CN103139770A - Method for transmitting paired master cryptography keys in wireless local area network (WLAN) access network and system - Google Patents


Info

Publication number
CN103139770A
Authority
CN
China
Prior art keywords
access
message
authentication
pairwise master
master key
Legal status
Granted
Application number
CN2013100375385A
Other languages
Chinese (zh)
Other versions
CN103139770B (en
Inventor
梁乾灯
石磊
范亮
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Application filed by ZTE Corp
Priority to CN201310037538.5A (granted as CN103139770B)
Publication of CN103139770A
Priority to PCT/CN2013/083632 (published as WO2014117524A1)
Application granted; publication of CN103139770B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0433 Key management protocols

Abstract

The invention discloses a method for transmitting paired master cryptography keys in a wireless local area network (WLAN) access network. The method includes the steps: an access key negotiation point receives an access authentication message sent by an access client, expands notice information in the access authentication message, and sends the expanded access authentication message to an access authentication point; the access authentication point sends an access request message with identification information of the access client to an authentication server-side; after an authentication success message is received, a main master cryptography key is obtained from the authentication success message, the main master cryptography key is encrypted according to the notice message, and an obtained encrypted message is packaged in the authentication success message to be sent to the access client. The invention further provides a corresponding system. Due to the fact that the scheme is adopted, the problems that networking compatibility is poor and an interface is complex and the like due to the fact that the access authentication point sends the paired master cryptography keys to a secret key negotiation point are avoided.

Description

Method and system for transmitting a pairwise master key in a WLAN access network
Technical field
The present invention relates to the field of wireless communication technology, and in particular to a method and system for transmitting a pairwise master key in a WLAN access network.
Background technology
With the rapid development of Internet applications and intelligent terminals, WLAN has come into very general use and is deployed in many public places; users can access the Internet anywhere and at any time through terminal devices such as mobile phones and computers, and carry out activities such as online work and entertainment. Access through a WLAN access network is one of the most important means by which users reach network resources.
To strengthen the security of air-interface data transmission between wireless devices, IEEE 802.1X and IEEE 802.11i define the 802.1X+EAP access authentication mode and the EAPOL-Key key agreement mechanism. WLAN adopts the 4-Way Handshake key agreement mechanism, under which the wireless service end and the access client negotiate and generate the keys PTK and GTK; the generated keys are used to encrypt and decrypt the air-interface data between wireless devices, protecting the reliability and security of the wireless network. Before the EAPOL-Key key agreement is carried out, the wireless access client and the wireless service end must hold the same pairwise master key (PMK). With the 802.1X+EAP access authentication mode, the access client obtains the PMK during the authentication procedure, and the wireless-device service end obtains the PMK from the authorization message of the authentication success sent by the AAA server. The PMK is the key material for the EAPOL-Key key agreement and is the basis on which that agreement is carried out.
In actual network deployments today, the access key agreement point and the access authentication point of a wireless user STA are often not the same device: a BNG device is usually used as the access authentication point, and the AP serves as the access key agreement point. The access client STA obtains the PMK from the MSK of the 802.1X authentication procedure, and the BNG can obtain the PMK from the authorization message of the AAA server, but the AP cannot obtain the PMK directly from the AAA authentication-success authorization message. This raises the problem of an interface for passing the PMK between the BNG and the AP. If the BNG were to carry out key agreement with the STA on behalf of the AP and then transmit the PTK and GTK to the AP through a special tunnel or a specific protocol interface, it would place an unnecessary burden on the BNG device. In the prior art, on a device that merges AC and BNG, the PMK or the PTK/GTK is transmitted to the AP by extending a CAPWAP message element; but in a scenario where the AC is separate from the BNG, this method requires a dedicated interface (a special tunnel interface or an extension of some protocol) between the AC and the BNG to transmit the PMK, and since this interface is not currently a standard interface, it causes problems such as poor compatibility and poor interoperability.
Summary of the invention
The main purpose of the present invention is to provide a method and system for transmitting a pairwise master key in a WLAN access network, intended to avoid problems such as poor networking compatibility and complex interfaces that arise when the access authentication point transmits the pairwise master key to the key agreement point.
The invention provides a method for transmitting a pairwise master key in a WLAN access network, comprising:
the access key agreement point receives an access authentication message sent by the access client, extends the access authentication message with advertised information, and sends the extended access authentication message to the access authentication point;
the access authentication point obtains the identity information of the access client and sends to the authentication server an access request message carrying the identity information of the access client; after receiving the authentication success message that the authentication server returns in response to the access request message, it obtains the pairwise master key from that message, encrypts the pairwise master key according to the previously learned advertised information, encapsulates the resulting ciphertext in the authentication success message and sends it to the access key agreement point;
the access key agreement point decrypts the authentication success message to obtain the pairwise master key, and sends a recombined authentication success message that does not contain the pairwise master key to the access client.
Preferably, the advertised information comprises at least the public key of the access key agreement point and the encryption algorithm used to encrypt the pairwise master key; the public key and the encryption algorithm may be configured locally or through a network management system.
Preferably, the step in which the access authentication point obtains the identity information of the access client, sends to the authentication server an access request message carrying the identity information of the access client, and, after receiving the authentication success message that the authentication server returns in response to the access request message, obtains the pairwise master key from it, encrypts the pairwise master key according to the previously learned advertised information, encapsulates the resulting ciphertext in the authentication success message and sends it to the access key agreement point, comprises:
the access authentication point processes the access authentication message, saves the advertised information it contains, and sends to the access key agreement point an identity information request message for requesting the identity information of the access client, so that the access key agreement point forwards this identity information request message to the access client;
it receives the identity information response message with which the access client responded, forwarded by the access key agreement point, encapsulates the identity information response message in an access request message for requesting WLAN access from the authentication server, and sends this access request message to the authentication server;
after receiving the authentication success message returned by the authentication server, it obtains the pairwise master key from the authorization message, encrypts the pairwise master key with the encryption algorithm and public key in the previously saved advertised information, encapsulates the resulting ciphertext in the authentication success message and forwards it to the access key agreement point, which forwards it to the access client to inform it that authentication has passed.
Preferably, the step in which the access key agreement point decrypts the authentication success message to obtain the pairwise master key and sends a recombined authentication success message that does not contain the pairwise master key to the access client comprises:
the access key agreement point decrypts the received authentication success message according to the advertised information, obtaining the pairwise master key carried in it;
it removes the pairwise master key from the authentication success message, recombines an authentication success message that does not contain the pairwise master key, and sends the recombined authentication success message to the access client; and it carries out key agreement with the access client according to the pairwise master key.
Preferably, after the recombined authentication success message that does not contain the pairwise master key is sent to the access client, the method further comprises:
the access client, having received the authentication success message that does not contain the pairwise master key, sends an IP address request message to obtain an IP address.
The present invention also provides a system for transmitting a pairwise master key in a WLAN access network, comprising an access client, an authentication server, an access key agreement point and an access authentication point, wherein:
the access key agreement point is used to receive the access authentication message sent by the access client, extend the access authentication message with advertised information, and send the extended access authentication message to the access authentication point; it is also used to decrypt the authentication success message sent by the access authentication point, obtain the pairwise master key, and send a recombined authentication success message that does not contain the pairwise master key to the access client;
the access authentication point is used to obtain the identity information of the access client and send to the authentication server an access request message carrying the identity information of the access client; after receiving the authentication success message that the authentication server returns in response to the access request message, it obtains the pairwise master key from it, encrypts the pairwise master key according to the advertised information, encapsulates the resulting ciphertext in the authentication success message and sends it to the access key agreement point;
the access client is used to send the access authentication message to the access key agreement point, and, after receiving the authentication success message that does not contain the pairwise master key, to send an IP address request message to obtain an IP address;
the authentication server is used to judge, according to the access request message sent by the access authentication point, whether the access client passes authentication, and if so, to return to the access authentication point an authentication success message whose authorization information carries the pairwise master key.
Preferably, the access authentication point is specifically used to:
process the access authentication message, save the advertised information it contains, and send to the access key agreement point an identity information request message for requesting the identity information of the access client, so that the access key agreement point forwards this identity information request message to the access client;
receive the identity information response message with which the access client responded, forwarded by the access key agreement point, encapsulate the identity information response message in an access request message for requesting WLAN access from the authentication server, and send this access request message to the authentication server;
after receiving the authentication success message returned by the authentication server, obtain the pairwise master key from the authorization message, encrypt the pairwise master key with the encryption algorithm and public key in the previously saved advertised information, encapsulate the resulting ciphertext in the authentication success message and forward it to the access key agreement point, which forwards it to the access client to inform it that authentication has passed.
Preferably, the access key agreement point is specifically used to:
decrypt the received authentication success message according to the advertised information, obtaining the pairwise master key carried in it;
remove the pairwise master key from the authentication success message, recombine an authentication success message that does not contain the pairwise master key, and send the recombined authentication success message to the access client; and carry out key agreement with the access client according to the pairwise master key.
In the present invention, the access key agreement point receives the access authentication message sent by the access client, extends the access authentication message with advertised information, and sends the extended access authentication message to the access authentication point; the access authentication point obtains the identity information of the access client and sends to the authentication server an access request message carrying the identity information of the access client; after receiving the authentication success message, it obtains the pairwise master key from it, encrypts the pairwise master key according to the advertised information, encapsulates the resulting ciphertext in the authentication success message and sends it to the access key agreement point; the access key agreement point decrypts the authentication success message to obtain the pairwise master key, and sends a recombined authentication success message that does not contain the pairwise master key to the access client. By extending the access authentication message and the authentication success message, the pairwise master key is transmitted between the access authentication point and the access key agreement point; since no dedicated interface needs to be established between the access key agreement point and the access authentication point, problems such as poor networking compatibility and complex interfaces caused by the access authentication point transmitting the pairwise master key to the access key agreement point are avoided.
Description of drawings
Fig. 1 is a schematic flow chart of one embodiment of the method for transmitting a pairwise master key in a WLAN access network of the present invention;
Fig. 2 is a schematic flow chart of the access authentication point sending an access request message to the authentication server in the method for transmitting a pairwise master key in a WLAN access network of the present invention;
Fig. 3 is a schematic flow chart of the access key agreement point obtaining the pairwise master key in the method for transmitting a pairwise master key in a WLAN access network of the present invention;
Fig. 4 is a schematic flow chart of another embodiment of the method for transmitting a pairwise master key in a WLAN access network of the present invention;
Fig. 5 is a schematic structural diagram of one embodiment of the system for transmitting a pairwise master key in a WLAN access network of the present invention.
The realization of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings in connection with the embodiments.
Embodiment
It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
The invention provides a method for transmitting a pairwise master key in a WLAN access network. By extending the access authentication message and the authentication success message, the pairwise master key is transmitted from the access authentication point to the key agreement point without a dedicated interface having to be established between the access key agreement point and the access authentication point.
Referring to Fig. 1, Fig. 1 is a schematic flow chart of one embodiment of the method for transmitting a pairwise master key in a WLAN access network of the present invention.
The method for transmitting a pairwise master key in a WLAN access network provided by the present embodiment comprises:
Step S10: the access key agreement point receives the access authentication message sent by the access client, extends the access authentication message with advertised information, and sends the extended access authentication message to the access authentication point;
In the present embodiment, the authentication protocol between the access client and the authentication server may be an EAP authentication protocol, which may include protocols such as EAP-PEAP, EAP-SIM, EAP-AKA, EAP-TLS and EAP-TTLS; the authentication protocol between the access authentication point and the authentication server may be the RADIUS protocol or Diameter; the access key agreement point may be an AP device or an AC device, and the access authentication point may be a BNG device.
When the access client accesses through the WLAN access network, it first associates with a nearby access key agreement point. After successful association, the access client sends to this access key agreement point an access authentication message for authenticating its own identity; in the present embodiment, this access authentication message may be an EAPOL-Start message. After receiving this access authentication message, the access key agreement point extends it, that is, it extends the EAPOL-Start message with advertised information, which may include information such as the public key of the access key agreement point and the encryption algorithm used to encrypt the pairwise master key; the public key and encryption algorithm needed for this information may be configured locally or through a network management system. After extending the access authentication message, the access key agreement point sends it to the access authentication point.
Step S20: the access authentication point obtains the identity information of the access client and sends to the authentication server an access request message carrying the identity information of the access client; after receiving the authentication success message that the authentication server returns in response to the access request message, it obtains the pairwise master key from it, encrypts the pairwise master key according to the previously learned advertised information, encapsulates the resulting ciphertext in the authentication success message and sends it to the access key agreement point;
After the access authentication point receives the extended access authentication message, it obtains the identity information of the access client; having obtained it, it encapsulates the identity information of the access client in the access request message that the access authentication point sends to the authentication server to request access, and sends that message to the authentication server. In the present embodiment, this access request message may be the Access-Request message of the RADIUS protocol. After receiving the access request message, the authentication server negotiates the specific authentication mode with the access client and finally judges whether this access client can pass authentication. After the access client is authenticated successfully, the authentication server returns an authentication success message to the access authentication point; in the present embodiment, this authentication success message may be the Access-Accept message of the RADIUS protocol, whose attributes contain the EAP-SUCCESS message.
After the access authentication point receives the authentication success message, it obtains the pairwise master key from the authorization attributes of this authentication success message, then encrypts the pairwise master key according to the encryption algorithm in the advertised information, encapsulates the resulting ciphertext in the authentication success message (the EAP-SUCCESS message), and sends this authentication success message to the access key agreement point.
Step S30: the access key agreement point decrypts the authentication success message to obtain the pairwise master key, and sends a recombined authentication success message that does not contain the pairwise master key to the access client.
The access key agreement point decrypts the received authentication success message with the same encryption algorithm, thereby obtaining the pairwise master key, and recombines the authentication success message, that is, it forms an authentication success message that does not contain the pairwise master key, and sends the recombined authentication success message to the access client.
In the embodiment of the present invention, the access key agreement point receives the access authentication message sent by the access client, extends the access authentication message with advertised information, and sends the extended access authentication message to the access authentication point; the access authentication point obtains the identity information of the access client and sends to the authentication server an access request message carrying the identity information of the access client; after receiving the authentication success message, it obtains the pairwise master key from it, encrypts the pairwise master key according to the advertised information, encapsulates the resulting ciphertext in the authentication success message and sends it to the access key agreement point; the access key agreement point decrypts the authentication success message to obtain the pairwise master key, and sends a recombined authentication success message that does not contain the pairwise master key to the access client. By extending the access authentication message and the authentication success message, the pairwise master key is transmitted from the access authentication point to the access key agreement point; since no dedicated interface needs to be established between the access key agreement point and the access authentication point, problems such as poor networking compatibility and complex interfaces caused by the access authentication point transmitting the pairwise master key to the access key agreement point are avoided.
Referring to Fig. 2, Fig. 2 is a schematic flow chart of the access authentication point sending an access request message to the authentication server in the method for transmitting a pairwise master key in a WLAN access network of the present invention.
In the above embodiment, step S20 comprises:
Step S201: the access authentication point processes the access authentication message, saves the advertised information it contains, and sends to the access key agreement point an identity information request message for requesting the identity information of the access client, so that the access key agreement point forwards this identity information request message to the access client;
After the access authentication point receives the access authentication message that the access client sent and the access key agreement point forwarded, it first saves the advertised information it contains, comprising the public key of the access key agreement point and information such as the encryption algorithm used to encrypt the pairwise master key. It then sends to the access key agreement point an identity information request message for requesting the identity information of the access client; in the present embodiment, this identity information request message may be the EAPoL/EAP-Request/Identity message, and the access key agreement point forwards this identity information request message to the access client.
Step S202: it receives the identity information response message with which the access client responded, forwarded by the access key agreement point, encapsulates the identity information response message in an access request message for requesting WLAN access from the authentication server, and sends this access request message to the authentication server;
After the access client receives the identity information request message, it responds to the access key agreement point with an identity information response message carrying its own identity information, and the access key agreement point forwards the identity information response message to the access authentication point. The access authentication point encapsulates the received identity information response message in an access request message for requesting WLAN access from the authentication server, and then sends this access request message to the authentication server to request access.
Step S203: after receiving the authentication success message returned by the authentication server, it obtains the pairwise master key from the authorization message, encrypts the pairwise master key with the encryption algorithm and public key in the previously saved advertised information, encapsulates the resulting ciphertext in the authentication success message and forwards it to the access key agreement point, which forwards it to the access client to inform it that authentication has passed.
After the access authentication point receives the authentication success message returned by the authentication server, it obtains the pairwise master key from the authorization message of this authentication success message, then encrypts the pairwise master key with the encryption algorithm in the previously saved advertised information, encapsulates the resulting ciphertext in the authentication success message, and sends this authentication success message to the access key agreement point, so that the access key agreement point, after receiving it, forwards the authentication success message to the access client to inform the access client that authentication has passed.
The access authentication point processes the received access authentication message, saves the advertised information it contains, and sends an identity information request message to the access key agreement point; after receiving the identity information response message with which the access client responded, forwarded by the access key agreement point, it encapsulates the identity information response message in an access request message for requesting WLAN access from the authentication server and sends this access request message to the authentication server; and after receiving the authentication success message returned by the authentication server, it encrypts the pairwise master key in it, encapsulates the resulting ciphertext in the authentication success message and sends it to the access key agreement point. Thus, by extending the access request message, a basis is provided for avoiding problems such as poor networking compatibility and complex interfaces caused by the access authentication point transmitting the pairwise master key.
Referring to Fig. 3, Fig. 3 is a schematic flow chart of the access key agreement point obtaining the pairwise master key in the method for transmitting a pairwise master key in a WLAN access network of the present invention.
In the above embodiment, step S30 comprises:
Step S31: the access key agreement point decrypts the received authentication success message according to the advertised information, obtaining the pairwise master key carried in it;
Step S32: it removes the pairwise master key from the authentication success message, recombines an authentication success message that does not contain the pairwise master key, and sends the recombined authentication success message to the access client; and it carries out key agreement with the access client according to the pairwise master key.
After the access key agreement point receives the authentication success message sent by the access authentication point, which contains the encrypted pairwise master key, it decrypts the received authentication success message with the same encryption algorithm from the advertised information that was used to encrypt this pairwise master key, obtaining the pairwise master key carried in it; then, according to the obtained pairwise master key, it carries out key agreement with the access client. It then recombines the authentication success message, that is, it removes the pairwise master key from the authentication success message, forming an authentication success message that does not contain the pairwise master key, and sends this recombined authentication success message to the access client, notifying the access client that access authentication succeeded and that it may proceed with WLAN access.
The access key agreement point decrypts the received authentication success message according to the advertised information to obtain the pairwise master key carried in it, and carries out key agreement with the access client according to the pairwise master key; it then removes the pairwise master key from the authentication success message and sends a recombined authentication success message that does not contain the pairwise master key to the access client. In this way, the access key agreement point obtains the pairwise master key through the extension made to the authentication success message, which further provides a basis for avoiding problems such as poor networking compatibility and complex interfaces caused by the access authentication point transmitting the pairwise master key.
Referring to Fig. 4, which is a flow diagram of another embodiment of the method of the present invention for transmitting a pairwise master key in a WLAN access network.
Based on the first embodiment of the method, after step S30 the method further comprises:
Step S40: after receiving the authentication success message that does not contain the pairwise master key, the access client sends an IP request message to obtain an IP address.
After the access client receives from the access key negotiation point the authentication success message that does not contain the pairwise master key, it begins WLAN access: it sends an IP request message to a server on the WLAN side to request an IP address on the access network, and completes network access with the address obtained.
Thus, through the extension of the access authentication message and the authentication success message, the final step of obtaining an address is unchanged, which offers greater convenience to users accessing the WLAN.
Below, three networking modes are described as three embodiments of the present invention to illustrate the method for transmitting a pairwise master key in a WLAN access network. In all three embodiments the authentication protocol between the access client STA and the authentication server (AAA server) is EAP, and the authentication protocol between the access authentication point BNG and the AAA server is RADIUS; the access key negotiation point is an AP device and the access authentication point is a BNG device.
I. Embodiment one:
Fat AP deployment scenario, with local forwarding at the AP. The AP sits between the STA and the BNG, and no AC takes part in this networking scenario. The specific implementation is as follows:
Step 1: After the access client STA associates with the AP, it sends an EAPoL-Start message to trigger EAP authentication.
Step 2: After the AP receives the STA's EAPoL-Start message, it extends the message with the advertisement information that EAPoL version 3 allows an EAPoL-Start to carry, i.e. it places the AP's public key and encryption algorithm in a TLV option, and sends the extended message to the BNG.
Step 3: The BNG processes the EAPoL-Start message, stores the association between the STA and the AP together with the AP's public key and encryption algorithm, and requests identity information from the STA by sending an EAPoL/EAP-Request/Identity message.
Step 4: The AP forwards the EAPoL/EAP-Request/Identity message to the access client STA.
Step 5: The STA answers the EAPoL/EAP-Request/Identity message by sending the identity response message EAPoL/EAP-Response/Identity to the AP.
Step 6: The AP forwards the EAPoL/EAP-Response/Identity message to the BNG.
Step 7: The BNG encapsulates the EAP-Response/Identity message in a RADIUS Access-Request and sends it to the AAA server.
Step 8: The AAA server and the STA negotiate the specific authentication method, and the AAA server finally decides whether the STA passes authentication.
Step 9: According to its decision, the AAA server sends an EAP-SUCCESS message (authentication succeeded) or an EAP-FAILURE message (authentication failed), encapsulated in a RADIUS Access-Accept or Access-Reject respectively, to the BNG.
Step 10: If the BNG receives an Access-Accept, it parses the key-material field of the authorization attributes issued by the AAA server (for example MS_MPPE_RCV_KEY, the MS-MPPE-Recv-Key attribute) to obtain the pairwise master key PMK, encrypts the PMK with the algorithm and key agreed with the AP, and appends the encrypted PMK to the tail of the EAP-SUCCESS message. If the BNG receives an Access-Reject, it sends the EAP-FAILURE message to the STA via the AP and the authentication procedure is triggered again for the STA.
Step 11: The BNG sends the encapsulated EAP-SUCCESS message to the AP. The encrypted PmkData field is appended at the very end of the EAP-Success message, and both the Length field of the EAPoL header and the Length field of the EAP header are increased by pmk_len, the length of the PMK ciphertext.
Step 12: The AP decrypts the extended EAP-SUCCESS message with the algorithm agreed with the BNG and its local private key to obtain the PMK, removes the PMK from the EAPOL-SUCCESS message, and reassembles an EAP-SUCCESS message for the STA. When reassembling, the Length of the EAPoL header and the Length of the EAP header must be reduced again by the length of the PMK ciphertext. At this point the STA and the AP each hold the PMK.
Step 13: The AP sends the reassembled EAP-SUCCESS message to the STA. After receiving the authentication success message, the STA starts the DHCP procedure to obtain an IP address.
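The framing in steps 2, 3 and 10 to 12 above (the TLV advertisement in EAPoL-Start, the PmkData appended to EAP-Success with both Length fields grown by pmk_len, and the AP's decrypt-and-strip that reduces them again), as an added Python example that is not ZTE's code and is not part of the patent; it also illustrates steps S31 and S32 of Fig. 3. The TLV type numbers, the function names and the cipher are assumptions: the patent names no TLV types and no algorithm, so where the patent has the AP's public and private keys the example stands in a keyed HMAC-SHA256 keystream with a tag under one shared value, labelled as such in the code. As in the patent, the BNG trusts whatever key the EAPoL-Start advertised; the text says the key and algorithm may be configured locally or through the network management system, and binding the advertised key to a particular AP is left to that configuration. The AP side refuses an EAP-Success whose Length claims no PmkData, or whose tag fails, rather than handing a guessed key to the four-way handshake.

```python
# Added example, not ZTE's code: the EAPoL-Start advertisement (steps 2-3) and the
# EAP-Success PmkData extension (steps 10-12). TLV types and cipher are assumptions.
import hashlib
import hmac
import os
import struct

EAPOL_VERSION = 3       # "EAPoL V3" in the text
EAPOL_TYPE_EAP_PACKET = 0
EAPOL_TYPE_START = 1
EAP_CODE_SUCCESS = 3
EAP_HDR_LEN = 4         # RFC 3748 Code/Identifier/Length; EAP-Success has no data
TLV_AP_PUBKEY = 1       # hypothetical TLV type: AP public key
TLV_CIPHER_ALG = 2      # hypothetical TLV type: algorithm identifier

def eapol_frame(ptype, body):
    """EAPoL header (Version, Type, Body Length) followed by the body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body

def parse_eapol(frame):
    """Return (Type, body), refusing frames shorter than their Body Length claims."""
    if len(frame) < 4 or len(frame) - 4 < struct.unpack("!H", frame[2:4])[0]:
        raise ValueError("truncated EAPoL frame")
    return frame[1], frame[4:4 + struct.unpack("!H", frame[2:4])[0]]

def encode_tlvs(tlvs):
    return b"".join(struct.pack("!BH", t, len(v)) + v for t, v in tlvs)

def decode_tlvs(data):
    out = {}
    while data:
        if len(data) < 3 or len(data) - 3 < struct.unpack("!H", data[1:3])[0]:
            raise ValueError("malformed TLV")
        length = struct.unpack("!H", data[1:3])[0]
        out[data[0]], data = data[3:3 + length], data[3 + length:]
    return out

def ap_extend_start(ap_pubkey, alg_id):
    """Step 2: the AP carries its public key and algorithm in EAPoL-Start."""
    body = encode_tlvs([(TLV_AP_PUBKEY, ap_pubkey), (TLV_CIPHER_ALG, alg_id)])
    return eapol_frame(EAPOL_TYPE_START, body)

def bng_process_start(frame):
    """Step 3: the BNG stores the advertisement for this STA/AP association."""
    ptype, body = parse_eapol(frame)
    if ptype != EAPOL_TYPE_START:
        raise ValueError("not an EAPoL-Start")
    tlvs = decode_tlvs(body)
    if TLV_AP_PUBKEY not in tlvs or TLV_CIPHER_ALG not in tlvs:
        raise ValueError("advertisement lacks public key or algorithm")
    return {"pubkey": tlvs[TLV_AP_PUBKEY], "alg": tlvs[TLV_CIPHER_ALG]}

# Stand-in for the advertised algorithm: HMAC-SHA256 keystream plus a 16-byte tag
# under one shared key. Not the patent's public-key scheme and not for production
# use; it only gives the framing code something to carry.
def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def encrypt_pmk(key, pmk):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pmk, _keystream(key, nonce, len(pmk))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def decrypt_pmk(key, blob):
    if len(blob) <= 32:
        raise ValueError("PmkData too short")
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("PmkData tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def bng_extend_success(frame, pmk, advert):
    """Steps 10-11: append PmkData and grow the EAP and EAPoL Lengths by pmk_len."""
    ptype, eap = parse_eapol(frame)
    if ptype != EAPOL_TYPE_EAP_PACKET or len(eap) < EAP_HDR_LEN:
        raise ValueError("not an EAP packet")
    code, ident, eap_len = struct.unpack("!BBH", eap[:4])
    if code != EAP_CODE_SUCCESS or eap_len != EAP_HDR_LEN:
        raise ValueError("expected a plain EAP-Success")
    pmk_data = encrypt_pmk(advert["pubkey"], pmk)
    eap = struct.pack("!BBH", code, ident, eap_len + len(pmk_data)) + pmk_data
    return eapol_frame(EAPOL_TYPE_EAP_PACKET, eap)

def ap_strip_success(frame, ap_privkey):
    """Step 12: recover the PMK, then rebuild EAP-Success with both Lengths reduced."""
    ptype, eap = parse_eapol(frame)
    if ptype != EAPOL_TYPE_EAP_PACKET or len(eap) < EAP_HDR_LEN:
        raise ValueError("not an EAP packet")
    code, ident, eap_len = struct.unpack("!BBH", eap[:4])
    pmk_len = eap_len - EAP_HDR_LEN
    if code != EAP_CODE_SUCCESS or eap_len > len(eap) or pmk_len <= 0:
        raise ValueError("EAP-Success carries no well-formed PmkData")
    pmk = decrypt_pmk(ap_privkey, eap[EAP_HDR_LEN:EAP_HDR_LEN + pmk_len])
    # Lengths shrink back by pmk_len: the STA sees a plain 4-byte EAP-Success.
    return pmk, eapol_frame(EAPOL_TYPE_EAP_PACKET, struct.pack("!BBH", code, ident, EAP_HDR_LEN))
```

Stripping rebuilds the EAP-Success from its Code and Identifier, so the frame reaching the STA is byte-identical to the one the AAA server produced; asserting that equality is the cheapest regression test for the Length arithmetic of steps 11 and 12.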
II. Embodiment two:
Thin AP deployment scenario, with centralized forwarding at the AP. The wireless access controller AC and the BNG may be converged or deployed separately; whether the AC is separate or converged with the BNG, the PMK carried in the EAP-SUCCESS message can be parsed out on the AP side. This embodiment uses the networking model in which the AC and the BNG are separate. The AP goes online through the CAPWAP Discovery Request/Response, Join Request/Response, Change State Event Request/Response and Configuration Update Request/Response exchanges, and establishes a CAPWAP control tunnel with the AC.
Step 1: After the access client STA associates with the AP, it sends an EAPoL-Start message to trigger EAP authentication.
Step 2: After the AP receives the STA's EAPoL-Start message, it extends the message with the advertisement information that EAPoL version 3 allows an EAPoL-Start to carry, i.e. it places the AP's public key and encryption algorithm in a TLV option, and sends the extended EAPoL-Start message to the AC through the CAPWAP data tunnel between them.
Step 3: The AC parses the EAPoL-Start message received through the CAPWAP tunnel and forwards it to the BNG over the Layer 2 network.
Step 4: The BNG processes the EAPoL-Start message, stores the association between the STA and the AP together with the AP's public key and encryption algorithm, and requests identity information from the STA by sending an EAPoL/EAP-Request/Identity message to the AC.
Step 5: The AC sends the EAPoL/EAP-Request/Identity message to the AP through the CAPWAP tunnel.
Step 6: The AP forwards the EAPoL/EAP-Request/Identity message to the STA.
Step 7: The STA answers the EAPoL/EAP-Request/Identity message by sending the identity response message EAPoL/EAP-Response/Identity to the AP.
Step 8: The AP sends the EAPoL/EAP-Response/Identity message to the AC through the CAPWAP tunnel.
Step 9: The AC forwards the received EAPoL/EAP-Response/Identity message to the BNG.
Step 10: The BNG encapsulates the EAPoL/EAP-Response/Identity message in a RADIUS Access-Request message and sends it to the AAA server.
Step 11: The AAA server and the STA negotiate the specific authentication method, and the AAA server finally decides whether the STA passes authentication. According to its decision it sends an EAP-SUCCESS message (authentication succeeded) or an EAP-FAILURE message (authentication failed), encapsulated in a RADIUS Access-Accept or Access-Reject respectively, to the BNG.
Step 12: If the BNG receives an Access-Accept, it parses the key-material field of the authorization attributes issued by the AAA server (for example MS_MPPE_RCV_KEY, the MS-MPPE-Recv-Key attribute) to obtain the pairwise master key PMK, encrypts the PMK with the algorithm and key agreed with the AP, and appends the encrypted PMK to the tail of the EAP-SUCCESS message. If the BNG receives an Access-Reject, it sends the EAP-FAILURE message to the STA via the AP and the authentication procedure is triggered again for the STA.
Step 13: The BNG sends the encapsulated EAP-SUCCESS message to the AC. The encrypted PmkData field is appended at the very end of the EAP-Success message, and both the Length field of the EAPoL header and the Length field of the EAP header are increased by pmk_len, the length of the PMK ciphertext.
Step 14: The AC sends the extended EAP-Success message to the AP through the CAPWAP tunnel.
Step 15: The AP decrypts the extended EAP-SUCCESS message with the algorithm agreed with the BNG and its local private key to obtain the PMK, removes the PMK from the EAPOL-SUCCESS message, and reassembles an EAP-SUCCESS message for the STA. When reassembling, the Length of the EAPoL header and the Length of the EAP header must be reduced again by the length of the PMK ciphertext. At this point the STA and the AP each hold the PMK.
Step 16: The AP sends the reassembled EAP-SUCCESS message to the STA. After receiving the authentication success message, the STA starts the DHCP procedure to obtain an IP address.
In a networking where the AC and the BNG are separate, the AC may also obtain the STA's PMK from the BNG on behalf of the AP in the same manner, and then deliver the PMK to the AP in a message element of the CAPWAP tunnel protocol.
III. Embodiment three:
Thin AP deployment scenario, with local forwarding at the AP. This embodiment uses the networking model in which the AC and the BNG are separate, with the AC, the AP and the BNG connected through a switch (SW). The AP goes online through the CAPWAP Discovery Request/Response, Join Request/Response, Change State Event Request/Response and Configuration Update Request/Response exchanges, and establishes a CAPWAP control tunnel with the AC.
Step 1: After the access client STA associates with the AP, it sends an EAPoL-Start message to trigger EAP authentication.
Step 2: After the AP receives the STA's EAPoL-Start message, it extends the message with the advertisement information that EAPoL version 3 allows an EAPoL-Start to carry, i.e. it places the AP's public key and encryption algorithm in a TLV option, and sends the extended EAPoL-Start message to the BNG.
Step 3: The BNG processes the received EAPoL-Start message, stores the association between the STA and the AP together with the AP's public key and encryption algorithm, and requests identity information from the STA by sending an EAPoL/EAP-Request/Identity message to the AP.
Step 4: The AP forwards the EAPoL/EAP-Request/Identity message to the STA.
Step 5: The STA answers the EAPoL/EAP-Request/Identity message by sending the identity response message EAPoL/EAP-Response/Identity to the AP.
Step 6: The AP forwards the received EAPoL/EAP-Response/Identity message to the BNG.
Step 7: The BNG encapsulates the EAPoL/EAP-Response/Identity message in a RADIUS Access-Request message and sends it to the AAA server.
Step 8: The AAA server and the STA negotiate the specific authentication method, and the AAA server finally decides whether the STA passes authentication. According to its decision it sends an EAP-SUCCESS message (authentication succeeded) or an EAP-FAILURE message (authentication failed), encapsulated in a RADIUS Access-Accept or Access-Reject respectively, to the BNG.
Step 9: If the BNG receives an Access-Accept, it parses the key-material field of the authorization attributes issued by the AAA server (for example MS_MPPE_RCV_KEY, the MS-MPPE-Recv-Key attribute) to obtain the pairwise master key PMK, encrypts the PMK with the algorithm and key agreed with the AP, and appends the encrypted PMK to the tail of the EAP-SUCCESS message. If the BNG receives an Access-Reject, it sends the EAP-FAILURE message to the STA via the AP and the authentication procedure is triggered again for the STA.
Step 10: The BNG sends the encapsulated EAP-SUCCESS message to the AP. The encrypted PmkData field is appended at the very end of the EAP-Success message, and both the Length field of the EAPoL header and the Length field of the EAP header are increased by pmk_len, the length of the PMK ciphertext.
Step 11: The AP decrypts the extended EAP-SUCCESS message with the algorithm agreed with the BNG and its local private key to obtain the PMK, removes the PMK from the EAPOL-SUCCESS message, and reassembles an EAP-SUCCESS message for the STA. When reassembling, the Length of the EAPoL header and the Length of the EAP header must be reduced again by the length of the PMK ciphertext. At this point the STA and the AP each hold the PMK.
Step 12: The AP sends the reassembled EAP-SUCCESS message to the STA. After receiving the authentication success message, the STA starts the DHCP procedure to obtain an IP address.
The present invention also provides a system for transmitting a pairwise master key in a WLAN access network.
Referring to Fig. 5, which is a structural diagram of an embodiment of the system of the present invention for transmitting a pairwise master key in a WLAN access network.
The system for transmitting a pairwise master key in a WLAN access network provided by this embodiment comprises an access client 100, an authentication server 200, an access key negotiation point 300 and an access authentication point 400, wherein:
the access key negotiation point 300 is configured to receive the access authentication message sent by the access client, extend the access authentication message with advertisement information, and send the extended access authentication message to the access authentication point; and also to decrypt the authentication success message sent by the access authentication point, obtain the pairwise master key, and send a reassembled authentication success message that does not contain the pairwise master key to the access client;
the access authentication point 400 is configured to obtain the identity information of the access client and send to the authentication server an access request message carrying the identity information of the access client; and, after receiving the authentication success message that the authentication server returns for the access request message, to obtain the pairwise master key from it, encrypt the pairwise master key according to the previously learned advertisement information, and encapsulate the resulting ciphertext in the authentication success message sent to the access key negotiation point;
the access client 100 is configured to send the access authentication message to the access key negotiation point and, after receiving the authentication success message that does not contain the pairwise master key, to send an IP request message to obtain an IP address;
the authentication server 200 is configured to judge, according to the access request message sent by the access authentication point, whether the access client passes authentication and, if so, to return an authentication success message to the access authentication point.
In this embodiment the authentication protocol between access client 100 and authentication server 200 may be EAP, which may include methods such as EAP-PEAP, EAP-SIM, EAP-AKA, EAP-TLS and EAP-TTLS; the authentication protocol between access authentication point 400 and authentication server 200 may be RADIUS or Diameter; access key negotiation point 300 may be an AP device and access authentication point 400 may be a BNG device.
When access client 100 accesses the network through the WLAN, it first associates with a nearby access key negotiation point 300. After association succeeds, access client 100 sends to that access key negotiation point 300 an access authentication message used to authenticate its own identity; in this embodiment this access authentication message may be an EAPOL-Start message. After receiving the access authentication message, access key negotiation point 300 extends it, i.e. adds to the EAPOL-Start message the advertisement information that the EAP authentication protocol supports. This advertisement information may include the public key of the access key negotiation point and the encryption algorithm used to encrypt the pairwise master key; the public key and the encryption algorithm may be configured locally or through a network management system. After extending the access authentication message, access key negotiation point 300 sends it to access authentication point 400.
After receiving the extended access authentication message, access authentication point 400 obtains the identity information of access client 100 and, once it has that identity information, encapsulates it in an access request message used to request access from authentication server 200 and sends the access request message to authentication server 200; in this embodiment this access request message may be a RADIUS Access-Request message. After receiving the access request message, authentication server 200 may negotiate the specific authentication method with access client 100 and finally decide whether access client 100 passes authentication. When access client 100 is authenticated successfully, authentication server 200 returns an authentication success message to access authentication point 400; in this embodiment this authentication success message may be an EAP-SUCCESS message.
After receiving the authentication success message, access authentication point 400 obtains the pairwise master key from it, encrypts the pairwise master key according to the encryption algorithm in the advertisement information, encapsulates the resulting ciphertext in the authentication success message, and sends that authentication success message to access key negotiation point 300.
Access key negotiation point 300 decrypts the received authentication success message with the same encryption algorithm to obtain the pairwise master key, reassembles the authentication success message into one that does not contain the pairwise master key, and sends the reassembled authentication success message to access client 100.
After access client 100 receives from access key negotiation point 300 the authentication success message that does not contain the pairwise master key, it begins WLAN access: it sends an IP address request message to a server on the WLAN side to request an IP address on the access network, and completes network access with the address obtained.
In the embodiment of the present invention, the access key negotiation point receives the access authentication message sent by the access client, extends it with advertisement information, and sends the extended access authentication message to the access authentication point; the access authentication point obtains the identity information of the access client and sends to the authentication server an access request message carrying that identity information, and after receiving the authentication success message it obtains the pairwise master key from it, encrypts the pairwise master key according to the advertisement information, and encapsulates the encrypted pairwise master key in the authentication success message sent to the access key negotiation point; the access key negotiation point decrypts the authentication success message to obtain the pairwise master key and sends a reassembled authentication success message without the pairwise master key to the access client. By extending the access authentication message and the authentication success message, the pairwise master key is delivered to the access authentication point and the access key negotiation point without any dedicated interface between the access key negotiation point and the access authentication point, which avoids the poor networking compatibility and complex interfaces that delivering the pairwise master key from the access authentication point to the access key negotiation point would otherwise cause.
In the above embodiment, access authentication point 400 is specifically configured to:
process the access authentication message, store the advertisement information in it, and send to the access key negotiation point an identity request message used to request the identity information of the access client, so that the access key negotiation point forwards the identity request message to the access client;
receive the identity response message returned by the access client and forwarded by the access key negotiation point, encapsulate the identity response message in an access request message used to request WLAN access from the authentication server, and send that access request message to the authentication server;
after receiving the authentication success message returned by the authentication server, obtain the pairwise master key from the authorization information, encrypt the pairwise master key with the encryption algorithm and public key in the previously stored advertisement information, encapsulate the resulting ciphertext in the authentication success message, and forward it to the access key negotiation point, which forwards the message to the access client to inform it that authentication has passed.
After access authentication point 400 receives the access authentication message that access client 100 sent and access key negotiation point 300 forwarded, it first stores the advertisement information contained in it, which includes the public key of the access key negotiation point and the encryption algorithm used to encrypt the pairwise master key. It then sends to access key negotiation point 300 an identity request message used to request the identity information of access client 100; in this embodiment this identity request message may be an EAPol/Eap-Req/Identity message. Access key negotiation point 300 forwards the identity request message to access client 100.
After receiving the identity request message, access client 100 may respond with an identity response message carrying its own identity information to access key negotiation point 300, and access key negotiation point 300 forwards the identity response message to access authentication point 400. Access authentication point 400 encapsulates the received identity response message in an access request message used to request WLAN access from authentication server 200, and then sends that access request message to authentication server 200 to request access.
After receiving the authentication success message returned by authentication server 200, access authentication point 400 obtains the pairwise master key from the authorization information of that authentication success message, encrypts the pairwise master key with the encryption algorithm in the previously stored advertisement information, encapsulates the resulting ciphertext in the authentication success message, and sends that authentication success message to access key negotiation point 300, which, after receiving it, forwards the authentication success message to access client 100 to inform access client 100 that authentication has passed.
The access authentication point processes the received access authentication message, stores the advertisement information in it, and sends an identity request message to the access key negotiation point. After receiving the identity response message that the access client returns and the access key negotiation point forwards, it encapsulates the identity response message in an access request message used to request WLAN access from the authentication server and sends the access request message to the authentication server. After receiving the authentication success message returned by the authentication server, it encrypts the pairwise master key carried in it and encapsulates the resulting ciphertext in the authentication success message sent to the access key negotiation point. Extending the access authentication message in this way lays the foundation for avoiding the poor networking compatibility and complex interfaces that delivering the pairwise master key from the access authentication point to the access key negotiation point over a dedicated interface would otherwise cause.
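The paragraphs above say the access authentication point obtains the pairwise master key from the authorization information of the authentication success message, and step 10 of the first embodiment names the field, MS_MPPE_RCV_KEY, i.e. the MS-MPPE-Recv-Key attribute. Below, as an added Python example that is not ZTE's code and not part of the patent, is that step carried out against the attribute list of a RADIUS Access-Accept: locating the Microsoft Vendor-Specific sub-attribute MS-MPPE-Recv-Key (vendor 311, sub-type 17) and undoing the salted, chained-MD5 encryption of RFC 2548 section 2.4.3 with the RADIUS shared secret and the Request Authenticator of the matching Access-Request. The AAA-side encryption is included only so that the example runs offline; the shared secret, authenticator, key and function names are constructed test values and assumptions of the example. The 32-byte check reflects that the PMK is the first 256 bits of the EAP MSK, which RADIUS carries in MS-MPPE-Recv-Key.

```python
# Added example, not ZTE's code: recovering the PMK from MS-MPPE-Recv-Key in a
# RADIUS Access-Accept (RFC 2548 section 2.4.3). Secret, authenticator and key
# used by the caller are constructed test data.
import hashlib
import os
import struct

RADIUS_VENDOR_SPECIFIC = 26
MS_VENDOR_ID = 311
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17

def _mppe_xor_chain(secret, req_auth, salt, blocks, encrypting):
    """RFC 2548: b(1)=MD5(S+R+A), c(i)=p(i)^b(i), b(i+1)=MD5(S+c(i))."""
    b = hashlib.md5(secret + req_auth + salt).digest()
    out = []
    for block in blocks:
        xored = bytes(x ^ y for x, y in zip(block, b))
        out.append(xored)
        # The next key block is chained from the ciphertext block, whichever side we are.
        b = hashlib.md5(secret + (xored if encrypting else block)).digest()
    return b"".join(out)

def mppe_encrypt(secret, req_auth, key, salt=None):
    """AAA side: Salt (MSB set) + chained-MD5 encryption of Key-Length | Key | padding."""
    salt = salt or bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    if not salt[0] & 0x80:
        raise ValueError("salt MSB must be set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    blocks = [plain[i:i + 16] for i in range(0, len(plain), 16)]
    return salt + _mppe_xor_chain(secret, req_auth, salt, blocks, True)

def mppe_decrypt(secret, req_auth, value):
    """NAS/BNG side: reverse the chain, then strip the length byte and padding."""
    if len(value) < 18 or (len(value) - 2) % 16:
        raise ValueError("MPPE key attribute has bad length")
    salt, ct = value[:2], value[2:]
    if not salt[0] & 0x80:
        raise ValueError("salt MSB must be set")
    blocks = [ct[i:i + 16] for i in range(0, len(ct), 16)]
    plain = _mppe_xor_chain(secret, req_auth, salt, blocks, False)
    klen = plain[0]
    if klen == 0 or klen > len(plain) - 1:
        raise ValueError("decrypted key length out of range")
    return plain[1:1 + klen]

def vsa(vendor_type, value):
    """Vendor-Specific attribute (type 26) carrying one Microsoft sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(sub), MS_VENDOR_ID) + sub

def find_ms_vsa(attrs, vendor_type):
    """Walk a RADIUS attribute list; return the value of the matching MS sub-attribute."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            vtype, vlen = attrs[i + 6], attrs[i + 7]
            if vendor == MS_VENDOR_ID and vtype == vendor_type and 2 <= vlen and 6 + vlen <= alen:
                return attrs[i + 8:i + 6 + vlen]
        i += alen
    return None

def extract_pmk(attrs, secret, req_auth):
    """BNG step 10: PMK = MS-MPPE-Recv-Key, the first 32 bytes of the EAP MSK."""
    value = find_ms_vsa(attrs, MS_MPPE_RECV_KEY)
    if value is None:
        raise ValueError("Access-Accept carries no MS-MPPE-Recv-Key")
    pmk = mppe_decrypt(secret, req_auth, value)
    if len(pmk) != 32:
        raise ValueError("PMK must be 32 bytes")
    return pmk
```

The RFC 2548 encryption is keyed by the shared secret and by the Request Authenticator of the BNG's own Access-Request, so the BNG must keep that authenticator until the Access-Accept arrives; an Access-Accept whose Response Authenticator or Message-Authenticator does not verify should be discarded by the RADIUS client before this step is reached, which the example leaves to that client.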
In the above embodiment, access key negotiation point 300 is specifically configured to:
decrypt the received authentication success message according to the advertisement information and obtain the pairwise master key carried in it;
remove the pairwise master key from the authentication success message, reassemble an authentication success message that does not contain the pairwise master key, send the reassembled authentication success message to the access client, and perform key negotiation with the access client according to the pairwise master key.
After access key negotiation point 300 receives from access authentication point 400 the authentication success message containing the encrypted pairwise master key, it decrypts the received message with the same encryption algorithm, taken from the advertisement information, that was used to encrypt the pairwise master key, and so obtains the pairwise master key carried in it. It then performs key negotiation with access client 100 according to the obtained pairwise master key. It also reassembles the authentication success message, that is, it removes the pairwise master key from the message to form an authentication success message that does not contain the pairwise master key, and sends the reassembled message to access client 100 to notify access client 100 that access authentication has succeeded and WLAN access may proceed.
Because the access key negotiation point obtains the pairwise master key through the extension of the authentication success message, it needs no dedicated interface to the access authentication point, which further lays the foundation for avoiding the poor networking compatibility and complex interfaces that delivering the pairwise master key from the access authentication point to the access key negotiation point would otherwise cause.
The above are merely preferred embodiments of the present invention and do not limit the scope of its claims; any equivalent structural or flow transformation made using the contents of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (8)

1. transmit the method for pairwise master key in a WLAN access network, it is characterized in that, comprising:
Access key agreement point receives the access authentication message that the access client sends, and expand advertised information in described access authentication message, and the described access authentication message after expanding is sent to access authentication points;
Access authentication points is obtained the identity information of access client, sends the access request message of the identity information that carries described access client to certificate server; After receiving the authentication success message that certificate server returns according to described access request message, from wherein obtaining pairwise master key, and according to the described advertised information of learning before, described pairwise master key is encrypted, after encrypting, resulting ciphertext is encapsulated in described authentication success message and is sent to described access key agreement point;
The described authentication success of access key agreement point deciphering message obtains described pairwise master key, and the authentication success message that does not comprise described pairwise master key of recombinating is sent to the access client.
2. method according to claim 1, is characterized in that, the cryptographic algorithm that described advertised information comprises at least the PKI of described access key agreement point and is used for pairwise master key is encrypted; Described PKI and cryptographic algorithm can local configure, and also can configure by network management system.
3. method according to claim 2, is characterized in that, described access authentication points is obtained the identity information of access client, sends the access request message of the identity information that carries described access client to certificate server; After receiving the authentication success message that certificate server returns according to described access request message, from wherein obtaining pairwise master key, and according to the described advertised information of learning before, described pairwise master key is encrypted, after encrypting, formed ciphertext is encapsulated in and is sent to described access key agreement point in described authentication success message and comprises:
Access authentication points is processed described access authentication message, preserve advertised information wherein, and the identity information that send to be used for asking for the identity information of access client asks for message to accessing the key agreement point, asks for message repeating to accessing client for access key agreement this identity information of naming a person for a particular job;
Receive the identity information response message of the access client response of access key agreement point forwarding, described identity information response message is encapsulated in for the access request message to certificate server request access WLAN, this access request message is sent to certificate server;
After receiving the authentication success message that certificate server returns, obtain pairwise master key from authorization message, and by the cryptographic algorithm in the described advertised information of preserving before and PKI, described pairwise master key is encrypted, after encrypting, resulting ciphertext is encapsulated in described authentication success message repeating to accessing the key agreement point, forward the packet to the access client for it, inform that its authentication passes through.
4. The method according to claim 2, characterized in that the access key agreement point decrypting the authentication success message to obtain the pairwise master key, and sending a reconstructed authentication success message that does not contain the pairwise master key to the access client comprises:
the access key agreement point decrypting the received authentication success message according to the advertised information to obtain the pairwise master key carried in it;
removing the pairwise master key from the authentication success message, reconstructing an authentication success message that does not contain the pairwise master key, sending the reconstructed authentication success message to the access client, and carrying out key agreement with the access client according to the pairwise master key.
5. The method according to any one of claims 1 to 4, characterized in that, after the reconstructed authentication success message that does not contain the pairwise master key is sent to the access client, the method further comprises:
the access client, upon receiving the authentication success message that does not contain the pairwise master key, sending an IP address request message to obtain an IP address.
6. A system for transmitting a pairwise master key in a WLAN access network, comprising an access client, an authentication server, an access key agreement point and an access authentication point, characterized in that:
the access key agreement point is configured to receive the access authentication message sent by the access client, extend the access authentication message with advertised information, and send the extended access authentication message to the access authentication point; and is further configured to decrypt the authentication success message sent by the access authentication point to obtain the pairwise master key, and to send a reconstructed authentication success message that does not contain the pairwise master key to the access client;
the access authentication point is configured to obtain the identity information of the access client, send to the authentication server an access request message carrying the identity information of the access client, and, after receiving the authentication success message returned by the authentication server in response to the access request message, obtain the pairwise master key from it, encrypt the pairwise master key according to the advertised information, encapsulate the resulting ciphertext in the authentication success message and send it to the access key agreement point;
the access client is configured to send the access authentication message to the access key agreement point, receive the authentication success message that does not contain the pairwise master key, and send an IP address request message to obtain an IP address;
the authentication server is configured to judge, according to the access request message sent by the access authentication point, whether the access client passes authentication and, if so, to return to the access authentication point an authentication success message whose authorization information carries the pairwise master key.
7. The system according to claim 6, characterized in that the access authentication point is specifically configured to:
process the access authentication message, save the advertised information carried in it, and send an identity information request message, used to request the identity information of the access client, to the access key agreement point, which forwards the identity information request message to the access client;
receive the identity information response message returned by the access client and forwarded by the access key agreement point, encapsulate the identity information response message in an access request message used to request WLAN access from the authentication server, and send the access request message to the authentication server;
after receiving the authentication success message returned by the authentication server, obtain the pairwise master key from the authorization information, encrypt the pairwise master key with the cryptographic algorithm and public key contained in the previously saved advertised information, encapsulate the resulting ciphertext in the authentication success message and forward it to the access key agreement point, which forwards the message to the access client to inform it that authentication has passed.
8. The system according to claim 6, characterized in that the access key agreement point is specifically configured to:
decrypt the received authentication success message according to the advertised information to obtain the pairwise master key carried in it;
remove the pairwise master key from the authentication success message, reconstruct an authentication success message that does not contain the pairwise master key, send the reconstructed authentication success message to the access client, and carry out key agreement with the access client according to the pairwise master key.
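As an added illustration of claims 3 and 4 (and their system counterparts 7 and 8), not code from the patent or from ZTE, the following Python model shows the access authentication point wrapping the PMK under the public key the access key agreement point advertised, and the access key agreement point unwrapping it and stripping it from the authentication success message before the message goes on to the client. The toy Diffie-Hellman group, the hash-based wrap with an integrity tag, and the message field names are assumptions; the patent only specifies "a cryptographic algorithm and public key".

```python
import hashlib
import hmac
import os

# Assumption: a toy DH group over the Mersenne prime 2**127-1 stands in for the
# "cryptographic algorithm and public key" the patent leaves unspecified.
P = 2 ** 127 - 1
G = 3
PMK_LEN = 32  # an IEEE 802.11 PMK is 256 bits

def keygen():
    """Access key agreement point: generate the key pair whose public half it advertises."""
    priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    return priv, pow(G, priv, P)

def _derive(shared: int):
    """Split a DH shared secret into an encryption key and a MAC key."""
    k = hashlib.sha256(shared.to_bytes(16, "big") + b"pmk-wrap").digest()
    return hashlib.sha256(k + b"enc").digest(), hashlib.sha256(k + b"mac").digest()

def wrap_pmk(pub: int, pmk: bytes) -> bytes:
    """Access authentication point: encrypt the PMK under the advertised public key."""
    assert len(pmk) == PMK_LEN
    eph = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    enc_key, mac_key = _derive(pow(pub, eph, P))
    ct = bytes(a ^ b for a, b in zip(pmk, enc_key))  # fresh key per wrap, used once
    body = pow(G, eph, P).to_bytes(16, "big") + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unwrap_pmk(priv: int, blob: bytes) -> bytes:
    """Access key agreement point: recover the PMK, rejecting tampered ciphertext."""
    body, tag = blob[:16 + PMK_LEN], blob[16 + PMK_LEN:]
    enc_key, mac_key = _derive(pow(int.from_bytes(body[:16], "big"), priv, P))
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("PMK ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(body[16:], enc_key))

def aap_build_success(server_reply: dict, advertised: dict) -> dict:
    """Claims 3/7: take the PMK from the server's authorization data, encrypt it with
    the saved advertised public key, and forward the rest of the message unchanged."""
    msg = {k: v for k, v in server_reply.items() if k != "pmk"}
    msg["pmk_ciphertext"] = wrap_pmk(advertised["pubkey"], server_reply["pmk"])
    return msg

def akap_process_success(priv: int, msg: dict):
    """Claims 4/8: decrypt the PMK, then rebuild the success message without it so no
    key material reaches the client; the PMK is kept for the local key agreement."""
    pmk = unwrap_pmk(priv, msg["pmk_ciphertext"])
    return pmk, {k: v for k, v in msg.items() if k != "pmk_ciphertext"}
```

The integrity tag is the practitioner's addition the claims do not mention: without it, a modified ciphertext would silently yield a different PMK and the later key agreement would fail with no indication of why.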
Priority Applications (2)

Application Number   Publication       Priority Date  Filing Date  Title
CN201310037538.5A    CN103139770B (en)   2013-01-30     2013-01-30   Method and system for transmitting a pairwise master key in a WLAN access network
PCT/CN2013/083632    WO2014117524A1 (en) 2013-01-30     2013-09-17   Method and system for transmitting pairwise master key in wlan access network

Publications (2)

Publication Number   Publication Date
CN103139770A (en)    2013-06-05
CN103139770B (en)    2015-12-23

Family

ID=48498960

Country Status (2)

Country  Link
CN (1)   CN103139770B (en)
WO (1)   WO2014117524A1 (en)

Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant