performs the group key update for all online STAs within the range of the determined VAP.
In this embodiment, the AP detects whether a specific VAP on the AP needs a group transient key update, so as to trigger the update for that specific VAP.
In one embodiment of the invention, detecting whether a specific VAP on the AP needs a group transient key update is implemented by the AP detecting a group key update proxy request sent by the AC: the AP detects the group key update proxy request sent by the AC, determines the VAP that needs a group transient key update, and performs the update within the range of the determined VAP.
In another embodiment of the invention, detecting whether a specific VAP on the AP needs a group transient key update is implemented by the AP detecting the connection status of the STAs in its coverage area: when the AP detects that a specific STA in its coverage area changes from online to offline, it determines that the VAP to which that STA belonged needs a group transient key update, and performs the update within the range of that VAP.
Because the whole update process no longer requires the AC, the processing load of the AC is relieved. Moreover, whereas the ESS managed by the AC previously covered all the APs connected under it, in the embodiment of the present invention the scope of the update is lowered from the ESS level managed by the AC to the VAP level of the AP, which narrows the scope of each update, reduces the network traffic of the whole system, and lessens system oscillation.
Fig. 3 is a flow chart of the processing when a STA accesses the network through an AP using the method provided by the embodiment of the present invention. Referring to Fig. 3, the access process comprises:
Step 301: the STA scans nearby wireless signals with its wireless network card and obtains a list of wireless access points, that is, the set of service set identifiers (SSIDs) provided by the AP of this embodiment after dividing VAPs, and the STA selects one of them to connect to;
In this embodiment, depending on the authentication mode, the STA may need to enter a password, present a certificate or use another method to prove that its access is legitimate; these can be implemented by prior-art methods and are not repeated here.
In this embodiment, the STA's wireless connection to the selected SSID can be completed by the steps shown in Fig. 4, although this embodiment is not limited to this. Referring to Fig. 4, the method comprises:
Step 401: the STA sends a link authentication request (Authentication request, open system) to the AP;
The link authentication request may also carry the SSID of the selected VAP and the user identifier of the STA.
Step 402: the AP receives the link authentication request, performs link authentication and returns a link authentication response to the STA;
Step 403: after receiving the link authentication response returned by the AP, the STA sends an association request (Association request) to the AC via the AP;
The association request may carry the SSID of the VAP selected by the STA and the user identifier of the STA.
Step 404: when the AC decides that the STA may access, it establishes the association between the VAP and the STA on the AC and returns an association response (Association response) to the STA, allowing it to access the wireless network; at the same time the AC records the association information of the STA, such as the STA's MAC address, VAP and SSID.
The association response may carry the association between the STA and the VAP, such as the correspondence between the SSID and the STA. Because all messages exchanged between the STA and the AC are forwarded via the AP, the AP can intercept the association response; if it determines that the AC has authenticated the STA successfully, it establishes the association between the STA and the VAP on the AP according to the VAP-STA association carried in the association response. At this point the AP has also stored the correspondence between the STA's MAC address, VAP and SSID, and the wireless link is connected.
Step 302: after the wireless link is connected, the STA performs message authentication with the AC via the AP;
In this embodiment, this message authentication can be implemented by a 4-way handshake in which the AC does not send GTK information to the STA. Referring to Fig. 5, the process comprises the following steps:
Step 501: the AC sends message 1 to the STA;
Message 1 contains a random value, the A-nonce. It is the first message of the four-way handshake and is identical to the existing 4-Way Handshake Message 1, so it is not repeated here.
In this embodiment, the STA returns authentication information to the AC according to this A-nonce; this is prior art and is not repeated here.
A nonce is a random value used to guard against replay attacks; the A-nonce is the random number sent by the AC to the STA.
Step 502: the STA sends message 2 to the AC via the AP;
Message 2 contains the STA's MAC address, a message integrity code (MIC) and the S-nonce, where the MIC is a message authentication code that protects message 2 from tampering and the S-nonce is the random number sent by the STA to the AC. Likewise, message 2 is the second message of the four-way handshake and is identical to the existing 4-Way Handshake Message 2, so it is not repeated here.
In this embodiment, the AC computes the pairwise transient key (PTK) from the STA's MAC address and S-nonce in message 2 together with the AC's MAC address and A-nonce, computes a MIC from this PTK, and compares the computed MIC with the MIC in message 2 to verify whether the STA is legitimate. This can be implemented by prior-art means and is not repeated here.
In this embodiment, if the computed MIC is identical to the MIC in message 2, the STA is legitimate.
Step 503: the AC sends message 3 to the STA via the AP;
Message 3 contains the AC's MIC check value and the AC's encryption state. Likewise, message 3 is the third message of the four-way handshake; it shows that the AC has verified that the STA knows the PMK, and notifies the STA that the AC is ready to install and use the data encryption key. It is identical to the existing 4-Way Handshake Message 3 and is not repeated here.
In this embodiment, the STA compares the MIC check value in message 3 with its own MIC to determine whether the AC is a trusted party, and determines from the AC's encryption state in message 3 whether the AC is ready to install and use the data encryption key.
Step 504: the STA sends message 4 to the AC via the AP;
Message 4 contains key confirmation information. Likewise, message 4 is the fourth message of the four-way handshake and is identical to the existing 4-Way Handshake Message 4, so it is not repeated here.
In this embodiment, from message 4 the AC determines that the key is about to be installed and encryption started, and at the same time determines that the handshake procedure has finished.
Step 303: after message authentication succeeds, the access control point AC issues the PTK to the VAP; the VAP stores the PTK information, uses it to encrypt and decrypt unicast messages, and starts the GTK update.
In this embodiment, after the 4-way handshake between the STA and the AC, the AC sends the computed pairwise transient key PTK to the VAP, and the VAP starts the group transient key update process after receiving the PTK.
In this embodiment, the VAP starts the GTK update through a two-message handshake. Continuing with Fig. 5, the process comprises:
Step 505: the AP sends message 5 to the STA;
Message 5 contains the group transient key; it is Group Key Handshake Message 1.
In this embodiment, the AP issues the group transient key at VAP granularity, that is, it issues the group transient key to all online STAs within the range of the VAP.
Step 506: the STA sends message 6 to the AP;
Message 6 is the response to message 5; it is Group Key Handshake Message 2.
In this embodiment, after receiving the group transient key, the STA updates its group transient key and returns update-complete information to the AP in message 6.
In this embodiment, the handshake messages can be EAPOL-Key (Extensible Authentication Protocol over LAN Key) messages whose format is the same as that of existing EAPOL-Key messages, comprising the fields: descriptor type, key information, key length, replay counter, key nonce, EAPOL-Key IV, key RSC (receive sequence counter), key identifier, key MIC (16 bytes), key data length (2 bytes) and key data (0..n bytes). A descriptor type of 254 indicates a WPA1 message and a descriptor type of 2 indicates a WPA2 message. The key information field contains several sub-fields that give the key type and how it is used, together with various control bits related to the handshake. The key length field gives the key length in bytes, mainly for the pairwise key: although the actual PTK is not sent in this key frame, this is the length of the PTK, the target key. The replay counter field increases with each message so that any attempt to replay an old message can be detected; the exception is a message that is the response to an ACK request, in which case the counter value of the message being replied to is inserted into this field. The key nonce field carries the current nonce used to derive the pairwise transient key and the group key. The EAPOL-Key IV field is used when transmitting the group key: the GTK is encrypted with the EAPOL-Key encryption key together with this IV value, and the encrypted GTK is placed in the key data field. The key RSC field carries the sequence number the receiver expects in the first frame received after the key is installed, to prevent replay attacks. The key identifier field is not used in WPA; in future it may be used to allow several keys to be established in advance. The key MIC field is an integrity check value computed over the frame from the EAPOL protocol version field to the end of the key material, with this field set to zero during the computation. The key data length field gives the length of the key data field in bytes. The key data field may differ from the actual key itself: it carries the secret data that need to be transmitted, for example the encrypted GTK in the group key case, while in some pairwise key states it carries an information element.
The key information field is explained in Table 1:
Table 1
Bits 4 to 9 are explained in Table 2:
Table 2
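The frame layout and the MIC rule in the paragraph above, together with the MIC comparison of steps 502 and 503, can be exercised in a few functions. The following Python is an added example and is not code from the patent or from Huawei: it derives the PTK from the PMK, the two MAC addresses and the two nonces with the IEEE 802.11i PRF, packs an RSN (descriptor type 2) EAPOL-Key frame in the field order listed above, computes the key MIC over the frame with the MIC field zeroed, parses the frame back, verifies the MIC, and checks the replay counter as a supplicant would. The PMK, MAC addresses, nonces and key data are constructed sample values (the key data is a placeholder rather than an AES-wrapped GTK), and the key information bit positions follow the 802.11i RSN key descriptor, since the page's Table 1 is not reproduced here.

```python
"""Added example: build, parse and MIC-check an IEEE 802.11i EAPOL-Key frame."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Key information bits of the RSN key descriptor (IEEE 802.11i), not from the page's Table 1.
KEY_INFO_VERSION_MASK = 0x0007       # 1 = HMAC-MD5 MIC, 2 = HMAC-SHA1-128 MIC
KEY_INFO_PAIRWISE = 1 << 3           # set = pairwise key message, clear = group key message
KEY_INFO_INSTALL = 1 << 6
KEY_INFO_ACK = 1 << 7
KEY_INFO_MIC = 1 << 8
KEY_INFO_SECURE = 1 << 9
KEY_INFO_REQUEST = 1 << 11           # set by a STA asking the authenticator to rekey
KEY_INFO_ENCRYPTED_KEY_DATA = 1 << 12

EAPOL_HDR = struct.Struct("!BBH")    # protocol version, packet type, body length
EAPOL_KEY_TYPE = 3
RSN_DESCRIPTOR = 2                   # 254 would be the WPA1 descriptor
# descriptor type, key info, key length, replay counter, key nonce, EAPOL-Key IV,
# key RSC, key ID, key MIC, key data length -- the field order given in the description
KEY_DESC = struct.Struct("!BHHQ32s16sQ8s16sH")
MIC_OFFSET = EAPOL_HDR.size + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8   # 81: start of key MIC
MIC_LEN = 16

# Constructed sample material; none of these are real keys or addresses.
PMK = hashlib.sha256(b"constructed sample PMK, not a real key").digest()
AA = bytes.fromhex("020000000001")   # authenticator (AC/AP) MAC, constructed
SPA = bytes.fromhex("020000000002")  # supplicant (STA) MAC, constructed
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, nbytes: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min/max of MACs || min/max of nonces); KCK is the first 16 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def compute_mic(kck: bytes, frame: bytes, version: int) -> bytes:
    """MIC over the whole EAPOL frame with the key MIC field zeroed, as the description states."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_eapol_key(kck, key_info, key_length, replay_counter, nonce, iv=bytes(16), rsc=0, key_data=b""):
    body = KEY_DESC.pack(RSN_DESCRIPTOR, key_info, key_length, replay_counter, nonce, iv, rsc,
                         bytes(8), bytes(MIC_LEN), len(key_data)) + key_data
    frame = EAPOL_HDR.pack(2, EAPOL_KEY_TYPE, len(body)) + body
    if key_info & KEY_INFO_MIC:
        mic = compute_mic(kck, frame, key_info & KEY_INFO_VERSION_MASK)
        frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]
    return frame


@dataclass
class EapolKey:
    key_info: int
    key_length: int
    replay_counter: int
    nonce: bytes
    mic: bytes
    key_data: bytes

    @property
    def is_group_key_message(self) -> bool:
        return not (self.key_info & KEY_INFO_PAIRWISE)

    @property
    def is_rekey_request(self) -> bool:
        return bool(self.key_info & KEY_INFO_REQUEST)


def parse_eapol_key(frame: bytes) -> EapolKey:
    """Unpack the descriptor; length fields are checked so a short frame cannot over-read."""
    _version, ptype, length = EAPOL_HDR.unpack_from(frame)
    if ptype != EAPOL_KEY_TYPE:
        raise ValueError("not an EAPOL-Key frame")
    body = frame[EAPOL_HDR.size:EAPOL_HDR.size + length]
    if len(body) < KEY_DESC.size:
        raise ValueError("truncated key descriptor")
    desc, key_info, key_len, replay, nonce, _iv, _rsc, _kid, mic, kd_len = KEY_DESC.unpack_from(body)
    if desc != RSN_DESCRIPTOR:
        raise ValueError(f"unsupported descriptor type {desc}")
    key_data = body[KEY_DESC.size:KEY_DESC.size + kd_len]
    if len(key_data) != kd_len:
        raise ValueError("key data length exceeds frame")
    return EapolKey(key_info, key_len, replay, nonce, mic, key_data)


def verify_mic(kck: bytes, frame: bytes) -> bool:
    msg = parse_eapol_key(frame)
    expected = compute_mic(kck, frame, msg.key_info & KEY_INFO_VERSION_MASK)
    return hmac.compare_digest(expected, msg.mic)   # constant-time comparison


def accept_replay_counter(msg: EapolKey, last_seen: int) -> bool:
    """A supplicant accepts only a counter strictly larger than the last one it processed."""
    return msg.replay_counter > last_seen


def demo() -> dict:
    ptk = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)
    kck = ptk[:16]
    # Group Key Handshake Message 1: group key type, MIC, Secure, ACK, encrypted key data.
    key_info = 2 | KEY_INFO_MIC | KEY_INFO_SECURE | KEY_INFO_ACK | KEY_INFO_ENCRYPTED_KEY_DATA
    frame = build_eapol_key(kck, key_info, 16, replay_counter=3, nonce=bytes(32),
                            key_data=b"\x00" * 24)   # placeholder for the wrapped GTK KDE
    msg = parse_eapol_key(frame)
    tampered = frame[:-1] + bytes([frame[-1] ^ 0x01])   # flip one bit of key data
    return {"ptk_len": len(ptk), "mic_ok": verify_mic(kck, frame),
            "group": msg.is_group_key_message, "tampered_ok": verify_mic(kck, tampered),
            "fresh": accept_replay_counter(msg, 2), "replayed": accept_replay_counter(msg, 3)}


if __name__ == "__main__":
    print(demo())
```

The MIC is computed over the entire frame, so flipping a single bit of the key data is caught before the key data is ever unwrapped; the replay counter check is the supplicant's side of the rule described above, and the AES key wrap of the GTK under the KEK is left out of the example.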
Fig. 6 is a flow chart of the method provided by the embodiment of the present invention in which the AP, on the active request of a STA, performs a group key update for all STAs within the range of the VAP that the STA accesses. Referring to Fig. 6, the method comprises:
Step 601: the AP receives a group transient key update request from the STA; the 12th bit of the key information field in Table 1 indicates whether the message is a group key update message;
Step 602: the AP updates the group transient key of the VAP accessed by the STA;
From the MAC address information in the group transient key update request message the AP can find the VAP with which the STA is associated, and then look up the corresponding group transient key by VAP. This locally stored group transient key corresponding to the VAP identifier was computed and stored by the AP itself before the group transient key update request was received; the method of computing the group transient key is prior art and is not repeated here.
Step 603: the AP sends the message carrying the updated group transient key to all online STAs within the range of the VAP accessed by the STA.
Fig. 7 is a flow chart of the method provided by the embodiment of the present invention in which the AP, when a STA goes offline normally, performs a group key update for all STAs within the range of the VAP the STA originally accessed. Referring to Fig. 7, the method comprises:
Step 701: the AP receives a disassociation request from the STA. After leaving the VAP, the STA sends a disassociation message to the AP; on receiving it the AP first deletes the STA's information on the AP and then notifies the AC to delete the STA information stored earlier, such as the STA's MAC, VAP and SSID;
Step 702: the AP updates the group transient key of the VAP originally accessed by the STA;
From the MAC address information in the disassociation request message the AP can find the VAP with which the STA was associated, and then look up the corresponding group transient key by VAP. This locally stored group transient key corresponding to the VAP identifier was computed and stored by the AP itself before the group transient key update was triggered; the method of computing the group transient key is prior art and is not repeated here.
Step 703: the AP sends the message carrying the updated group transient key to the STAs within the range of the VAP originally accessed by the STA.
Thus the AP has triggered the update of the group transient key of the STAs within the range of the VAP.
Fig. 8 is a flow chart of the method provided by the embodiment of the present invention in which the AP, when a STA goes offline abnormally, performs a group key update for all STAs within the range of the VAP the STA originally accessed. Referring to Fig. 8, the method comprises:
Step 801: the AP detects whether the STA has gone offline;
In this embodiment, the AP can detect whether the STA has gone offline from its traffic.
Step 802: the AP periodically checks whether the STA's entry on the AP chip has traffic statistics, which the chip keeps per STA MAC address; if it detects that the STA has no traffic, it regards the STA as offline and updates the group transient key of the VAP originally accessed by the STA;
Step 803: the AP sends the message carrying the updated group transient key to all online STAs within the range of the VAP originally accessed by the STA.
Thus the AP has triggered the update of the group transient key of the STAs within the range of the VAP.
Fig. 9 is a flow chart of the method provided by the embodiment of the present invention in which the AP, when a STA roams, performs a group key update for all STAs within the range of the VAP the STA originally accessed. Referring to Fig. 9, the method comprises:
Step 901: the AP receives a disassociation or deauthentication request from the STA;
In this embodiment, the STA has left the old VAP and authenticates to a new VAP, and sends a disassociation or deauthentication request to the old VAP.
Step 902: the AP updates the group transient key of the VAP originally accessed by the STA;
In this embodiment, after the old VAP receives the disassociation or deauthentication request, it triggers the group key update for the STAs within the range of that VAP.
From the MAC address information in the disassociation or deauthentication request message the AP can find the VAP with which the STA was associated, and then look up the corresponding group transient key by VAP. This locally stored group transient key corresponding to the VAP identifier was computed and stored by the AP itself before the group transient key update was triggered; the method of computing the group transient key is prior art and is not repeated here.
Step 903: the AP sends the message carrying the updated group transient key to the STAs within the range of the VAP originally accessed by the STA.
Thus the AP, acting on behalf of the AC, has triggered the update of the group transient key of the STAs within the range of the VAP.
The method of Figure 10 for providing according to the embodiment of the present invention, the flow chart of the group key management of all STA within the scope of VAP is upgraded in AP timing, please refer to Figure 10, and the method comprises:
Step 1001: timing renewal group temporary key;
Step 1002: the message that sends the group temporary key after upgrading to the STA within the scope of VAP.
By the method for the present embodiment, AP is according to the group key management proxy requests of AC, in the time of needs renewal group temporary key, replace AC within the scope of VAP, to organize the renewal of temporary key, participate in because whole renewal process does not just need AC, alleviated the processing load of AC, again because the scope of upgrading drops to VAP level by ESS level, dwindle the scope of upgrading, therefore reduced the flow of whole system network, the concussion that has alleviated system.
Fig. 11 is a block diagram of an access device provided by an embodiment of the present invention. Referring to Fig. 11, multiple virtual access points are divided on this device, and the device comprises:
Detecting unit 111, for detecting whether a particular virtual access point needs to update its group temporal key.
Determining unit 112, for determining the new group temporal key to be updated for the particular virtual access point when detecting unit 111 detects that the particular virtual access point needs to update its group temporal key.
Updating unit 113, for sending the new group temporal key to the online wireless stations within the particular virtual access point so that they update their group temporal key.
The access device also comprises a dividing unit 114, for dividing multiple virtual access points on the access device according to a service configuration request of the access controller.
Detecting unit 111 may specifically comprise a first detection module 1111 and a second detection module 1112, wherein:
The first detection module 1111 is for determining, when it detects from the traffic that a wireless station has gone offline, that the virtual access point to which the wireless station belongs needs to update its group temporal key.
The second detection module 1112 is for determining, when it detects a disassociation or deauthentication request sent by a wireless station, that the virtual access point to which the wireless station belongs needs to update its group temporal key.
Updating unit 113 may also periodically send a new group temporal key to the wireless stations under a virtual access point.
Each component of the device of this embodiment implements the corresponding steps of the method embodiments above; since each step has been described in detail in the method embodiments, it is not repeated here.
The device of this embodiment can be applied to an access point AP; details are not repeated here.
With the device of this embodiment, the AP, according to the group key update proxy request of the AC, performs the group temporal key update within the VAP in place of the AC whenever the group temporal key needs updating. Because the whole update process does not require the AC to participate, the processing load on the AC is reduced; and because the scope of the update drops from ESS level to VAP level, the update scope is narrowed, which reduces traffic across the whole system network and reduces disturbance to the system.
Fig. 12 is a block diagram of a communication system provided by an embodiment of the present invention. Referring to Fig. 12, the system comprises an access point (AP) 122 and wireless stations (STA) 123, and multiple virtual access points are divided on AP 122, wherein:
AP 122 is for determining, when it detects that a particular virtual access point needs to update its group temporal key, the new group temporal key to be updated for that virtual access point, and for sending the determined new group temporal key to all online wireless stations within that virtual access point so that they update their group temporal key.
The system provided may also comprise an access controller (AC) 121; AC 121 is for issuing a service configuration request to AP 122, and AP 122 can divide itself into multiple virtual access points according to this service configuration request.
Specifically, AC 121 is for issuing a service configuration request and a group key update proxy request to AP 122.
Access point 122 is for dividing itself into multiple VAPs according to the service configuration request issued by AC 121, for example VAP1 to VAPn, where n is a positive integer; each VAPi (1 ≤ i ≤ n) performs group key updates for the wireless stations within VAPi according to the issued group key update proxy request.
In this embodiment, the wireless stations STA are physically connected to access point 122, but because access point 122 is divided into multiple virtual access points 122i, the wireless stations connected to access point 122 respectively belong to these virtual access points VAPi; that is, each virtual access point VAPi corresponds to multiple wireless stations.
In this embodiment, access point 122 may comprise the access device shown in Fig. 11; since this device has been described in detail in the explanation of Fig. 11, it is not repeated here.
Wireless station 123 is for receiving the updated group temporal key issued by access point 122.
In this embodiment, wireless station 123 is a wireless station within the range of some virtual access point VAPi connected to access point 122; there may be several such stations, depending on how access point 122 divides its virtual access points and on the update request. For example, if access point 122 is divided into n virtual access points VAP1 to VAPn, and according to the group key update proxy request of access controller 121 a group key update needs to be performed for the STAs within VAP1, access point 122 updates the group temporal key of VAP1 and issues it to the STAs within VAP1.
With the system of this embodiment, the AP, according to the group key update proxy request of the AC, performs the group temporal key update within the VAP in place of the AC whenever the group temporal key needs updating. Because the whole update process does not require the AC to participate, the processing load on the AC is reduced; and because the scope of the update drops from ESS level to VAP level, the update scope is narrowed, which reduces traffic across the whole system network and reduces disturbance to the system.
Compared with existing group temporal key update methods, the methods, devices and systems provided by the embodiments of the present invention have the following advantages:
1. The location of group key management is changed, being transferred from the AC to the AP; under the thin-AC centralized-management network model, this greatly reduces the burden on the AC;
2. The scope of the group key update is changed, dropping from ESS level to VAP level, which narrows the update scope, reduces traffic across the whole system network, and reduces disturbance to the system;
3. WPA is divided into the two standards WPA1 and WPA2, and the technical scheme of the embodiments of the present invention also optimizes the group key update process of WPA2.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The specific embodiments described above further explain the objectives, technical solutions and beneficial effects of the present invention. It should be understood that the foregoing are only specific embodiments of the present invention and are not intended to limit the scope of protection of the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (11)

1. A WLAN group temporal key update method, characterized in that the method comprises:
dividing an access point into multiple virtual access points;
the access point detecting that a particular virtual access point needs to update its group temporal key, and determining the new group temporal key to be updated for this particular virtual access point, the particular virtual access point being one of the multiple virtual access points;
the access point sending the determined new group temporal key to all online wireless stations within the particular virtual access point so that they update their group temporal key.
2. The method according to claim 1, characterized in that the step of determining the new group temporal key to be updated for the particular virtual access point comprises:
the access point calculating the new group temporal key to be updated for the particular virtual access point according to a locally configured key update policy.
3. The method according to claim 1, characterized in that the method further comprises:
the access point receiving the group temporal key of a virtual access point periodically issued by the access controller, and using this group temporal key to update the service group identifier to group temporal key mapping table of the virtual access point in the local database;
and the step of determining the new group temporal key to be updated for the particular virtual access point comprises:
the access point obtaining the service group identifier of the particular virtual access point, and querying, from the service group identifier to group temporal key mapping table, the most recently updated group temporal key matching the service group identifier of the particular virtual access point as the new group temporal key.
4. The method according to any one of claims 1 to 3, characterized in that:
the access point detects from the traffic that a wireless station has gone offline, and determines that the virtual access point to which the wireless station belongs needs to update its group temporal key.
5. The method according to any one of claims 1 to 3, characterized in that:
the access point detects a disassociation or deauthentication request sent by a particular wireless station, and determines that the virtual access point to which the particular wireless station belongs needs to update its group temporal key.
6. An access device, characterized in that multiple virtual access points are divided on the device, and the device comprises:
a detecting unit, for detecting whether a particular virtual access point needs to update its group temporal key;
a determining unit, for determining, when the detecting unit detects that the particular virtual access point needs to update its group temporal key, the new group temporal key to be updated for the particular virtual access point, the particular virtual access point being one of the multiple virtual access points;
an updating unit, for sending the new group temporal key to all online wireless stations within the particular virtual access point so that they update their group temporal key.
7. The device according to claim 6, characterized in that the detecting unit specifically comprises:
a first detection module, for determining, when it detects from the traffic that a wireless station has gone offline, that the virtual access point to which the wireless station belongs needs to update its group temporal key.
8. The device according to claim 7, characterized in that the detecting unit further comprises:
a second detection module, for detecting a disassociation or deauthentication request sent by a wireless station, and determining that the virtual access point to which the wireless station belongs needs to update its group temporal key.
9. The device according to claim 7, characterized in that the device further comprises a dividing unit, the dividing unit being for dividing the access device into multiple virtual access points according to a service configuration request of the access controller.
10. A communication system, the system comprising an access point and wireless stations, the access point being connected to the wireless stations, and multiple virtual access points being divided on the access point, characterized in that:
the access point comprises:
a detecting unit, for detecting whether a particular virtual access point needs to update its group temporal key;
a determining unit, for determining, when the detecting unit detects that the particular virtual access point needs to update its group temporal key, the new group temporal key to be updated for the particular virtual access point, the particular virtual access point being one of the multiple virtual access points;
an updating unit, for sending the new group temporal key to all online wireless stations within the particular virtual access point so that they update their group temporal key.
11. The system according to claim 10, characterized in that the system further comprises an access controller, for issuing a service configuration request and a group key update proxy request to the access point.
CN201080003437.0A 2010-01-08 2010-01-08 Method, apparatus and system for updating group transient key Active CN102217239B (en)
