CN102984700A - Security information storage apparatus, and authentication method and system - Google Patents
Security information storage apparatus, and authentication method and system Download PDFInfo
- Publication number
- CN102984700A CN102984700A CN2011102610395A CN201110261039A CN102984700A CN 102984700 A CN102984700 A CN 102984700A CN 2011102610395 A CN2011102610395 A CN 2011102610395A CN 201110261039 A CN201110261039 A CN 201110261039A CN 102984700 A CN102984700 A CN 102984700A
- Authority
- CN
- China
- Prior art keywords
- key information
- security association
- terminal
- access device
- storage equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
The present invention discloses an authentication method and the method comprises: in the process of terminal switching, the access device, which is connected with the terminal after the switching, acquires security association related to the terminal and key information from a security information storage apparatus; (4-way-handshake) process is performed according to the acquired security association and key information. The present invention also discloses a security information storage apparatus and an authentication system. By using the method, apparatus and system of the present invention, the time required for the connection reestablishment procedure during terminal switching is effectively shortened, thereby ensuring the continuity of the service, and improving the user experience.
Description
Technical field
The present invention relates to authentication techniques, refer to especially a kind of secure information storage equipment, authentication method and system.
Background technology
Find according to market survey, smart mobile phone and the mobile internet device take iPad as representative (MID, Mobile Internet Device) take iPhone, blackberry, blueberry as representative, the occupation rate on terminal market is more and more higher.Compare with common handheld terminal, these intelligent terminals have independently operating system, and software that a lot of third party service providers provide, game etc. are installed, and the use of this class method can produce a large amount of network traffics, with AT﹠amp; T is example, and its iPhone Ownership only accounts for its total client 3%, but has but produced 40% network traffics of total flow.
Owing to be subjected to the restriction of self-technique and cost, 3G (Third Generation) Moblie technology (3G, eating dishes without rice or wine 3rd-generation) can't provide enough wireless bandwidths for these intelligent terminals user, a large amount of internets (Internet) flow that the intelligent terminal user produces has also made the 3G core network can't bear the heavy load, thereby so that the limited contradiction of the demand of user's rapid growth and system capability is more and more sharp-pointed, therefore, need to shunt the data business.
Because WLAN (wireless local area network) (WLAN, Wireless Local Area Network) technology is the minimum wireless access technology of unit bandwidth cost, therefore, utilizes WLAN to come the common recognition that has become industry is shunted in the data service in the existing network.At present, occurred the multiple terminal of supporting simultaneously WLAN and Generation Mobile Telecommunication System technology (2G, 2nd Generation)/3G on the market, from 2010, each large operator began extensive centralized procurement and has built WLAN with all strength both at home and abroad.
Along with the deployment of WLAN focus is more and more intensive, so that in some zones, WLAN has realized seamless coverage.The universal while of the expansion of network size and related service has also stimulated the demand of user to network, and for example, part handheld terminal user can through on the bus of being everlasting or under other low speed situation of movement, watch Internet video or play online game.Yet in this moving process, the situation that terminal will can switch inevitably in the process of switching, need to satisfy user's business continuance requirement; Here, described business continuance requires just to refer to that the process that terminal is switched can not be to the ongoing professional harmful effect that produces.
Consider that the process that the user is switched is actually the process that a network linking is rebuild, therefore, user's business continuance requires network has been proposed following requirement:
1, when terminal is switched, need to there be the mechanism of network layer or higher level to guarantee the session that terminal is current or connect not interrupt;
2, when terminal is switched, first disconnection is connected with former access device, connect with new access device more afterwards, because in the process of this connection reconstruction, terminal can't be carried out actual data interaction with network, therefore, the required time of connection reconstruction can not be greater than the professional patient packet loss of institute or the shake limit.
Although in some zone, WLAN can guarantee that the user has the network coverage all the time in its moving process,, existing network but can't guarantee its business continuance requirement, main cause is: the required time of connection reconstruction is not satisfied business need.Particularly, at present, the patient packet loss limit of business that common real-time is stronger generally is no more than 500ms, and such as real-time video traffic and some online games, and among the existing WLAN, required time of connection reconstruction is generally all greater than 500ms during switching.
Cause that the WLAN connection reconstruction is consuming time can tolerate that greater than partial service the reason of the limit is: WLAN terminal " the first company of having no progeny " mechanism, that is: terminal is with before the access device that has been connected disconnects, can't build in advance communication linkage with new access device, this just means, when terminal was switched, what in fact terminal was carried out was exactly once complete networking flow process.
And the WLAN terminal is finished once the complete needed time of networking flow process, mainly comprise: finish physical layer and switch the required time, finish the required time of link layer switching and finish its above information configuration of network layer such as required times of switching such as Internet Protocol (IP, Internet Protocol) addresses.The below describes in detail to finish and switches the required time for every kind of switching.
The physical layer required time of switching mainly refers to: terminal scanning, new required time of access device signal of discovery, main and access point (AP of required time, the specific implementation of deployment Access Point), configuration mode and terminal scanning, the new access device signal of discovery is relevant, comprise: the concrete mode of terminal scanning wireless signal etc., in the ideal case, the physical layer required time of switching is about about 50ms.
The link layer required time of switching mainly refers to: accessing terminal to network, and set up the required time of security relationship with network, here, the process of setting up security relationship comprises: the distribution of authentication, re-authentication and association key, certificate server is connected by switch with authenticator (Authenticator), in the ideal case, accessing terminal to network, and set up required time of security relationship with network and distribute as shown in table 1:
Table 1
| The process of carrying out | The required time | Account for the percentage of authentication required time |
| Open mode (Open Authentication) | 1.98ms | 0.99% |
| Set up related (Association) | 1.62ms | 0.81% |
| The EAP authentication | 192.47ms | 96.28% |
| 4-Way Handshake | 3.84ms | 1.92% |
As can be seen from Table 1, link layer switches the required time mainly by Extensible Authentication Protocol (EAP, Extensible Authentication Protocol) the consuming time decision of authentication, and, in actual environment, authentication, mandate, charging (AAA, Authentication, Authorization, Accounting) server generally is positioned at upper network layer, and also have the multi-hop route between the Authenticator, even also may there be the equipment such as AAA Proxy in the centre, therefore actual switching meeting consuming time is longer; Here, described aaa server is pointed out the card server exactly.
Switch the required time for network layer and above information configuration thereof, at proxy-mobile IP (PMIP, Proxy Mobile IP) in the network, the time that L3 switches is mainly depended on and new, old access control point (AC, Acess Controller) and local mobile anchor (LMA, Local Mobile Anchor) network condition between, in laboratory environment, the L3 required time of switching is about 30-50ms.
Can find out that from top description the time that the EAP verification process during switching consumes is connection reconstruction flow process main cause consuming time when causing terminal to switch, therefore, the time that the EAP verification process when how to shorten switching consumes is present problem demanding prompt solution.
Summary of the invention
In view of this, main purpose of the present invention is to provide a kind of authentication method, equipment and system, the required time of connection reconstruction process in the time of effectively shortening the terminal switching.
For achieving the above object, technical scheme of the present invention is achieved in that
The invention provides a kind of authentication method, the method comprises:
In the process that terminal is switched, the access device that terminal connects after switching obtains described terminal relevant security association and key information from secure information storage equipment;
Carry out 4-Way Handshake (4-way-handshake) flow process according to the content in the security association that obtains and the key information.
In the such scheme, described access device obtains described terminal relevant security association and key information from secure information storage equipment, for:
Secure information storage equipment is according to strategy, and the access device in network sends security association and the key information of self storing;
Described access device is preserved security association and the key information receive at local cache, obtains described terminal relevant security association and key information from the security association self preserved and key information; Perhaps,
Described access device sends query messages to secure information storage equipment, obtains described terminal relevant security association and key information.
In the such scheme, described access device obtained described terminal relevant security association and key information from secure information storage equipment before, the method further comprised:
Described access device judges whether local cache preserves relevant security association and the key information of terminal, when determining not preserve, obtains described terminal relevant security association and key information from secure information storage equipment.
In the such scheme, the method further comprises:
When determining that local cache is preserved the relevant security association of terminal and key information, carry out the 4-way-handshake flow process according to the content in the security association that from local cache, obtains and the key information.
In the such scheme, before according to the security association that obtains and the execution of the content in key information 4-way-handshake flow process, the method further comprises:
The security association that obtains of check and the validity of key information, determine that information effectively after, carry out the 4-way-handshake flow process according to the content in the security association that obtains and the key information.
In the such scheme, the security association that described check is obtained and the validity of key information, for:
Whether the safeguard protection the mode whether security association that judgement is obtained and key information exceed in the term of validity and/or the key information mates with the safeguard protection mode of self supporting; if the safeguard protection mode that exceeds the safeguard protection mode in the term of validity and/or the key information and self support is not mated; think that then the security association and the key information that obtain are invalid; if the safeguard protection mode that does not exceed the safeguard protection mode in the term of validity and/or the key information and self support is mated, think that then the security association and the key information that obtain are effective.
In the such scheme, when described access device does not get access to the relevant security association of described terminal and key information from secure information storage equipment or, determine that the security association that obtains and key information are invalid after, the method further comprises:
Described access device is initiated complete networking identifying procedure to described terminal, and after finishing, relevant security association and the key information of described terminal that produces in the networking identifying procedure is uploaded to secure information storage equipment;
Secure information storage equipment is preserved security association and the key information of uploading.
In the such scheme, the method further comprises:
Security association and the key information of secure information storage plant maintenance self storage.
The present invention also provides a kind of secure information storage equipment, and this equipment comprises: memory cell and transmitting element; Wherein,
Memory cell is used for storage security association and key information;
Transmitting element is used for to security association and the key information of access device transmission cell stores.
In the such scheme, this equipment further comprises: receiving element is used for receiving security association and the key information that access device reports, and is saved to memory cell.
In the such scheme, this equipment further comprises: maintenance unit, and for security association and the key information of safeguarding cell stores.
The present invention also provides a kind of Verification System, and this system comprises: access device and secure information storage equipment; Wherein,
Access device for the process of switching in terminal, obtains described terminal relevant security association and key information from secure information storage equipment, carries out the 4-way-handshake flow process according to the content in the security association that obtains and the key information;
Secure information storage equipment is used for providing described terminal relevant security association and key information to access device.
In the such scheme, described access device is used for also judging whether local cache preserves relevant security association and the key information of terminal, when determining not preserve, obtains described terminal relevant security association and key information from secure information storage equipment.
In the such scheme, described access device also is used for security association that check obtains and the validity of key information, determine that information effectively after, carry out the 4-way-handshake flow process according to the content in the security association that obtains and the key information.
In the such scheme, described access device, also be used for not getting access to described terminal relevant security association and key information or the security association determining to obtain and key information when invalid from secure information storage equipment, described terminal is initiated complete networking identifying procedure, and after finishing, relevant security association and the key information of described terminal that produces in the networking identifying procedure is uploaded to secure information storage equipment;
Described secure information storage equipment after also being used for receiving the security association and key information that access device is uploaded, is preserved security association and the key information uploaded
In the such scheme, described secure information storage equipment also is used for security association and the key information of safeguarding that self stores.
Authentication method provided by the invention and system, in the process that terminal is switched, the access device that terminal connects after switching obtains described terminal relevant security association and key information from secure information storage equipment; Carry out the 4-way-handshake flow process according to the content in the security association that obtains and the key information, like this, the required time of connection reconstruction process in the time of effectively shortening the terminal switching, thus guarantee professional continuity, and then promote user's experience.
In addition, in network topology, secure information storage equipment is placed in the position of close access device, so, two-way time (RRT, Roundup-Trip Times) in the time of reducing authentication, thereby the required time of connection reconstruction process when further shortening end-grain cutting and changing, guarantee professional continuity, and then promote user's experience.
Description of drawings
Fig. 1 is the method flow schematic diagram that the present invention authenticates;
Fig. 2 is the method flow schematic diagram of embodiment one authentication;
Fig. 3 is the method flow schematic diagram of embodiment two authentications;
Fig. 4 is the method flow schematic diagram of embodiment three authentications;
Fig. 5 is the structural representation of secure information storage equipment of the present invention;
The structural representation of Fig. 6 Verification System of the present invention.
Embodiment
The present invention is further described in more detail below in conjunction with drawings and the specific embodiments.
Authentication method of the present invention as shown in Figure 1, may further comprise the steps:
Step 101: in the process that terminal is switched, the access device that terminal connects after switching obtains described terminal relevant security association and key information from secure information storage equipment;
Here, described access device refers to: possessing the wlan device of access authentication of user function, according to the difference of network form, specifically can be AP, perhaps, can be that AC adds AP, and wherein, described AC adds AP and refers to: access device comprises AC and AP.
Described security association and key information comprise: the identity information of terminal, the information of current access device, be used for carrying out the required key material of 4-way-handshake flow process and the term of validity etc.
Described access device obtains described terminal relevant security association and key information from secure information storage equipment, is specially:
Secure information storage equipment is according to strategy, and the access device in network sends security association and the key information of self storing;
Described access device is preserved security association and the key information of receiving, obtains described terminal relevant security association and key information from the security association self preserved and key information; Perhaps,
Described access device sends query messages to secure information storage equipment, obtains described terminal relevant security association and key information.
Wherein, secure information storage equipment is according to strategy, can send to all or part of access device in the network security association and the key information of self storage; Described strategy can arrange according to needs, such as: can be the positional information etc. of terminal, after secure information storage equipment obtains the positional information of terminal, can send to the access device that terminal connects security association and the key information of self storage.
Access device obtained described terminal relevant security association and key information from secure information storage equipment before, the method can further include:
Described access device judges whether local cache preserves relevant security association and the key information of terminal, when determining not preserve, obtains described terminal relevant security association and key information from secure information storage equipment.
Wherein, when determining that local cache is preserved the relevant security association of terminal and key information, execution in step 102.
In WLAN, the Main Function of verification process is: set up the trusting relationship between terminal and network, terminal and the access device, for security consideration, the trusting relationship of terminal and network and current access device strong correlation, in case switch, the trusting relationship of setting up before terminal and the network had so just lost efficacy, and need to re-start authentication with new access device; Here, described trusting relationship comprises: security association and key information etc.Consider that access device in the existing network is all in the control range of operator, therefore, access device deliberately leaks out safe key before unlikely occuring, perhaps utilize these information to disturb, intercept the behavior that terminal is communicated by letter with rear access device, therefore, in case after can adopting terminal and certain access device to set up trusting relationship, when terminal accesses other access device, still can continue to use this trusting relationship, that is: adopt until this trusting relationship expires or owing to till other reason given up.
In actual application, in network topology, secure information storage equipment can be placed in as far as possible the position near access device, such as: the distance of 1~2 jumping route only between access device and the secure information storage equipment, so, the RTT in the time of can reducing authentication.
When access device did not get access to the relevant security association of described terminal and key information from secure information storage equipment, the method can further include:
Access device is initiated complete networking identifying procedure to described terminal, and after finishing, relevant security association and the key information of described terminal that produces in the networking identifying procedure is uploaded to secure information storage equipment, and secure information storage equipment is preserved security association and the key information of uploading.。
Step 102: carry out the 4-way-handshake flow process according to the content in the security association that obtains and the key information.
Here, the specific implementation of this step is prior art, repeats no more here.
Before carrying out this step, the method can further include:
The security association that obtains of check and the validity of key information, determine that information effectively after, carry out the 4-way-handshake flow process according to the content in the security association that obtains and the key information;
Wherein, the security association that described check is obtained and the validity of key information are specially:
Whether the safeguard protection the mode whether security association that judgement is obtained and key information exceed in the term of validity and/or the key information mates with the safeguard protection mode of self supporting; if the safeguard protection mode that exceeds the safeguard protection mode in the term of validity and/or the key information and self support is not mated; think that then the security association and the key information that obtain are invalid; if the safeguard protection mode that does not exceed the safeguard protection mode in the term of validity and/or the key information and self support is mated, think that the security association and the key information that obtain are effective.
Wherein, described safeguard protection mode specifically can comprise: cryptographic algorithm and/or completeness check algorithm etc.
After the security association of determining to obtain and key information were invalid, the method can further include:
Described access device is initiated complete networking identifying procedure to described terminal, and after finishing, relevant security association and the key information of described terminal that produces in the networking identifying procedure is uploaded to secure information storage equipment, and secure information storage equipment is preserved security association and the key information of uploading.
The method can further include:
Security association and the key information of secure information storage plant maintenance self storage.Wherein, attended operation mainly is the aging of security association and key information, particularly, after every security association of storage and key information surpass the term of validity, then deletes this security association and key information.
When determining that local cache preserves relevant security association and the key information of terminal, when carrying out this step, the security association that obtains and key information security association and the key information for obtaining in the security association from local cache, preserved and the key information.
Below in conjunction with embodiment the present invention is described in further detail again.
Embodiment one
The application scenarios of present embodiment is: access device refers to AP, that is: AP has the function of access authentication of user.The authentication method of present embodiment as shown in Figure 2, may further comprise the steps:
Step 201: when terminal was switched, terminal was determined to carry out related with certain AP;
Here, the concrete processing procedure of this step is prior art.
Step 202: after the association, AP sends inquiry message to terminal, the identity of inquiry terminal;
Step 203: after terminal is received message, send response message to AP;
Here, the identity information of carried terminal in the described response message.
After step 204:AP received response message, the inquiry local cache judged whether local cache preserves relevant security association and the key information of terminal, and if so, then execution in step 211, otherwise, execution in step 205;
Here, if AP does not have local cache, direct execution in step 205 then.
Step 205:AP sends query messages to secure information storage equipment;
Here, described query messages comprises the identity information of terminal.
Step 206: secure information storage equipment is according to the actual conditions of self storing, to AP feedback query result;
Particularly, according to the terminal identity information in the query messages, in the security association of preserving and key information, inquire about, if find relevant security association and the key information of terminal, then to relevant security association and the key information of AP feedback terminal, otherwise, do not find the relevant security association of terminal and the message of key information to the AP feedback.
In addition, secure information storage equipment also is responsible for maintenance terminal relevant security association and key information, and attended operation mainly is the aging of security association and key information, particularly, after every security association of storage and key information surpass the term of validity, then delete this security association and key information.
Step 207:AP obtains terminal relevant security association and key information, the validity of checking information then, if effectively, then execution in step 211, otherwise, execution in step 209;
Here, but the validity of checking information be operating as selection operation;
The validity of described checking information; be specially: judge whether the security association and the key information that obtain exceed the term of validity; and/or whether the safeguard protection mode in the key information mates with the safeguard protection mode of self supporting; if exceed the term of validity; and/or the safeguard protection mode of the safeguard protection mode in the key information and self support is not mated; think that then the security association and the key information that obtain are invalid; if do not exceed the term of validity; and/or the safeguard protection mode that the safeguard protection mode in the key information and self are supported mates, and thinks that then the security association and the key information that obtain are effective.
Step 208:AP does not get access to terminal relevant security association and key information from secure information storage equipment, and execution in step 209 afterwards;
Here, what AP received secure information storage equipment feedback does not find the relevant security association of terminal and the message of key information, shows that then AP does not get access to terminal relevant security association and key information from secure information storage equipment.
Step 209:AP initiates complete EAP authentication to terminal, and after terminal is by the EAP authentication, execution in step 210;
Here, the concrete processing procedure that AP initiates complete EAP authentication to terminal is prior art, repeats no more here.
Step 210:AP is uploaded to secure information storage equipment with relevant security association and the key information of terminal that complete EAP produces, and execution in step 211 afterwards;
Here, after secure information storage equipment is received the security association and key information of uploading, preserve security association and the key information uploaded.
Step 211:AP sends the EAP success message to terminal, and carries out follow-up 4-way-handshake flow process according to the content in security association and the key information, finishes afterwards current handling process.
Here, when practical application, AP in step 210 and the step 211 sends the EAP success message to terminal, and carry out the operation of follow-up 4-way-handshake flow process according to the content in security association and the key information, without sequencing, in other words, the AP in also can first execution in step 211 sends the EAP success message to terminal on carrying out, and carry out the operation of follow-up 4-way-handshake flow process according to the content in security association and the key information, execution in step 210 again.
Embodiment two:
The application scenarios of present embodiment is: terminal and AP carry out related, and access device refers to: AC and AP, that is: AC and AP acting in conjunction have the function of access authentication of user.The authentication method of present embodiment as shown in Figure 3, may further comprise the steps:
Step 301: when terminal was switched, terminal was carried out related with certain AP;
Here, the concrete processing procedure of this step is prior art.
Step 302: after the association, AP reports to AC: terminal has been carried out related with this AP;
After step 303:AC received and reports, AC sent inquiry message to terminal, the identity of inquiry terminal;
Step 304: after terminal is received message, send response message to AC;
Here, carry the identity information of middle terminal in described this response message;
After step 305:AC received response message, the inquiry local cache judged whether local cache exists relevant security association and the key information of terminal, and if so, then execution in step 312, otherwise, execution in step 306;
Here, if AC does not have local cache, direct execution in step 306 then.
Step 306:AC sends query messages to secure information storage equipment;
Here, described query messages comprises the identity information of terminal.
Step 307: secure information storage equipment is according to the actual conditions of self storing, to AC feedback query result;
Particularly, according to the terminal identity information in the query messages, in the security association of preserving and key information, inquire about, if find relevant security association and the key information of terminal, then to relevant security association and the key information of AC feedback terminal, otherwise, do not find the relevant security association of terminal and the message of key information to the AC feedback;
In addition, secure information storage equipment also is responsible for maintenance terminal relevant security association and key information, and attended operation mainly is the aging of security association and key information, particularly, after every security association of storage and key information surpass the term of validity, then delete this security association and key information.
Step 308: if AC obtains terminal relevant security association and key information, check message validity, if effectively, then execution in step 312, otherwise, execution in step 310;
But the validity of checking information be operating as selection operation;
The validity of described checking information; be specially: judge whether the security association and the key information that obtain exceed the term of validity; and/or whether the safeguard protection mode in the key information mates with the safeguard protection mode of self supporting; if exceed the term of validity; and/or the safeguard protection mode of the safeguard protection mode in the key information and self support is not mated; think that then the security association and the key information that obtain are invalid; if do not exceed the term of validity; and/or the safeguard protection mode that the safeguard protection mode in the key information and self are supported mates, and thinks that then the security association and the key information that obtain are effective.
Step 309:AC does not get access to terminal relevant security association and key information from secure information storage equipment, and execution in step 310 afterwards;
Here, here, what AC received secure information storage equipment feedback does not find the relevant security association of terminal and the message of key information, shows that then AC does not get access to terminal relevant security association and key information from secure information storage equipment.
Step 310: access device is initiated complete EAP authentication to terminal, and after terminal is by the EAP authentication, execution in step 311;
Here, the concrete processing procedure that access device is initiated complete EAP authentication to terminal is prior art, repeats no more here.
Step 311:AC is uploaded to secure information storage equipment with relevant security association and the key information of terminal that complete EAP produces, and execution in step 312 afterwards;
Here, after secure information storage equipment is received the security association and key information of uploading, preserve security association and the key information uploaded.
Step 312:AC sends the EAP success message to terminal, and carries out the 4-way-handshake flow process according to the content in security association and the key information, and the key that afterwards the 4-way-handshake flow process is produced is given AP, and finishes current handling process.
Here, when practical application, AP in step 311 and the step 312 sends the EAP success message to terminal, and according to the follow-up 4-way-handshake flow process of the execution of the content in security association and the key information, the key that afterwards the 4-way-handshake flow process is produced is given the operation of AP, on carrying out without sequencing, in other words, AP in also can first step 312 sends the EAP success message to terminal, and according to the follow-up 4-way-handshake flow process of the execution of the content in security association and the key information, the key that afterwards the 4-way-handshake flow process is produced is given the operation of AP, and execution in step 311 again.
Embodiment three:
The application scenarios of present embodiment is: terminal and AC carry out related, and access device refers to: AC and AP, that is: AC and AP acting in conjunction have the function of access authentication of user.The authentication method of present embodiment as shown in Figure 4, may further comprise the steps:
Step 401: when terminal was switched, terminal was carried out related with certain AC;
Here, the concrete processing procedure of this step is prior art.
Step 402: after the association, AC sends inquiry message to terminal, the identity of inquiry terminal;
Step 403: after terminal is received message, send response message to AC;
Here, carry the identity information of middle terminal in described this response message;
After step 404:AC received response message, the inquiry local cache judged whether local cache exists relevant security association and the key information of terminal, and if so, then execution in step 411, otherwise, execution in step 405;
Here, if AC does not have local cache, direct execution in step 405 then.
Step 405:AC sends query messages to secure information storage equipment;
Here, described query messages comprises the identity information of terminal.
Step 406: secure information storage equipment is according to the actual conditions of self storing, to AC feedback query result;
Particularly, according to the terminal identity information in the query messages, in the security association of preserving and key information, inquire about, if find relevant security association and the key information of terminal, then to relevant security association and the key information of AC feedback terminal, otherwise, do not find the relevant security association of terminal and the message of key information to the AC feedback;
In addition, secure information storage equipment also is responsible for maintenance terminal relevant security association and key information, and attended operation mainly is the aging of security association and key information, particularly, after every security association of storage and key information surpass the term of validity, then delete this security association and key information.
Step 407: if AC obtains terminal relevant security association and key information, check message validity, if effectively, then execution in step 411, otherwise, execution in step 409;
But the validity of checking information be operating as selection operation;
The validity of described checking information; be specially: judge whether the security association and the key information that obtain exceed the term of validity; and/or whether the safeguard protection mode in the key information mates with the safeguard protection mode of self supporting; if exceed the term of validity; and/or the safeguard protection mode of the safeguard protection mode in the key information and self support is not mated; think that then the security association and the key information that obtain are invalid; if do not exceed the term of validity; and/or the safeguard protection mode that the safeguard protection mode in the key information and self are supported mates, and thinks that then the security association and the key information that obtain are effective.
Step 408:AC does not get access to terminal relevant security association and key information from secure information storage equipment, and execution in step 409 afterwards;
Here, here, what AC received secure information storage equipment feedback does not find the relevant security association of terminal and the message of key information, shows that then AC does not get access to terminal relevant security association and key information from secure information storage equipment.
Step 409: access device is initiated complete EAP authentication to terminal, and after terminal is by the EAP authentication, execution in step 410;
Here, the concrete processing procedure that access device is initiated complete EAP authentication to terminal is prior art, repeats no more here.
Step 410:AC is uploaded to secure information storage equipment with relevant security association and the key information of terminal that complete EAP produces, and execution in step 411 afterwards;
Here, after secure information storage equipment is received the security association and key information of uploading, preserve security association and the key information uploaded.
Step 411:AC sends the EAP success message to terminal, and carries out the 4-way-handshake flow process according to the content in security association and the key information, and the key that afterwards the 4-way-handshake flow process is produced is given AP, and finishes current handling process.
Here, when practical application, AP in step 410 and the step 411 sends the EAP success message to terminal, and according to the follow-up 4-way-handshake flow process of the execution of the content in security association and the key information, the key that afterwards the 4-way-handshake flow process is produced is given the operation of AP, on carrying out without sequencing, in other words, AP in also can first step 411 sends the EAP success message to terminal, and according to the follow-up 4-way-handshake flow process of the execution of the content in security association and the key information, the key that afterwards the 4-way-handshake flow process is produced is given the operation of AP, and execution in step 410 again.
For realizing said method, the present invention also provides a kind of secure information storage equipment, and as shown in Figure 5, this equipment comprises: memory cell 51 and transmitting element 52; Wherein,
Transmitting element 52 is used for sending security association and the key information that memory cell 51 is stored to access device.
Wherein, this equipment can further include: receiving element 53 is used for receiving security association and the key information that access device reports, and is saved to memory cell 51.
This equipment can further include: maintenance unit is used for security association and the key information of safeguarding that memory cell 51 is stored.
Here, the concrete processing procedure of the transmitting element in the equipment of the present invention and maintenance unit describes in detail hereinbefore, repeats no more.
The present invention also provides a kind of Verification System, and as shown in Figure 6, this system comprises: access device 61 and secure information storage equipment 62; Wherein,
Secure information storage equipment 62 is used for providing described terminal relevant security association and key information to access device 61.
Here, need to prove: the access device that described access device 61 connects for terminal after switching.
Wherein, described access device 61 is used for also judging whether local cache preserves relevant security association and the key information of terminal, when determining not preserve, obtains described terminal relevant security association and key information from secure information storage equipment 62.
Described access device 61 also is used for security association that check obtains and the validity of key information, determine that information effectively after, carry out the 4-way-handshake flow process according to the content in the security association that obtains and the key information.
Described access device 61, also be used for not getting access to described terminal relevant security association and key information or the security association determining to obtain and key information when invalid from secure information storage equipment 62, described terminal is initiated complete networking identifying procedure, and after finishing, relevant security association and the key information of described terminal that produces in the networking identifying procedure is uploaded to secure information storage equipment 62;
Described secure information storage equipment 62 after also being used for receiving the security association and key information that access device 61 is uploaded, is preserved security association and the key information uploaded.
Described secure information storage equipment 62 also is used for security association and the key information of safeguarding that self stores.
Here, the concrete processing procedure of the access device in the system of the present invention and secure information storage equipment describes in detail hereinbefore, repeats no more.
The above is preferred embodiment of the present invention only, is not for limiting protection scope of the present invention.
Claims (16)
1. authentication method is characterized in that the method comprises:
In the process that terminal is switched, the access device that terminal connects after switching obtains described terminal relevant security association and key information from secure information storage equipment;
Carry out 4-Way Handshake (4-way-handshake) flow process according to the content in the security association that obtains and the key information.
2. method according to claim 1 is characterized in that, described access device obtains described terminal relevant security association and key information from secure information storage equipment, for:
Secure information storage equipment is according to strategy, and the access device in network sends security association and the key information of self storing;
Described access device is preserved security association and the key information receive at local cache, obtains described terminal relevant security association and key information from the security association self preserved and key information; Perhaps,
Described access device sends query messages to secure information storage equipment, obtains described terminal relevant security association and key information.
3. method according to claim 1 is characterized in that, described access device obtained described terminal relevant security association and key information from secure information storage equipment before, the method further comprised:
Described access device judges whether local cache preserves relevant security association and the key information of terminal, when determining not preserve, obtains described terminal relevant security association and key information from secure information storage equipment.
4. method according to claim 3 is characterized in that, the method further comprises:
When determining that local cache is preserved the relevant security association of terminal and key information, carry out the 4-way-handshake flow process according to the content in the security association that from local cache, obtains and the key information.
5. according to claim 1 to 4 each described methods, it is characterized in that before according to the security association that obtains and the execution of the content in key information 4-way-handshake flow process, the method further comprises:
The security association that obtains of check and the validity of key information, determine that information effectively after, carry out the 4-way-handshake flow process according to the content in the security association that obtains and the key information.
6. method according to claim 5 is characterized in that, the security association that described check is obtained and the validity of key information, for:
Whether the safeguard protection the mode whether security association that judgement is obtained and key information exceed in the term of validity and/or the key information mates with the safeguard protection mode of self supporting; if the safeguard protection mode that exceeds the safeguard protection mode in the term of validity and/or the key information and self support is not mated; think that then the security association and the key information that obtain are invalid; if the safeguard protection mode that does not exceed the safeguard protection mode in the term of validity and/or the key information and self support is mated, think that then the security association and the key information that obtain are effective.
7. method according to claim 5, it is characterized in that, when described access device does not get access to the relevant security association of described terminal and key information from secure information storage equipment or, determine that the security association that obtains and key information are invalid after, the method further comprises:
Described access device is initiated complete networking identifying procedure to described terminal, and after finishing, relevant security association and the key information of described terminal that produces in the networking identifying procedure is uploaded to secure information storage equipment;
Secure information storage equipment is preserved security association and the key information of uploading.
8. according to claim 1 to 4 each described methods, it is characterized in that the method further comprises:
Security association and the key information of secure information storage plant maintenance self storage.
9. a secure information storage equipment is characterized in that, this equipment comprises: memory cell and transmitting element; Wherein,
Memory cell is used for storage security association and key information;
Transmitting element is used for to security association and the key information of access device transmission cell stores.
10. equipment according to claim 9 is characterized in that, this equipment further comprises: receiving element is used for receiving security association and the key information that access device reports, and is saved to memory cell.
11. according to claim 9 or 10 described equipment, it is characterized in that this equipment further comprises: maintenance unit is used for safeguarding security association and the key information of cell stores.
12. a Verification System is characterized in that, this system comprises: access device and secure information storage equipment; Wherein,
Access device for the process of switching in terminal, obtains described terminal relevant security association and key information from secure information storage equipment, carries out the 4-way-handshake flow process according to the content in the security association that obtains and the key information;
Secure information storage equipment is used for providing described terminal relevant security association and key information to access device.
13. system according to claim 12, it is characterized in that, described access device, be used for also judging whether local cache preserves relevant security association and the key information of terminal, when determining not preserve, obtain described terminal relevant security association and key information from secure information storage equipment.
14. according to claim 12 or 13 described systems, it is characterized in that described access device also is used for security association that check obtains and the validity of key information, after determining that information effectively, carry out the 4-way-handshake flow process according to the content in the security association that obtains and the key information.
15. system according to claim 14, it is characterized in that, described access device, also be used for not getting access to described terminal relevant security association and key information or the security association determining to obtain and key information when invalid from secure information storage equipment, described terminal is initiated complete networking identifying procedure, and after finishing, relevant security association and the key information of described terminal that produces in the networking identifying procedure is uploaded to secure information storage equipment;
Described secure information storage equipment after also being used for receiving the security association and key information that access device is uploaded, is preserved security association and the key information uploaded.
16. according to claim 12 or 13 described systems, it is characterized in that described secure information storage equipment also is used for safeguarding security association and the key information of self storage.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011102610395A CN102984700A (en) | 2011-09-05 | 2011-09-05 | Security information storage apparatus, and authentication method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011102610395A CN102984700A (en) | 2011-09-05 | 2011-09-05 | Security information storage apparatus, and authentication method and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102984700A true CN102984700A (en) | 2013-03-20 |
Family
ID=47858345
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2011102610395A Pending CN102984700A (en) | 2011-09-05 | 2011-09-05 | Security information storage apparatus, and authentication method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102984700A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104917595A (en) * | 2015-06-16 | 2015-09-16 | 四川长虹通信科技有限公司 | Secret key switching method and system in encryption communication process |
| CN110278556A (en) * | 2018-03-13 | 2019-09-24 | 中兴通讯股份有限公司 | A kind of safety certification strategy determines method, equipment and computer readable storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1414262A1 (en) * | 2002-10-15 | 2004-04-28 | Samsung Electronics Co., Ltd. | Authentication method for fast handover in a wireless local area network |
| CN101335621A (en) * | 2007-06-26 | 2008-12-31 | 中国科学院声学研究所 | 802.11i key management method |
| CN101600200A (en) * | 2008-06-02 | 2009-12-09 | 华为技术有限公司 | Method for switching among heterogeneous networks, mobile node and authenticating access point |
| CN101635923A (en) * | 2009-08-05 | 2010-01-27 | 中兴通讯股份有限公司 | EAP authentication method and system supporting fast switching |
| CN101998399A (en) * | 2009-08-12 | 2011-03-30 | 中兴通讯股份有限公司 | Method and system for quickly switching terminal |
-
2011
- 2011-09-05 CN CN2011102610395A patent/CN102984700A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1414262A1 (en) * | 2002-10-15 | 2004-04-28 | Samsung Electronics Co., Ltd. | Authentication method for fast handover in a wireless local area network |
| CN101335621A (en) * | 2007-06-26 | 2008-12-31 | 中国科学院声学研究所 | 802.11i key management method |
| CN101600200A (en) * | 2008-06-02 | 2009-12-09 | 华为技术有限公司 | Method for switching among heterogeneous networks, mobile node and authenticating access point |
| CN101635923A (en) * | 2009-08-05 | 2010-01-27 | 中兴通讯股份有限公司 | EAP authentication method and system supporting fast switching |
| CN101998399A (en) * | 2009-08-12 | 2011-03-30 | 中兴通讯股份有限公司 | Method and system for quickly switching terminal |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104917595A (en) * | 2015-06-16 | 2015-09-16 | 四川长虹通信科技有限公司 | Secret key switching method and system in encryption communication process |
| CN104917595B (en) * | 2015-06-16 | 2018-04-27 | 四川长虹通信科技有限公司 | Key switching method and system during a kind of coded communication |
| CN110278556A (en) * | 2018-03-13 | 2019-09-24 | 中兴通讯股份有限公司 | A kind of safety certification strategy determines method, equipment and computer readable storage medium |
| CN110278556B (en) * | 2018-03-13 | 2021-11-12 | 中兴通讯股份有限公司 | Security authentication policy determination method, device and computer readable storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP2432265B1 (en) | Method and apparatus for sending a key on a wireless local area network | |
| CN104396291B (en) | The method and apparatus established for WLAN initial link circuit | |
| CN104270758B (en) | The method for connecting and authorizing is established by WIFI and server security | |
| CN102783218B (en) | Method and apparatus for redirecting data traffic | |
| CN105830473B (en) | A kind of means of communication, user equipment, access network equipment and application server | |
| WO2017092501A1 (en) | Method and system for network certification | |
| CN101990202B (en) | Method for updating user policy and application server | |
| CN104469977B (en) | Method of mobile communication, device and system | |
| CN114024594A (en) | Communication method and device of satellite communication system | |
| CN101945388A (en) | Wireless roaming authentication method, wireless roaming method and device thereof | |
| CN108112005A (en) | The switching method and system of a kind of wireless network roaming | |
| CN100558187C (en) | A kind of radio switch-in method and access controller | |
| US11265708B2 (en) | Method and device for joining access node group | |
| CN106878987B (en) | Communication method, system and cloud server | |
| CN103384365A (en) | Method and system for network access, method for processing business and equipment | |
| CN101483929B (en) | Method and apparatus for obtaining interaction mode with policy making entity by non-3GPP access gateway | |
| CN101990207B (en) | Access control method, home base station (HBS) and HBS authorization server | |
| CN106304400A (en) | The IP address distribution method of wireless network and system | |
| CN102244857B (en) | Wireless local area network roaming subscriber control method, device and network system | |
| CN102984700A (en) | Security information storage apparatus, and authentication method and system | |
| CN107566418B (en) | Security management method and access device | |
| CN105101337A (en) | Information transmitting method and information transmitting system | |
| KR101131841B1 (en) | System and method for adaptive roaming threshold parameter setup | |
| CN104735749B (en) | A kind of method and wireless router, portal platform server accessing network | |
| CN1949924B (en) | User terminal idel mode managing method and wireless communication system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20130320 |
|
| WD01 | Invention patent application deemed withdrawn after publication |