CN103200004A - Method of sending message, method of establishing secure connection, access point and work station - Google Patents


Info

Publication number
CN103200004A
Authority
CN
China
Prior art keywords
message
sta
dhcp
answer message
sends
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012100046133A
Other languages
Chinese (zh)
Other versions
CN103200004B (en)
Inventor
朱李
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp
Priority to CN201210004613.3A (CN103200004B)
Priority to PCT/CN2013/070242 (WO2013104301A1)
Publication of CN103200004A
Application granted
Publication of CN103200004B
Legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H04W12/106 Packet or message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information: received data contents, e.g. message integrity

Abstract

The invention provides a method of sending a message, a method of establishing a secure connection, an access point and a work station. In the method of sending a message, the access point (AP) generates a pairwise transient key (PTK) and/or checks a message integrity code (MIC); the AP then either sends an association response message to the station (STA) while carrying out a dynamic host configuration protocol (DHCP) process with a DHCP server, or sends to the STA only an association response message that already contains an internet protocol (IP) address. The method of sending a message, the method of establishing a secure connection, the access point and the work station speed up the establishment of a secure link by the STA and reduce the delay a terminal experiences when it initially accesses a wireless local area network (WLAN). Performance improves greatly, in particular in scenarios where a large number of users need to access the WLAN within a short time, and the user experience is improved accordingly.

Description

Method of sending a message, method of establishing a secure connection, access point and work station
Technical field
The present invention relates to the communications field, and in particular to a method of sending a message, a method of establishing a secure connection, an access point and a work station.
Background technology
IEEE 802.11, published by the Institute of Electrical and Electronics Engineers (IEEE), is one of the first-generation wireless local area network (WLAN) standards. It defines the physical layer and the media access control (MAC) protocol, which allows WLAN and radio equipment manufacturers to build network equipment that interoperates within defined limits. Over twenty years of development, the IEEE 802.11 WLAN working group has built out a family of standards, of which 802.11a, 802.11b, 802.11g and 802.11n are the most influential and widely used.
The Wireless Fidelity (Wi-Fi) Alliance, which corresponds to IEEE 802.11, is a non-profit international organization founded in 1999 to certify the interoperability of WLAN products based on the IEEE 802.11 specifications. The goal of the Wi-Fi Alliance members is to improve the user experience through product interoperability.
As shown in Figure 1, an IEEE 802.11 network comprises work stations (Station, STA) and wireless access points (Access Point, AP). A STA is any device that has an IEEE 802.11 MAC layer and physical (PHY) layer interface; it is usually a PC or notebook with a wireless network card, but a wireless terminal can also be an embedded device on a non-terminal that provides wireless connectivity (for example an intelligent terminal with WLAN capability). An AP can be regarded as a wireless hub that bridges between the STAs and an existing (wired or wireless) backbone network. An AP and the one or more STAs within its coverage area form a Basic Service Set (BSS). A BSS is uniquely identified by its basic service set identifier (BSSID), which is the MAC address of the AP. Terminals within one BSS can communicate with each other. A larger virtual BSS formed from several BSSs that share the same service set identifier (SSID) is defined as an Extended Service Set (ESS). Terminals within the same ESS can communicate with each other and can move between the BSSs that belong to it. The network, together with the wired network, that connects the BSSs of an ESS is called the Distribution System (DS). A DS can use wireless or wired technology; usually it uses Ethernet.
To perform authentication and IP address assignment, a WLAN network also comprises an Authentication Server (AS) and a Dynamic Host Configuration Protocol (DHCP) server, as shown in Figure 2. The AS is the entity that provides authentication services for the STA; only a STA that passes authentication is authorized to access the 802.11 network. The AS may also be embedded in the AP. The DHCP server assigns IP addresses to STAs. Through this WLAN network a STA can access the Internet.
Figure 3 shows the key hierarchy introduced for IEEE 802.11i security. The Pairwise Master Key (PMK) is a key that the STA and the AS each generate during the Extensible Authentication Protocol (EAP) authentication process; it is 256 bits long. The Pairwise Transient Key (PTK) is a key that the STA and the AP each derive from the PMK, the random number generated by the STA (SNonce) and the random number generated by the AP (ANonce). The low 128 bits of the PTK are the Key Confirmation Key (KCK), the middle 128 bits are the Key Encryption Key (KEK), and the remaining high-order bits are the Temporal Key (TK). The KCK provides data origin authentication for the EAP over LAN (EAPOL)-Key messages of the 4-way handshake and the group key handshake; the KEK provides confidentiality protection for the EAPOL-Key messages of the 4-way handshake and the group key handshake; and the TK protects the data frames transmitted between the STA and the AP.
In addition, IEEE 802.11 defines the Group Temporal Key (GTK). The GTK is a random number generated by the AP; during the group key handshake the AP encrypts the GTK with the KEK and transfers it to the STA.
Figure 4 is a flow chart of a prior-art procedure by which a STA establishes a secure connection, including IP address assignment, when it initially accesses an IEEE 802.11 network. The specific steps are as follows:
Steps 401-402: the STA completes the procedures that precede association with the network. This includes the passive scan (Beacon) or active scan (Probe Request/Response) process before step 401, which is omitted from the figure. The STA sends an Auth message carrying an EAP Response/ID to the AP, and the AP forwards an AAA EAP-Response/ID message to the AS;
Steps 403-409: this is the authentication process specific to the EAP method, and comprises the following steps:
the AS sends an AAA EAP-Request message to the AP;
the AP generates the random number ANonce and carries it in an EAPoL-Key message; the AP sends an Auth message to the STA that contains an EAP_Request message and/or the EAPoL-Key message;
after the STA receives the Auth message, it may need to carry out several further exchanges with the AS to continue the EAP authentication. The STA then generates the random number SNonce, generates the MSK and PMK, generates the PTK from the PMK, SNonce and ANonce, and generates the KCK and KEK from the PTK;
the STA sends an association request message to the AP. This message contains the EAP_Response, a DHCP-Discover w/Rapid Commit, an EAPoL-Key message and the message integrity code (MIC) of the whole MAC service data unit (MSDU), protected by the KCK. The EAPoL-Key message contains the random number SNonce generated by the STA. The DHCP-related message may be encrypted with the KEK. The whole association request message is integrity-protected with the KCK and carries the computed MIC value;
the AP caches the MSDU MIC and the encrypted DHCP-Discover message;
the AP sends an AAA EAP-Response message to the AS to continue the EAP authentication;
Step 410: the EAP authentication completes successfully, and the AS generates the MSK and/or PMK;
Step 411: the AS sends an AAA EAP-Success message to the AP, carrying the PMK;
Step 412: the AP generates the PTK from the received PMK, the SNonce and the ANonce, and generates the KCK and KEK from the PTK. The AP verifies the MSDU MIC with the generated KCK. If the verification succeeds, the AP decrypts the DHCP-Discover message with the generated KEK;
Step 413: the AP sends a DHCP-Discover message, with or without Rapid Commit, to the DHCP server;
Step 414: the DHCP server assigns an IP address to the STA and sends a DHCP-Ack w/Rapid Commit message to the AP, completing the DHCP procedure;
Step 415: the AP sends an association response message to the STA. This message contains the Association Identifier (AID) that the AP has allocated to the STA, an EAP_Success, the DHCP-Ack w/Rapid Commit message, an EAPoL-Key message and the MIC of the whole MSDU under KCK protection. The message is integrity-protected with the KCK. The EAPoL-Key message contains the GTK and the Integrity Group Temporal Key (IGTK);
Step 416: the STA verifies the MIC of the association response message; if the verification succeeds, the STA installs the PTK, GTK and IGTK;
Step 417: the AP installs the PTK. At this point the STA and the AP have completed establishment of the secure connection.
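The following Python example is added here to make the key hierarchy and the KCK-based MIC check concrete; it is not code from the patent or from ZTE. It derives the PTK from the PMK, ANonce and SNonce, splits it into KCK, KEK and TK in the order the text states, computes a MIC over the association-request MSDU on the STA side and verifies it on the AP side after the AP has obtained the PMK (step 412). The PRF construction (IEEE 802.11i PRF-384 over both MAC addresses and both nonces with the label "Pairwise key expansion"), the HMAC-SHA1-128 MIC and all sample values are assumptions of this example, not details given on the page.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1 iterated with a counter byte until nbits are produced."""
    out, counter = b"", 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, nbits: int = 384) -> bytes:
    """PTK from PMK, ANonce and SNonce (plus both MAC addresses, an 802.11i detail).
    min/max ordering makes the derivation identical on the STA and on the AP."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def split_ptk(ptk: bytes):
    """KCK = low 128 bits, KEK = middle 128 bits, TK = the remaining high-order bits."""
    return ptk[:16], ptk[16:32], ptk[32:]


def compute_mic(kck: bytes, msdu: bytes) -> bytes:
    # Assumption: HMAC-SHA1 truncated to 128 bits, as 802.11i uses for EAPOL-Key MICs under CCMP.
    return hmac.new(kck, msdu, hashlib.sha1).digest()[:16]


def verify_mic(kck: bytes, msdu: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(compute_mic(kck, msdu), mic)


def association_request_round_trip() -> dict:
    """STA protects its association request with the KCK; the AP, once it holds the PMK
    from EAP-Success, derives the same PTK and checks the cached MIC (step 412)."""
    # Constructed sample values, not taken from any real exchange.
    pmk = hashlib.sha256(b"constructed PMK from EAP").digest()   # 256 bits, as the text states
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

    # STA side: derive PTK, split it, and compute the MIC over the association-request MSDU.
    kck_sta, kek_sta, _ = split_ptk(derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce))
    msdu = b"EAP_Response|DHCP-Discover w/Rapid Commit|EAPoL-Key(SNonce)"
    mic = compute_mic(kck_sta, msdu)

    # AP side: derive PTK from the PMK carried in EAP-Success and verify the cached MIC.
    kck_ap, kek_ap, _ = split_ptk(derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce))
    return {
        "keys_match": kck_sta == kck_ap and kek_sta == kek_ap,
        "mic_ok": verify_mic(kck_ap, msdu, mic),
        # A modified MSDU must fail the check even though the MIC is unchanged.
        "tampered_rejected": not verify_mic(kck_ap, msdu.replace(b"Discover", b"Release"), mic),
    }


if __name__ == "__main__":
    print(association_request_round_trip())
```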
In the secure connection establishment process above, the AP can send the association response message of step 415 only after it has received the DHCP-Ack w/Rapid Commit sent by the DHCP server. Only after receiving this association response can the STA enter the authenticated-and-associated state on the basis of the contents of the message, and only then does its state machine enter the full EAP context state. However, the IP address assignment carried out by the DHCP server may involve some delay (after a reasonable period has elapsed, the AP could send a message to notify the STA of the problem even though it has not received the DHCP-ACK, and then fall back to a suitable default network procedure, such as resending the DHCP request), and the STA cannot receive the association response before the DHCP procedure completes. If, for some reason, the DHCP server takes a long time to assign an IP address to the STA, the timer at the STA expires without the STA having received the association response from the AP. The STA then cannot determine where in the secure establishment process the problem occurred, which hampers control of the state machine in the STA; the STA also cannot learn in time whether the EAP authentication succeeded, and when the EAP authentication fails the STA cannot quickly initiate EAP authentication again. The same problems arise during EAP re-authentication between the STA and the network when it includes IP address assignment, where EAP re-authentication includes the various EAP-related re-authentication protocols such as EAP-RP. The delay that the DHCP procedure introduces into the secure establishment process greatly reduces the speed at which the STA establishes a secure connection and initially joins the network, and harms the user experience.
Mobile users constantly enter and leave the coverage area of an ESS. When a mobile device first enters an ESS, it must carry out the STA initial network entry process shown in Figure 4 to establish an initial link. If a large number of users need to access the WLAN network simultaneously within a short time (for example at an airport, where many users want to connect to the WLAN network after landing to obtain travel information), the long network entry delay in this initial link setup becomes even more serious.
To solve the network entry delay problem of mobile users, IEEE 802.11 has set up the 802.11ai working group, whose aim is to let mobile devices establish an initial link quickly without lowering the security level of the existing 802.11 Robust Security Network Association (RSNA). As part of the fast secure link setup procedure for mobile devices, the DHCP-related network entry delay also needs to be resolved in order to achieve fast link establishment between the mobile device and the network.
In summary, the network entry delay that the DHCP procedure causes in the secure establishment process needs to be resolved in order to speed up mobile users' network entry and improve the user experience.
Summary of the invention
Embodiments of the invention provide a method of sending a message, a method of establishing a secure connection, an access point and a work station, so as to solve the network entry delay problem caused by DHCP.
An embodiment of the invention provides a method of sending a message, the method comprising:
an access point (AP) generates a pairwise transient key (PTK) and/or checks a message integrity code (MIC);
the AP sends an association response message to the work station (STA) and carries out a DHCP process with a Dynamic Host Configuration Protocol (DHCP) server; or, the AP sends to the STA only an association response message that contains an IP address.
Preferably, the association response message comprises one of the following parameters or any combination of them: the association identifier (AID) that the AP allocates to the STA, an Extensible Authentication Protocol (EAP) authentication success message, an EAP over LAN key (EAPoL-Key) message and the MIC;
the association response message that contains an IP address also comprises the AID, the EAP authentication success message, the EAPoL-Key message and the MIC;
wherein the EAPoL-Key message comprises a group temporal key (GTK) and/or an integrity group temporal key (IGTK).
Preferably, the AP carrying out the DHCP process with the DHCP server comprises:
the AP sends a DHCP process request message to the DHCP server.
Preferably, the AP carrying out the DHCP process with the DHCP server further comprises:
the AP receives the IP address that the DHCP server has allocated to the STA.
Preferably, the DHCP process comprises DHCPv4, DHCPv6, Neighbor Discovery (ND) and stateless address autoconfiguration procedures.
Preferably, the AP sending the association response message to the STA comprises:
the AP sends the association response message directly to the STA; or
a timer is set in the AP, which starts counting after the AP sends the DHCP process request message to the DHCP server; if the timer expires and the AP has not yet received the DHCP process response message returned by the DHCP server, the AP sends the association response message to the STA; or
a timer is set in the AP, which starts counting after the AP sends the DHCP process request message to the DHCP server; if the AP receives the DHCP process response message returned by the DHCP server before the timer expires, the AP sends to the STA the association response message that contains the IP address.
Preferably, the method further comprises:
if the timer expires and the AP has not yet received a DHCP process response message or a DHCP process negative acknowledgment message returned by the DHCP server, the AP sends a message to the STA so that the STA carries out the DHCP process again.
Preferably, after the AP carries out the DHCP process with the DHCP server, the method further comprises:
after receiving the DHCP process response message sent by the DHCP server, the AP sends the DHCP process response message to the STA.
Preferably, the DHCP process response message is carried in the association response message that the AP sends to the STA.
An embodiment of the invention provides a method of establishing a secure connection, the method comprising:
a work station (STA) receives an association response message sent by an access point (AP);
the STA checks the message integrity code (MIC) and, according to the check result, chooses either to carry out Extensible Authentication Protocol (EAP) authentication again or to wait for a Dynamic Host Configuration Protocol (DHCP) process response message.
Preferably, the association response message comprises one of the following parameters or any combination of them: the association identifier (AID) that the AP allocates to the STA, an EAP authentication success message, an EAP over LAN key (EAPoL-Key) message and the MIC; wherein the EAPoL-Key message comprises a group temporal key (GTK) and/or an integrity group temporal key (IGTK).
Preferably, when the association response message is an association response message that contains an IP address, the method further comprises:
the STA checks the MIC and, after the check succeeds, installs the pairwise transient key (PTK), the group temporal key (GTK) and the integrity group temporal key (IGTK).
Preferably, the STA choosing, according to the check result, either to carry out EAP authentication again or to wait for a DHCP process response message comprises:
after the STA's check of the MIC fails, carrying out EAP authentication again or re-establishing the secure connection; or
after the STA's check of the MIC succeeds, choosing to wait for the DHCP process response message returned by the AP.
Preferably, after choosing to wait for the DHCP process response message returned by the AP, the method further comprises:
the STA receives a DHCP process response message returned by the AP that contains the IP address allocated to the STA; or
the STA receives a DHCP process response message returned by the AP that does not contain an IP address allocated to the STA, and the STA initiates the DHCP process again; or
a timer is set in the STA, which starts counting after the STA receives the association response message or after the STA's check of the MIC succeeds; if the timer expires and the STA has not yet received the DHCP process response message returned by the AP, the STA initiates the DHCP process again.
Preferably, after the STA checks the MIC, the method further comprises:
the STA enters the authenticated-and-associated state, and the state machine of the STA enters the full EAP context state.
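To make the AP-side alternatives above (send directly, send on timer expiry without an IP, send with the IP when the DHCP answer beats the timer, forward a late DHCP answer) and the STA-side handling (MIC check, key installation, STA timer, DHCP re-initiation on a negative answer or on expiry) concrete, here is an added Python simulation of the two sides; it is not the patent's own code, and its timer values, message shapes, state names and the treatment of the MIC result as a flag are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AssocResponse:
    """Association response per the text: AID, EAP-Success, optional IP, EAPoL-Key(GTK/IGTK), MIC."""
    aid: int
    eap_success: bool
    ip: Optional[str]
    mic_valid: bool   # outcome of the KCK-based MIC check, modelled as a flag (assumption)


def ap_run(dhcp_reply_at: Optional[float], dhcp_reply_ip: Optional[str],
           ap_timer: float, mic_valid: bool = True) -> list:
    """AP side. Time 0 is when the AP sent the DHCP request to the DHCP server and started
    its timer. dhcp_reply_at is when the server answers (None = never); dhcp_reply_ip is the
    allocated address (None models a negative acknowledgment). Returns the timestamped
    messages the AP sends to the STA as (time, kind, payload) tuples."""
    sent = []
    if dhcp_reply_at is not None and dhcp_reply_at <= ap_timer:
        # DHCP answered before the timer expired: one association response carrying the IP.
        sent.append((dhcp_reply_at, "assoc_resp", AssocResponse(1, True, dhcp_reply_ip, mic_valid)))
        return sent
    # Timer expired first: send the association response without waiting for DHCP.
    sent.append((ap_timer, "assoc_resp", AssocResponse(1, True, None, mic_valid)))
    if dhcp_reply_at is not None:
        # A late DHCP answer (ACK with IP, or NAK without) is forwarded to the STA afterwards.
        sent.append((dhcp_reply_at, "dhcp_resp", dhcp_reply_ip))
    return sent


def sta_run(ap_messages: list, sta_timer: float) -> dict:
    """STA side, driven by the AP's message trace. The STA checks the MIC first; on success
    it installs PTK/GTK/IGTK, and if no IP came with the response it starts its own timer
    and waits for the DHCP answer, re-initiating DHCP on a NAK or on timer expiry."""
    actions, state, deadline, keys_installed, ip = [], "waiting_assoc", None, False, None
    for t, kind, payload in sorted(ap_messages, key=lambda m: m[0]):
        if state == "waiting_dhcp" and t > deadline:
            actions.append((deadline, "STA timer expired: re-initiate DHCP"))
            state = "redo_dhcp"
        if kind == "assoc_resp" and state == "waiting_assoc":
            if not payload.mic_valid:
                actions.append((t, "MIC check failed: re-run EAP or re-establish the connection"))
                state = "reauth"
                break
            keys_installed = True
            actions.append((t, "MIC ok: PTK/GTK/IGTK installed, authenticated and associated"))
            if payload.ip is not None:
                ip, state = payload.ip, "configured"
                break
            state, deadline = "waiting_dhcp", t + sta_timer
        elif kind == "dhcp_resp" and state == "waiting_dhcp":
            if payload is None:
                actions.append((t, "DHCP answer carries no IP: re-initiate DHCP"))
                state = "redo_dhcp"
            else:
                ip, state = payload, "configured"
                actions.append((t, "IP received in forwarded DHCP answer"))
    if state == "waiting_dhcp":
        # Trace ended without a DHCP answer: the STA timer fires.
        actions.append((deadline, "STA timer expired: re-initiate DHCP"))
        state = "redo_dhcp"
    return {"state": state, "ip": ip, "keys_installed": keys_installed, "actions": actions}


def run_scenarios() -> dict:
    """Constructed scenarios covering the alternatives listed in the text."""
    return {
        "dhcp_fast": sta_run(ap_run(0.3, "10.0.0.5", ap_timer=1.0), sta_timer=2.0),
        "dhcp_late": sta_run(ap_run(1.5, "10.0.0.6", ap_timer=1.0), sta_timer=2.0),
        "dhcp_too_late": sta_run(ap_run(1.5, "10.0.0.6", ap_timer=1.0), sta_timer=0.2),
        "dhcp_never": sta_run(ap_run(None, None, ap_timer=1.0), sta_timer=2.0),
        "dhcp_nak": sta_run(ap_run(1.5, None, ap_timer=1.0), sta_timer=2.0),
        "bad_mic": sta_run(ap_run(0.3, "10.0.0.5", ap_timer=1.0, mic_valid=False), sta_timer=2.0),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result["state"], result["ip"], result["actions"])
```

Note that in every scenario except the bad-MIC one the STA has installed its keys and entered the authenticated-and-associated state by the AP's timer expiry at the latest, whereas in the prior-art flow it would still be waiting for the association response.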
An embodiment of the invention provides a method of sending a message, the method comprising:
an access point (AP) receives an EAP authentication failure message that an authentication server (AS) sends after Extensible Authentication Protocol (EAP) authentication fails;
the AP sends an association response message to the work station (STA), the association response message comprising the EAP authentication failure message.
An embodiment of the invention provides a method of establishing a secure connection, the method comprising:
a work station (STA) receives an association response message, sent by an access point (AP), that comprises an Extensible Authentication Protocol (EAP) authentication failure message;
the STA carries out EAP authentication again or re-establishes the secure connection.
An embodiment of the invention provides an access point (AP), the AP comprising:
a generation and checking module, configured to generate a pairwise transient key (PTK) and/or check a message integrity code (MIC);
a processing module, configured to send an association response message to a work station (STA) and carry out a DHCP process with a Dynamic Host Configuration Protocol (DHCP) server; or to send to the STA only an association response message that contains an IP address.
Preferably, the association response message comprises one of the following parameters or any combination of them: the association identifier (AID) that the AP allocates to the STA, an Extensible Authentication Protocol (EAP) authentication success message, an EAP over LAN key (EAPoL-Key) message and the MIC;
the association response message that contains an IP address also comprises the AID, the EAP authentication success message, the EAPoL-Key message and the MIC;
wherein the EAPoL-Key message comprises a group temporal key (GTK) and/or an integrity group temporal key (IGTK).
Preferably, in carrying out the DHCP process with the DHCP server, the processing module is specifically configured to:
send a DHCP process request message to the DHCP server.
Preferably, the processing module is further configured to receive the IP address that the DHCP server has allocated to the STA.
Preferably, in sending the association response message to the STA, the processing module is specifically configured to:
send the association response message directly to the STA; or
set a timer in the AP that starts counting after the processing module sends the DHCP process request message to the DHCP server, and, if the timer expires and the DHCP process response message returned by the DHCP server has not yet been received, send the association response message to the STA; or
set a timer in the AP that starts counting after the AP sends the DHCP process request message to the DHCP server, and, if the AP receives the DHCP process response message returned by the DHCP server before the timer expires, send to the STA the association response message that contains the IP address.
Preferably, the processing module is further configured, if the timer expires and neither a DHCP process response message nor a DHCP process negative acknowledgment message returned by the DHCP server has been received, to send a message to the STA so that the STA carries out the DHCP process again.
Preferably, the processing module is further configured, after carrying out the DHCP process with the DHCP server, to send the DHCP process response message to the STA, either directly or carried in the association response message, if it receives the DHCP process response message sent by the DHCP server.
Preferably, the AP further comprises:
a receiving module, configured to receive an Extensible Authentication Protocol (EAP) authentication failure message that an authentication server (AS) sends after EAP authentication fails;
and the processing module is specifically configured to send to the STA an association response message that comprises the EAP authentication failure message.
An embodiment of the invention provides a work station (STA), the STA comprising:
a receiving module, configured to receive an association response message sent by an access point (AP);
a processing module, configured to check the message integrity code (MIC) of the association response message and, according to the check result, choose either to carry out Extensible Authentication Protocol (EAP) authentication again or to wait for a Dynamic Host Configuration Protocol (DHCP) process response message.
Preferably, the association response message comprises the association identifier (AID) that the AP allocates to the STA, an EAP authentication success message, an EAP over LAN key (EAPoL-Key) message and the MIC; wherein the EAPoL-Key message comprises a group temporal key (GTK) and/or an integrity group temporal key (IGTK).
Preferably, when the association response message is an association response message that contains an IP address,
the processing module is further configured to check the MIC and, after the check succeeds, install the pairwise transient key (PTK), the group temporal key (GTK) and the integrity group temporal key (IGTK).
Preferably, the processing module is specifically configured to:
after the check of the MIC fails, carry out EAP authentication again or re-establish the secure connection; or
after the check of the MIC succeeds, choose to wait for the DHCP process response message returned by the AP.
Preferably, the processing module is further configured to:
after choosing to wait for the DHCP process response message returned by the AP, receive a DHCP process response message returned by the AP that contains the IP address allocated to the STA; or
after choosing to wait for the DHCP process response message returned by the AP, receive a DHCP process response message returned by the AP that does not contain an IP address allocated to the STA, and initiate the DHCP process again; or
after choosing to wait for the DHCP process response message returned by the AP, set a timer in the STA that starts counting after the STA receives the association response message or after the STA's check of the MIC succeeds, and, if the timer expires and the DHCP process response message returned by the AP has not yet been received, initiate the DHCP process again.
Preferably, when the association response message comprises an EAP authentication failure message, the processing module is further configured to carry out EAP authentication again or re-establish the secure connection.
The method of sending a message, the method of establishing a secure connection, the access point and the work station described above speed up the establishment of a secure link by the STA and reduce the delay with which a terminal initially accesses the WLAN network; in particular, in scenarios where a large number of users need to access the WLAN network within a very short time, performance improves greatly and the user experience is improved accordingly.
Description of drawings
Fig. 1 is an architecture diagram of an existing IEEE 802.11 network;
Fig. 2 is an architecture diagram of an existing WLAN network;
Fig. 3 is an architecture diagram of the key hierarchy introduced by the existing IEEE 802.11i;
Fig. 4 is a signaling flow diagram of an existing STA establishing a secure connection, including IP address assignment, when it initially accesses an IEEE 802.11 network;
Fig. 5 is a signaling flow diagram of embodiment one of the method of establishing a secure connection of the present invention;
Fig. 6 is a signaling flow diagram of embodiment two of the method of establishing a secure connection of the present invention;
Fig. 7 is a signaling flow diagram of embodiment three of the method of establishing a secure connection of the present invention;
Fig. 8 is a signaling flow diagram of embodiment four of the method of establishing a secure connection of the present invention;
Fig. 9 is a signaling flow diagram of embodiment five of the method of establishing a secure connection of the present invention;
Figure 10 is a signaling flow diagram of embodiment six of the method of establishing a secure connection of the present invention;
Figure 11 is a signaling flow diagram of embodiment seven of the method of establishing a secure connection of the present invention;
Figure 12 is a signaling flow diagram of embodiment eight of the method of establishing a secure connection of the present invention;
Figure 13 is a schematic structural diagram of an AP embodiment of the present invention;
Figure 14 is a schematic structural diagram of a STA embodiment of the present invention.
Embodiments
To make the purpose, technical solutions and advantages of the present invention clearer, embodiments of the invention are described in detail below with reference to the accompanying drawings. It should be noted that, provided they do not conflict, the embodiments of this application and the features of the embodiments may be combined with one another arbitrarily.
An embodiment of the invention provides a method of sending a message, described from the AP side, comprising:
Step 11: the access point (AP) generates a pairwise transient key (PTK) and/or verifies a message integrity code (MIC);
Step 12: the AP sends an Association Response message to the station (STA) and performs a DHCP process with a Dynamic Host Configuration Protocol (DHCP) server; or, the AP only sends an Association Response message that includes an IP address to the STA.
Here the Association Response message includes the association identifier (AID) that the AP assigns to the STA, an EAP authentication success message, an EAPoL-Key message and the MIC; the Association Response message that includes the IP address also includes the AID, the EAP authentication success message, the EAPoL-Key message and the MIC; the EAPoL-Key message includes the group temporal key (GTK) and the integrity group temporal key (IGTK).
The above method is performed after EAP authentication succeeds. After an EAP authentication failure, the operation performed on the AP side may be:
the access point (AP) receives the EAP authentication failure message that the AS sends after the EAP authentication fails;
the AP sends an Association Response message to the station (STA), the Association Response message including the EAP authentication failure message.
In the above method of sending a message, the AP does not need to wait until it has received the DHCP process response message sent by the DHCP server before it can send the Association Response message to the STA. This increases the speed at which the STA establishes a secure link and reduces the delay of a terminal's initial access to the WLAN; in particular, in scenarios where a large number of users need to access the WLAN within a very short time, performance is greatly improved and the user experience is enhanced.
An embodiment of the invention also provides a method of establishing a secure connection, described from the STA side, comprising:
Step 21: the station (STA) receives the Association Response message sent by the access point (AP);
Here the Association Response message includes the association identifier (AID) that the AP assigns to the STA, an EAP authentication success message, an EAPoL-Key message and the message integrity code (MIC); the EAPoL-Key message includes the group temporal key (GTK) and the integrity group temporal key (IGTK).
Step 22: the STA verifies the message integrity code (MIC) and, according to the verification result, chooses either to perform EAP authentication again or to wait for the Dynamic Host Configuration Protocol (DHCP) process response message.
When the Association Response message is an Association Response message that includes an IP address, the method further comprises: the STA verifies the MIC and, after the verification succeeds, installs the pairwise transient key (PTK), the group temporal key (GTK) and the integrity group temporal key (IGTK).
When the Association Response message includes an EAP authentication failure message, the method further comprises: the STA performs EAP authentication again or re-establishes the secure connection.
In the above method of establishing a secure connection, the STA receives the Association Response message sent by the AP quickly and can therefore establish the secure link as soon as possible, reducing the delay of a terminal's initial access to the WLAN; in particular, in scenarios where a large number of users need to access the WLAN within a very short time, performance is greatly improved and the user experience is enhanced.
The technical solution of the present invention is described in detail below from the perspective of the interaction between the AP and the STA:
Embodiment one
As shown in Fig. 5, the signaling flow of Embodiment one of the method of establishing a secure connection according to the present invention comprises:
Step 501: identical to steps 401-411 in Fig. 4; not repeated here;
Step 502: the AP generates the PTK from the received PMK, the SNonce and the ANonce, and derives the KCK and KEK from the PTK; the AP verifies the MSDU MIC using the derived KCK; if the verification succeeds, the AP decrypts the DHCP-Discover message using the derived KEK;
The decryption of the DHCP-Discover message may also take place after step 503.
Step 503: the AP sends an Association Response message to the STA; the Association Response message sent by the AP to the STA may include the AID, EAP_Success, EAPoL-Key and MIC, where the EAPoL-Key includes the GTK and IGTK;
Step 504: the AP sends a DHCP-Discover message carrying the Rapid Commit option to the DHCP server;
Here the DHCP-Discover message is the DHCP process request message; Rapid Commit is the rapid IP address allocation scheme and is optional.
Alternatively, in this step the AP may send another DHCP process request message, for example a DHCP-Request message, to the DHCP server;
Steps 503 and 504 may be performed in any order: step 504 may take place before step 503, or simultaneously with step 503.
Step 505: after the STA receives the Association Response message, it verifies the MIC successfully; the STA may enter the authenticated and associated state, and the state machine enters the full EAP context state;
The STA chooses to wait for the DHCP-Ack w/Rapid Commit message. The MIC verification performed by the STA after receiving the Association Response message may run in parallel with the DHCP procedure, or before or after it.
Step 506: the DHCP server sends a DHCP-Ack message to the AP, this message carrying the rapid IP address allocation (Rapid Commit) option; the rapid IP address allocation scheme is optional;
Correspondingly, the DHCP-Ack message is the DHCP process response message;
If the above DHCP process request message is a DHCP-Request message, the corresponding DHCP process response message is a DHCP-Response message;
Step 507: the AP sends the DHCP-Ack message, carrying the Rapid Commit option, to the STA.
Preferably, the DHCP Ack message can be carried in the DHCP-Ack.
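The AP-side key derivation and MIC check of step 502, as an added example written for this page and not code from the patent: the PTK is derived with the IEEE 802.11 PRF-384 (HMAC-SHA1) from the PMK, the two MAC addresses and the two nonces, the KCK keys an HMAC-SHA1-128 MIC (EAPOL-Key descriptor version 2), and the STA-side sealing is included so both ends can be exercised. The message layout, the MIC offset and all key material are constructed assumptions; unwrapping the Key Data with the KEK (AES Key Wrap in 802.11i) is not shown.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed layout: a 16-byte MIC field at the offset it has in an EAPOL-Key frame
# (4-byte 802.1X header + 77 bytes of descriptor fields). Assumption for this example.
MIC_OFFSET = 81
MIC_LEN = 16


def prf(key: bytes, label: bytes, data: bytes, out_bits: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(K, A || 0x00 || B || i), i = 0, 1, ...; keep n bits."""
    out = b""
    i = 0
    while len(out) * 8 < out_bits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: out_bits // 8]


@dataclass(frozen=True)
class Ptk:
    kck: bytes  # Key Confirmation Key: keys the MIC the AP checks in step 502
    kek: bytes  # Key Encryption Key: unwraps Key Data such as the carried DHCP-Discover
    tk: bytes   # Temporal Key: protects data frames once the STA installs the PTK


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Ptk:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
    Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    Ordering by value makes the result independent of which side computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return Ptk(kck=ptk[:16], kek=ptk[16:32], tk=ptk[32:48])


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1 truncated to 128 bits over the frame with its MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def sta_seal(kck: bytes, frame: bytes) -> bytes:
    """STA side: write the MIC into the outgoing key message."""
    mic = compute_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def ap_verify(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
              frame: bytes) -> tuple[bool, Ptk]:
    """AP side of step 502: derive the PTK, then check the received MIC with the KCK.
    compare_digest keeps the check constant-time, so a forged MIC leaks nothing via timing."""
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    expected = compute_mic(ptk.kck, frame)
    received = frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(expected, received), ptk


def demo() -> dict:
    # Constructed test inputs, not captured traffic.
    pmk = hashlib.sha256(b"constructed PMK from EAP").digest()
    aa = bytes.fromhex("020000000001")   # AP address (constructed)
    spa = bytes.fromhex("020000000002")  # STA address (constructed)
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    # The STA passes the addresses and nonces in the opposite order; the PTK must still match.
    sta_ptk = derive_ptk(pmk, spa, aa, snonce, anonce)
    key_data = b"constructed key data (wrapped DHCP-Discover would go here)"
    frame = bytes(MIC_OFFSET) + bytes(MIC_LEN) + len(key_data).to_bytes(2, "big") + key_data
    sealed = sta_seal(sta_ptk.kck, frame)
    ok, ap_ptk = ap_verify(pmk, aa, spa, anonce, snonce, sealed)
    tampered = sealed[:-1] + bytes([sealed[-1] ^ 0x01])       # one flipped bit in Key Data
    tampered_ok, _ = ap_verify(pmk, aa, spa, anonce, snonce, tampered)
    wrong_pmk_ok, _ = ap_verify(bytes(32), aa, spa, anonce, snonce, sealed)
    return {"valid": ok, "same_ptk": ap_ptk == sta_ptk,
            "tampered": tampered_ok, "wrong_pmk": wrong_pmk_ok}
```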
Embodiment two
As shown in Fig. 6, the signaling flow of Embodiment two of the method of establishing a secure connection according to the present invention comprises:
Step 601: identical to steps 401-411 in Fig. 4; not repeated here;
Step 602: the AP generates the PTK from the received PMK, the SNonce and the ANonce, and derives the KCK and KEK from the PTK; the AP verifies the MSDU MIC using the derived KCK; if the verification succeeds, the AP decrypts the DHCP-Discover message using the derived KEK;
Step 603: the AP sends a DHCP-Discover message to the DHCP server, this message carrying the Rapid Commit option;
The rapid IP address allocation scheme is optional.
Step 604: a timer is set in the AP, which starts after the AP sends the DHCP-Discover message to the DHCP server. If the timer expires and the AP has still not received the DHCP-Ack message sent by the DHCP server, the AP sends an Association Response message to the STA; this Association Response message may include the AID, EAP_Success message, EAPoL-Key message and MIC, where the EAPoL-Key message includes the GTK and IGTK.
Step 605: after the STA receives the Association Response message and verifies the MIC successfully, the STA may enter the authenticated and associated state, and the state machine enters the full EAP context state.
The STA chooses to wait for the DHCP-Ack w/Rapid Commit message. The MIC verification performed by the STA after receiving the Association Response message may run in parallel with the DHCP procedure, or before or after it.
Step 606: the DHCP server sends a DHCP-Ack w/Rapid Commit message to the AP;
The rapid IP address allocation scheme is optional.
Step 607: the AP sends the DHCP-Ack w/Rapid Commit message to the STA.
Embodiment three
As shown in Fig. 7, the signaling flow of Embodiment three of the method of establishing a secure connection according to the present invention comprises:
Step 701: identical to steps 401-411 in Fig. 4; not repeated here;
Step 702: the AP generates the PTK from the received PMK, the SNonce and the ANonce, and derives the KCK and KEK from the PTK; the AP verifies the MSDU MIC using the derived KCK; if the verification succeeds, the AP decrypts the DHCP-Discover message using the derived KEK;
Step 703: the AP sends a DHCP-Discover w/Rapid Commit message to the DHCP server;
The rapid IP address allocation scheme is optional.
Step 704: the AP sends a DHCP-Discover message to the DHCP server, this message carrying the Rapid Commit option; a timer is set in the AP, which starts after the AP sends the DHCP-Discover message to the DHCP server. If the timer expires and the AP has still not received a DHCP-Ack or DHCP-NAK message from the DHCP server, the AP sends a message to the STA to notify it of this problem. Preferably, this message may be an Association Response message.
Step 705: after the STA receives the Association Response message and verifies the MIC successfully, the STA may enter the authenticated and associated state, and the state machine enters the full EAP context state;
The STA chooses to wait for the DHCP acknowledgement message. The MIC verification performed by the STA after receiving the Association Response message may run in parallel with the DHCP procedure, or before or after it.
Step 706: the DHCP server sends the DHCP acknowledgement message to the AP, this message carrying the Rapid Commit option;
The rapid IP address allocation scheme is optional.
Step 707: if the AP receives the DHCP acknowledgement message within the specified time, the AP sends the DHCP acknowledgement message carrying the Rapid Commit option to the STA. Preferably, the DHCP acknowledgement message is carried in the Association Response message. If the AP has still not received the DHCP acknowledgement message from the DHCP server within the specified time, the AP sends a message to the STA to notify it of this problem. Preferably, this message is an Association Response message. The STA or the AP then restarts the network procedure using a suitable default approach, for example by resending a DHCP request to the DHCP server.
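The DHCP-Discover w/Rapid Commit request and the DHCP-Ack / DHCP-NAK answers the AP exchanges with the DHCP server in Embodiments one to three, as an added example written for this page and not the patent's own code: a minimal DHCPv4 encoder and parser plus the AP's decision of what a server reply means for the STA in step 707. Assumed: RFC 2131 message framing and the Rapid Commit option code 80 from RFC 4039; all addresses and transaction ids are constructed.

```python
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = bytes.fromhex("63825363")
OPT_MSG_TYPE, OPT_RAPID_COMMIT, OPT_END = 53, 80, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
BOOTREQUEST, BOOTREPLY = 1, 2


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(p) for p in ip.split("."))


def build_dhcp(op: int, xid: int, chaddr: bytes, msg_type: int,
               yiaddr: str = "0.0.0.0", rapid_commit: bool = False) -> bytes:
    """Serialize a minimal DHCPv4 message: 236-byte fixed header, magic cookie, options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,
                        bytes(4), ip_to_bytes(yiaddr), bytes(4), bytes(4),
                        chaddr.ljust(16, b"\x00"), bytes(64), bytes(128))
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if rapid_commit:
        options += bytes([OPT_RAPID_COMMIT, 0])  # zero-length option (RFC 4039)
    options += bytes([OPT_END])
    return fixed + MAGIC_COOKIE + options


@dataclass
class DhcpMsg:
    op: int
    xid: int
    yiaddr: str
    chaddr: bytes
    msg_type: str
    rapid_commit: bool
    options: dict = field(default_factory=dict)


def parse_dhcp(data: bytes) -> DhcpMsg:
    """Parse the fixed header and the option list; reject anything that does not fit the message."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    op, _, hlen, _, xid = struct.unpack("!BBBBI", data[:8])
    yiaddr = ".".join(str(b) for b in data[16:20])
    chaddr = data[28:28 + hlen]
    options = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad octet
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of message" % code)
        options[code] = value
        i += 2 + length
    mt = options.get(OPT_MSG_TYPE)
    msg_type = MSG_TYPES.get(mt[0], "UNKNOWN") if mt else "UNKNOWN"
    return DhcpMsg(op, xid, yiaddr, chaddr, msg_type, OPT_RAPID_COMMIT in options, options)


def ap_classify_reply(data: bytes, expected_xid: int) -> str:
    """AP side of steps 706-707: decide what a reply from the DHCP server means for the STA."""
    try:
        msg = parse_dhcp(data)
    except ValueError:
        return "IGNORE"                    # malformed: never relay it to the STA
    if msg.op != BOOTREPLY or msg.xid != expected_xid:
        return "IGNORE"                    # not a reply, or not this STA's transaction
    if msg.msg_type == "ACK" and msg.rapid_commit and msg.yiaddr != "0.0.0.0":
        return "RELAY_ACK_WITH_IP"         # address assigned in a single round trip
    if msg.msg_type == "NAK":
        return "RELAY_NAK"                 # the STA must re-initiate DHCP
    return "RELAY_OTHER"                   # e.g. OFFER: server did not honour Rapid Commit


def demo() -> dict:
    mac = bytes.fromhex("020000000002")    # constructed STA MAC
    xid = 0x3903F326                        # constructed transaction id
    discover = build_dhcp(BOOTREQUEST, xid, mac, 1, rapid_commit=True)
    ack = build_dhcp(BOOTREPLY, xid, mac, 5, yiaddr="192.0.2.10", rapid_commit=True)
    nak = build_dhcp(BOOTREPLY, xid, mac, 6)
    stale = build_dhcp(BOOTREPLY, xid ^ 1, mac, 5, yiaddr="192.0.2.11", rapid_commit=True)
    return {"discover": parse_dhcp(discover),
            "ack": ap_classify_reply(ack, xid),
            "nak": ap_classify_reply(nak, xid),
            "stale": ap_classify_reply(stale, xid),
            "truncated": ap_classify_reply(ack[:241], xid)}   # cut inside an option header
```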
Embodiment four
As shown in Fig. 8, the signaling flow of Embodiment four of the method of establishing a secure connection according to the present invention comprises:
Step 801: identical to steps 401-411 in Fig. 4; not repeated here;
Step 802: the AP generates the PTK from the received PMK, the SNonce and the ANonce, and derives the KCK and KEK from the PTK; the AP verifies the MSDU MIC using the derived KCK; if the verification succeeds, the AP decrypts the DHCP-Discover message using the derived KEK;
The decryption of the DHCP-Discover message may also take place after step 803.
Step 803: the AP sends an Association Response message to the STA; the Association Response message sent by the AP to the STA may include the AID, EAP_Success, EAPoL-Key and MIC, where the EAPoL-Key includes the GTK and IGTK;
Step 804: the AP sends a DHCP-Discover w/Rapid Commit message to the DHCP server;
The rapid IP address allocation scheme is optional.
Steps 803 and 804 may be performed in any order: step 804 may take place before step 803, or simultaneously with step 803.
Step 805: after the STA receives the Association Response message and verifies the MIC successfully, the STA may enter the authenticated and associated state, and the state machine enters the full EAP context state; the STA chooses to wait for the DHCP-Ack w/Rapid Commit message. A timer is set in the STA, which starts after the STA receives the Association Response message or after the MIC verification succeeds;
The MIC verification performed by the STA after receiving the Association Response message may run in parallel with the DHCP procedure, or before or after it.
Step 806: the timer in the STA expires and the STA has still not received the DHCP-related message from the AP; the STA initiates the DHCP procedure or the initialization procedure again, or re-establishes the secure connection, where the DHCP procedure may be performed only on the data plane.
Embodiment five
As shown in Fig. 9, the signaling flow of Embodiment five of the method of establishing a secure connection according to the present invention comprises:
Step 901: identical to steps 401-411 in Fig. 4; not repeated here;
Step 902: the AP generates the PTK from the received PMK, the SNonce and the ANonce, and derives the KCK and KEK from the PTK; the AP verifies the MSDU MIC using the derived KCK, and the verification succeeds;
Step 903: the AP sends an Association Response message to the STA; the Association Response message sent by the AP to the STA may include the AID, EAP_Success message, EAPoL-Key message and MIC, where the EAPoL-Key includes the GTK and IGTK.
Step 904: the AP decrypts the DHCP-Discover message and sends a DHCP-Discover w/Rapid Commit message to the DHCP server;
The rapid IP address allocation scheme is optional. The decryption of the DHCP-Discover message may also take place in step 902.
Steps 903 and 904 may be performed in any order: step 904 may take place before step 903, or simultaneously with step 903.
Step 905: after the STA receives the Association Response message, the MIC verification fails.
Step 906: the STA may perform the EAP authentication process again, or re-establish the secure connection.
Embodiment six
As shown in Fig. 10, the signaling flow of Embodiment six of the method of establishing a secure connection according to the present invention comprises:
Step 1001: identical to steps 401-411 in Fig. 4; not repeated here;
Step 1002: the AP generates the PTK from the received PMK, the SNonce and the ANonce, and derives the KCK and KEK from the PTK; the AP verifies the MSDU MIC using the derived KCK, and the verification succeeds;
Step 1003: the AP sends an Association Response message that includes IP address information to the STA; the Association Response message sent by the AP to the STA may include the AID, EAP_Success, EAPoL-Key and MIC, where the EAPoL-Key includes the GTK and IGTK;
Here the AP has already obtained the IP address assignment from the DHCP server.
Step 1004: after the STA receives the Association Response message and verifies the MIC successfully, the STA installs the PTK, GTK and IGTK.
Embodiment seven
As shown in Fig. 11, the signaling flow of Embodiment seven of the method of establishing a secure connection according to the present invention comprises:
Step 1101: identical to steps 401-409 in Fig. 4; not repeated here;
Step 1102: EAP authentication fails;
Step 1103: the AS sends an EAP_Failure message to the AP;
Step 1104: the AP sends an Association Response message to the STA, the Association Response message sent by the AP to the STA including the EAP_Failure message;
Step 1105: the STA performs EAP authentication again, or re-establishes the secure connection.
Embodiment eight
As shown in Fig. 12, the signaling flow of Embodiment eight of the method of establishing a secure connection according to the present invention comprises:
Step 1201: identical to steps 401-411 in Fig. 4; not repeated here;
Step 1202: the AP generates the PTK from the received PMK, the SNonce and the ANonce, and derives the KCK and KEK from the PTK; the AP verifies the MSDU MIC using the derived KCK; if the verification succeeds, the AP decrypts the DHCP-Discover message using the derived KEK;
Step 1203: the AP sends a DHCP-Discover message to the DHCP server, this message carrying the Rapid Commit option;
The rapid IP address allocation scheme is optional.
Step 1204: a timer is set in the AP, which starts after the AP sends the DHCP-Discover message to the DHCP server. Before the timer expires, the AP receives the DHCP-Ack message sent by the DHCP server;
Step 1205: the AP sends an Association Response message that includes the IP address to the STA; this Association Response message may include the AID, EAP_Success message, EAPoL-Key message and MIC, where the EAPoL-Key message includes the GTK and IGTK;
Step 1206: after the STA receives the Association Response message and verifies the MIC successfully, the STA may enter the authenticated and associated state, and the state machine enters the full EAP context state.
Embodiments one to eight above may take place when the STA and the network rapidly establish a secure connection, or when the STA and the network perform EAP re-authentication.
The above embodiments of the present invention are not limited to IEEE 802.11 systems; the associated modes may be applied in other wireless communication systems.
As shown in Fig. 13, a schematic structural diagram of an AP embodiment of the present invention, the AP comprises a generation and verification module 1301 and a processing module 1302, wherein:
the generation and verification module is configured to generate a pairwise transient key (PTK) and/or verify a message integrity code (MIC);
the processing module is configured to send an Association Response message to the station (STA) and perform a DHCP process with a Dynamic Host Configuration Protocol (DHCP) server, or to send only an Association Response message that includes an IP address to the STA.
When performing the DHCP process with the DHCP server, the processing module is specifically configured to send a DHCP process request message to the DHCP server. Optionally, the processing module is further configured to receive the IP address that the DHCP server allocates to the STA.
In addition, when sending the Association Response message to the STA, the processing module is specifically configured to: send the Association Response message directly to the STA; or, with a timer set in the AP that starts after the processing module sends the DHCP process request message to the DHCP server, send the Association Response message to the STA if the timer expires and the DHCP process response message returned by the DHCP server has still not been received; or, with a timer set in the AP that starts after the AP sends the DHCP process request message to the DHCP server, send the Association Response message that includes the IP address to the STA if the AP receives the DHCP process response message returned by the DHCP server before the timer expires. The processing module is further configured, if the timer expires and neither a DHCP process response message nor a DHCP process negative acknowledgement message returned by the DHCP server has been received, to send a message to the STA so that the STA performs the DHCP process again.
Further, the processing module is configured, after performing the DHCP process with the DHCP server, if it receives the DHCP process response message sent by the DHCP server, to send the DHCP process response message to the STA either directly or carried in the Association Response message.
For the case of EAP authentication failure, the AP further comprises a receiving module configured to receive the Extensible Authentication Protocol (EAP) authentication failure message that the authentication server (AS) sends after the EAP authentication fails; the processing module is then specifically configured to send an Association Response message that includes the EAP authentication failure message to the STA.
The processing performed by the above AP is identical to the corresponding operations of the AP in Figs. 5-12 and is not repeated here.
The above AP does not need to wait until it has received the DHCP process response message sent by the DHCP server before it can send the Association Response message to the STA. This increases the speed at which the STA establishes a secure link and reduces the delay of a terminal's initial access to the WLAN; in particular, in scenarios where a large number of users need to access the WLAN within a very short time, performance is greatly improved and the user experience is enhanced.
As shown in Fig. 14, a schematic structural diagram of a STA embodiment of the present invention, the STA comprises a receiving module 1401 and a processing module 1402, wherein:
the receiving module is configured to receive the Association Response message sent by the access point (AP);
the processing module is configured to verify the message integrity code (MIC) of the Association Response message and, according to the verification result, to choose either to perform Extensible Authentication Protocol (EAP) authentication again or to wait for the Dynamic Host Configuration Protocol (DHCP) process response message.
Here the Association Response message includes the association identifier (AID) that the AP assigns to the STA, an EAP authentication success message, an EAPoL-Key message and the message integrity code (MIC); the EAPoL-Key message includes the group temporal key (GTK) and the integrity group temporal key (IGTK).
In addition, when the Association Response message is an Association Response message that includes an IP address, the processing module is further configured to verify the MIC and, after the verification succeeds, to install the pairwise transient key (PTK), the group temporal key (GTK) and the integrity group temporal key (IGTK).
Preferably, the processing module is specifically configured to: after the MIC verification fails, perform EAP authentication again or re-establish the secure connection; or, after the MIC verification succeeds, choose to wait for the DHCP process response message returned by the AP. The processing module is further configured, after choosing to wait for the DHCP process response message returned by the AP, to: receive a DHCP process response message returned by the AP that includes the IP address allocated to the STA; or receive a DHCP process response message returned by the AP that does not include an IP address allocated to the STA, and initiate the DHCP process again; or, with a timer set in the STA that starts after the STA receives the Association Response message or after the STA verifies the MIC successfully, initiate the DHCP process again if the timer expires and the DHCP process response message returned by the AP has still not been received.
Further, when the Association Response message includes an EAP authentication failure message, the processing module is further configured to perform EAP authentication again or re-establish the secure connection.
The processing performed by the above STA is identical to the corresponding operations of the STA in Figs. 5-12 and is not repeated here.
The above STA receives the Association Response message sent by the AP quickly and can therefore establish the secure link as soon as possible, reducing the delay of a terminal's initial access to the WLAN; in particular, in scenarios where a large number of users need to access the WLAN within a very short time, performance is greatly improved and the user experience is enhanced.
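The decision logic of the AP processing module (timer after the DHCP request, with and without notifying the STA) and of the STA processing module (MIC outcome, then its own timer while waiting for the relayed DHCP answer), as an added example written for this page and not the patent's own code. Timeouts and event times are constructed; the rule that a NAK arriving before the AP timer expires is relayed along with the Association Response without IP is an assumption.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class ApAction(Enum):
    ASSOC_RESP_WITH_IP = auto()     # DHCP answer with an address arrived before the AP timer expired
    ASSOC_RESP_WITHOUT_IP = auto()  # AP timer expired (or only a NAK arrived): respond now, relay later
    NOTIFY_STA_REDO_DHCP = auto()   # neither Ack nor NAK before expiry, and the AP notifies the STA


class StaAction(Enum):
    REAUTHENTICATE = auto()         # MIC check failed: re-run EAP or re-establish the connection
    INSTALL_KEYS = auto()           # MIC ok and IP present: install PTK/GTK/IGTK
    WAIT_FOR_DHCP_ANSWER = auto()   # MIC ok, no IP yet: start the STA timer
    DONE = auto()                   # relayed DHCP answer carried an IP address
    REDO_DHCP = auto()              # answer without an address, or the STA timer expired


@dataclass
class DhcpEvent:
    t: float                        # seconds after the AP sent its DHCP request (virtual clock)
    kind: str                       # "ACK" or "NAK"
    ip: Optional[str] = None


def ap_decide(events, timeout, notify_on_silence):
    """AP processing module: DHCP request sent at t=0, timer of `timeout` seconds."""
    first = min((e for e in events if e.t <= timeout), key=lambda e: e.t, default=None)
    if first is not None and first.kind == "ACK" and first.ip:
        return ApAction.ASSOC_RESP_WITH_IP, first.ip
    if first is None and notify_on_silence:
        return ApAction.NOTIFY_STA_REDO_DHCP, None
    return ApAction.ASSOC_RESP_WITHOUT_IP, None


def sta_on_assoc_resp(mic_ok: bool, ip_included: bool) -> StaAction:
    """STA step 22: the MIC result decides between re-authentication and waiting for DHCP."""
    if not mic_ok:
        return StaAction.REAUTHENTICATE
    return StaAction.INSTALL_KEYS if ip_included else StaAction.WAIT_FOR_DHCP_ANSWER


def sta_wait_for_dhcp(answers, timeout) -> StaAction:
    """STA timer started when the Association Response arrived (or the MIC check passed)."""
    first = min((a for a in answers if a.t <= timeout), key=lambda a: a.t, default=None)
    if first is None:
        return StaAction.REDO_DHCP          # timer expired, nothing relayed by the AP
    if first.kind == "ACK" and first.ip:
        return StaAction.DONE
    return StaAction.REDO_DHCP              # answer arrived but carries no address (e.g. NAK)


def run_exchange(mic_ok, events, ap_timeout, sta_timeout, notify_on_silence=False):
    """Run one AP/STA exchange over a constructed event list and return the action trace."""
    trace = []
    ap_action, _ip = ap_decide(events, ap_timeout, notify_on_silence)
    trace.append(ap_action)
    if ap_action is ApAction.NOTIFY_STA_REDO_DHCP:
        trace.append(StaAction.REDO_DHCP)
        return trace
    sta_action = sta_on_assoc_resp(mic_ok, ap_action is ApAction.ASSOC_RESP_WITH_IP)
    trace.append(sta_action)
    if sta_action is StaAction.WAIT_FOR_DHCP_ANSWER:
        # The Association Response without IP leaves when the AP timer expires; the AP relays
        # every DHCP answer it holds or later receives, seen by the STA on its own clock.
        t_resp = ap_timeout
        relayed = [DhcpEvent(max(e.t, t_resp) - t_resp, e.kind, e.ip) for e in events]
        trace.append(sta_wait_for_dhcp(relayed, sta_timeout))
    return trace


def scenarios() -> dict:
    """Constructed scenarios covering Embodiments two, three, four, five and eight."""
    ack = DhcpEvent(0.3, "ACK", "192.0.2.10")
    return {
        "ack_before_timer": run_exchange(True, [ack], 1.0, 2.0),
        "ack_after_timer": run_exchange(True, [DhcpEvent(1.8, "ACK", "192.0.2.10")], 1.0, 2.0),
        "nak": run_exchange(True, [DhcpEvent(0.4, "NAK")], 1.0, 2.0),
        "silence_notify": run_exchange(True, [], 1.0, 2.0, notify_on_silence=True),
        "silence_sta_timer": run_exchange(True, [], 1.0, 2.0),
        "bad_mic": run_exchange(False, [ack], 1.0, 2.0),
    }
```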
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method may be implemented by a program instructing the related hardware, and the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disk. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any particular form of combination of hardware and software.
The above embodiments are only intended to describe the technical solution of the present invention and do not limit it; the invention has been described in detail with reference to preferred embodiments only. Those of ordinary skill in the art should appreciate that the technical solution of the present invention may be modified or replaced by equivalents without departing from the spirit and scope of the technical solution of the present invention, and all such modifications and replacements shall fall within the scope of the claims of the present invention.

Claims (31)

1. A method of sending a message, characterized in that the method comprises:
an access point (AP) generating a pairwise transient key (PTK) and/or verifying a message integrity code (MIC);
the AP sending an Association Response message to a station (STA) and performing a DHCP process with a Dynamic Host Configuration Protocol (DHCP) server; or, the AP sending only an Association Response message that includes an IP address to the STA.
2. The method according to claim 1, characterized in that:
the Association Response message includes one of the following parameters or any combination thereof: the association identifier (AID) that the AP assigns to the STA, an Extensible Authentication Protocol (EAP) authentication success message, an Extensible Authentication Protocol over LAN key (EAPoL-Key) message, and the MIC;
the Association Response message that includes the IP address also includes the AID, the EAP authentication success message, the EAPoL-Key message and the MIC;
wherein the EAPoL-Key message includes a group temporal key (GTK) and/or an integrity group temporal key (IGTK).
3. The method according to claim 1, characterized in that:
the process of the AP performing DHCP with the DHCP server comprises:
the AP sending a DHCP process request message to the DHCP server.
4. The method according to claim 1, characterized in that:
the AP performing the DHCP process with the DHCP server further comprises:
the AP receiving the IP address that the DHCP server allocates to the STA.
5. The method according to claim 1, characterized in that:
the DHCP process comprises DHCPv4, DHCPv6, Neighbor Discovery (ND) and the stateless address autoconfiguration procedure.
6. The method according to claim 3, characterized in that:
the AP sending the Association Response message to the STA comprises:
the AP sending the Association Response message directly to the STA; or
a timer being set in the AP, the timer starting after the AP sends the DHCP process request message to the DHCP server, and, if the timer expires and the AP has still not received the DHCP process response message returned by the DHCP server, the AP sending the Association Response message to the STA; or
a timer being set in the AP, the timer starting after the AP sends the DHCP process request message to the DHCP server, and, if the AP receives the DHCP process response message returned by the DHCP server before the timer expires, the AP sending the Association Response message that includes the IP address to the STA.
7. The method according to claim 6, characterized in that the method further comprises:
if the timer expires and the AP has still not received a DHCP process response message or a DHCP process negative acknowledgement message returned by the DHCP server, the AP sending a message to the STA so that the STA performs the DHCP process again.
8. The method according to any one of claims 1-7, characterized in that:
after the AP performs the DHCP process with the DHCP server, the method further comprises:
the AP, after receiving the DHCP process response message sent by the DHCP server, sending the DHCP process response message to the STA.
9. The method according to claim 8, characterized in that:
the DHCP process response message is carried in the Association Response message that the AP sends to the STA.
10. A method of establishing a secure connection, characterized in that the method comprises:
a station (STA) receiving an Association Response message sent by an access point (AP);
the STA verifying a message integrity code (MIC) and, according to the verification result, choosing to perform Extensible Authentication Protocol (EAP) authentication again or choosing to wait for a Dynamic Host Configuration Protocol (DHCP) process response message.
11. The method according to claim 10, characterized in that:
the Association Response message includes one of the following parameters or any combination thereof: the association identifier (AID) that the AP assigns to the STA, an EAP authentication success message, an Extensible Authentication Protocol over LAN key (EAPoL-Key) message, and the MIC; wherein the EAPoL-Key message includes a group temporal key (GTK) and/or an integrity group temporal key (IGTK).
12. The method according to claim 11, characterized in that:
when the Association Response message is an Association Response message that includes an IP address, the method further comprises:
the STA verifying the MIC and, after the verification succeeds, installing a pairwise transient key (PTK), the group temporal key (GTK) and the integrity group temporal key (IGTK).
13. The method according to claim 10, characterized in that:
the STA choosing, according to the verification result, to perform EAP authentication again or to wait for the Dynamic Host Configuration Protocol (DHCP) process response message comprises:
after the STA fails to verify the MIC, performing EAP authentication again or re-establishing the secure connection; or
after the STA verifies the MIC successfully, choosing to wait for the DHCP process response message returned by the AP.
14. The method according to claim 13, characterized in that:
after choosing to wait for the DHCP process response message returned by the AP, the method further comprises:
the STA receiving a DHCP process response message returned by the AP that includes the IP address allocated to the STA; or
the STA receiving a DHCP process response message returned by the AP that does not include an IP address allocated to the STA, and the STA initiating the DHCP process again; or
a timer being set in the STA, the timer starting after the STA receives the Association Response message or after the STA verifies the MIC successfully, and, if the timer expires and the STA has still not received the DHCP process response message returned by the AP, the STA initiating the DHCP process again.
15. The method according to claim 10, characterized in that:
after the STA verifies the MIC, the method further comprises:
the STA entering the authenticated and associated state, and the state machine corresponding to the STA entering the full EAP context state.
16. A method for sending a message, characterized in that the method comprises:
an access point (AP) receiving an EAP-Failure message sent by an authentication server (AS) after Extensible Authentication Protocol (EAP) authentication has failed;
the AP sending an association response message to a station (STA), the association response message containing the EAP-Failure message.
17. A method for establishing a secure connection, characterized in that the method comprises:
a station (STA) receiving an association response message sent by an access point (AP) that contains an Extensible Authentication Protocol (EAP) failure (EAP-Failure) message;
the STA performing EAP authentication again or re-establishing the secure connection.
18. An access point (AP), characterized in that the AP comprises:
a generation and verification module, configured to generate a pairwise transient key (PTK) and/or to verify a message integrity code (MIC);
a processing module, configured to send an association response message to a station (STA) and to carry out a DHCP procedure with a Dynamic Host Configuration Protocol (DHCP) server; or, to send only an association response message containing an IP address to the STA.
19. The AP according to claim 18, characterized in that:
the association response message contains one of the following parameters or any combination thereof: the association identifier (AID) allocated by the AP to the STA, an Extensible Authentication Protocol success (EAP-Success) message, an EAP over LAN key (EAPoL-Key) message, and the MIC;
the association response message containing the IP address further contains the AID, the EAP-Success message, the EAPoL-Key message and the MIC;
wherein the EAPoL-Key message contains a group temporal key (GTK) and/or an integrity group temporal key (IGTK).
20. The AP according to claim 18, characterized in that the processing module carrying out the DHCP procedure with the DHCP server is specifically configured to:
send a DHCP request message to the DHCP server.
21. The AP according to claim 18, characterized in that:
the processing module is further configured to receive the IP address allocated to the STA by the DHCP server.
22. The AP according to claim 18, characterized in that the processing module sending the association response message to the STA is specifically configured to:
send the association response message directly to the STA; or
set a timer in the AP that starts when the processing module sends the DHCP request message to the DHCP server and, if the timer expires and no DHCP response message has yet been received from the DHCP server, send the association response message to the STA; or
set a timer in the AP that starts when the AP sends the DHCP request message to the DHCP server and, if the AP receives the DHCP response message from the DHCP server before the timer expires, send the association response message containing the IP address to the STA.
23. The AP according to claim 22, characterized in that:
the processing module is further configured, if the timer expires and neither a DHCP response message nor a DHCP negative acknowledgement (NAK) message has been received from the DHCP server, to send a message to the STA so that the STA carries out the DHCP procedure again.
24. The AP according to any one of claims 18 to 23, characterized in that:
the processing module is further configured, after carrying out the DHCP procedure with the DHCP server, if a DHCP response message sent by the DHCP server is received, to send that DHCP response message to the STA either directly or carried in the association response message.
25. The AP according to claim 18, characterized in that the AP further comprises:
a receiving module, configured to receive an Extensible Authentication Protocol failure (EAP-Failure) message sent by an authentication server (AS) after EAP authentication has failed;
the processing module being specifically configured to send an association response message containing the EAP-Failure message to the STA.
26. A station (STA), characterized in that the STA comprises:
a receiving module, configured to receive an association response message sent by an access point (AP);
a processing module, configured to verify the message integrity code (MIC) of the association response message and, according to the verification result, either to perform Extensible Authentication Protocol (EAP) authentication again or to wait for a Dynamic Host Configuration Protocol (DHCP) response message.
27. The STA according to claim 26, characterized in that:
the association response message contains the association identifier (AID) allocated by the AP to the STA, an EAP-Success message, an EAP over LAN key (EAPoL-Key) message and the MIC; wherein the EAPoL-Key message contains a group temporal key (GTK) and/or an integrity group temporal key (IGTK).
28. The STA according to claim 27, characterized in that:
when the association response message is an association response message containing an IP address,
the processing module is further configured to verify the MIC and, after the verification succeeds, install the pairwise transient key (PTK), the GTK and the IGTK.
29. The STA according to claim 26, characterized in that the processing module is specifically configured to:
after verification of the MIC fails, perform EAP authentication again or re-establish the secure connection; or
after verification of the MIC succeeds, choose to wait for the DHCP response message returned by the AP.
30. The STA according to claim 29, characterized in that the processing module is further configured to:
after choosing to wait for the DHCP response message returned by the AP, receive a DHCP response message returned by the AP that contains the IP address allocated to the STA; or
after choosing to wait for the DHCP response message returned by the AP, receive a DHCP response message returned by the AP that does not contain an IP address allocated to the STA, and initiate the DHCP procedure again; or
after choosing to wait for the DHCP response message returned by the AP, set a timer in the STA that starts when the STA receives the association response message or when the STA's verification of the MIC succeeds and, if the timer expires and no DHCP response message has yet been received from the AP, initiate the DHCP procedure again.
31. The STA according to claim 26, characterized in that:
when the association response message contains an EAP-Failure message, the processing module is further configured to perform EAP authentication again or re-establish the secure connection.
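The exchange that the AP claims (18 to 25) and the STA claims (26 to 31) describe, as an added example that is not part of the patent or of ZTE's implementation: the AP builds an association response carrying the AID, the EAP result, an EAPoL-Key element with GTK/IGTK, an optional IP address and a MIC; the STA verifies the MIC, installs PTK/GTK/IGTK only on success, and then decides between using a carried IP, waiting for the DHCP reply, or restarting DHCP. The message layout, the split of the PTK into a key confirmation key, the truncated HMAC-SHA256 MIC, the function names and the timers modelled as booleans are all assumptions for illustration; real 802.11 frames and EAPOL-Key MICs are encoded and computed differently.

```python
"""Added example (not from the patent or from ZTE): a simulation of the fast-setup
association exchange in claims 18-31.  Message layout, PTK->KCK split and the MIC
algorithm are assumptions for illustration, not the patent's or 802.11's encodings."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

MIC_LEN = 16  # assumed 128-bit MIC (truncated HMAC-SHA256 keyed with the KCK)


@dataclass
class AssocResponse:
    """Association response carrying the fields listed in claims 19 and 27."""
    aid: int
    eap_result: str            # "EAP-Success" or "EAP-Failure"
    gtk: bytes                 # carried in the EAPoL-Key element
    igtk: bytes
    ip_address: Optional[str]  # set only when the AP finished DHCP before replying
    mic: bytes = b""

    def mic_input(self) -> bytes:
        """Bytes protected by the MIC; the MIC field itself is excluded."""
        ip = (self.ip_address or "").encode()
        return (self.aid.to_bytes(2, "big") + b"|" + self.eap_result.encode() + b"|"
                + self.gtk + b"|" + self.igtk + b"|" + ip)


def derive_kck(ptk: bytes) -> bytes:
    # Assumption: key confirmation key = first 16 bytes of the PTK (802.11 layout KCK|KEK|TK).
    return ptk[:16]


def compute_mic(ptk: bytes, resp: AssocResponse) -> bytes:
    return hmac.new(derive_kck(ptk), resp.mic_input(), hashlib.sha256).digest()[:MIC_LEN]


def ap_build_response(ptk: bytes, gtk: bytes, igtk: bytes, aid: int,
                      dhcp_reply: Optional[str], ap_timer_expired: bool) -> AssocResponse:
    """Claim 22: carry the IP only if the DHCP reply arrived before the AP's timer expired;
    otherwise send the response without it and let the STA finish DHCP itself."""
    ip = dhcp_reply if (dhcp_reply is not None and not ap_timer_expired) else None
    resp = AssocResponse(aid=aid, eap_result="EAP-Success", gtk=gtk, igtk=igtk, ip_address=ip)
    resp.mic = compute_mic(ptk, resp)
    return resp


def ap_build_failure(aid: int) -> AssocResponse:
    """Claim 16: the AS rejected the STA, so the response carries EAP-Failure and no keys."""
    return AssocResponse(aid=aid, eap_result="EAP-Failure", gtk=b"", igtk=b"", ip_address=None)


@dataclass
class Sta:
    ptk: bytes                      # derived earlier in the EAP exchange (assumed given)
    installed: dict = field(default_factory=dict)

    def handle(self, resp: AssocResponse, dhcp_reply: Optional[str],
               sta_timer_expired: bool) -> str:
        """Claims 12-14 / 28-31.  Returns the STA's next action."""
        if resp.eap_result == "EAP-Failure":
            return "reauthenticate"                       # claim 17 / 31
        if not hmac.compare_digest(compute_mic(self.ptk, resp), resp.mic):
            return "reauthenticate"                       # claim 13: MIC failed, keys untrusted
        # Keys are installed only after the MIC over the frame carrying them has verified.
        self.installed = {"PTK": self.ptk, "GTK": resp.gtk, "IGTK": resp.igtk}
        if resp.ip_address:
            return f"configured:{resp.ip_address}"        # IP carried in the association response
        if dhcp_reply and not sta_timer_expired:
            return f"configured:{dhcp_reply}"             # claim 14, first branch
        return "restart_dhcp"                             # claim 14: empty reply or timer expired


if __name__ == "__main__":
    ptk, gtk, igtk = bytes(range(48)), b"G" * 16, b"I" * 16   # constructed sample keys
    resp = ap_build_response(ptk, gtk, igtk, aid=1, dhcp_reply="10.0.0.7", ap_timer_expired=False)
    print(Sta(ptk).handle(resp, None, False))
```

Two points the simulation makes concrete: because the GTK and IGTK travel in the same frame as the MIC that authenticates them, the STA must not install anything until the MIC check passes, and the comparison should be constant-time (hmac.compare_digest here). The IP address is also under the MIC, so a forged or altered address in the association response is rejected the same way as a bad key.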

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201210004613.3A CN103200004B (en) 2012-01-09 2012-01-09 Send the method for message, the method for establishing secure connection, access point and work station
PCT/CN2013/070242 WO2013104301A1 (en) 2012-01-09 2013-01-09 Method for transmitting message, method for establishing secure connection, access point and workstation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210004613.3A CN103200004B (en) 2012-01-09 2012-01-09 Send the method for message, the method for establishing secure connection, access point and work station

Publications (2)

Publication Number Publication Date
CN103200004A true CN103200004A (en) 2013-07-10
CN103200004B CN103200004B (en) 2018-11-20

Family

ID=48722371

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210004613.3A Expired - Fee Related CN103200004B (en) 2012-01-09 2012-01-09 Send the method for message, the method for establishing secure connection, access point and work station

Country Status (2)

Country Link
CN (1) CN103200004B (en)
WO (1) WO2013104301A1 (en)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101056177B (en) * 2007-06-01 2011-06-29 清华大学 Radio mesh re-authentication method based on the WLAN secure standard WAPI

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1455556A (en) * 2003-05-14 2003-11-12 东南大学 Wireless LAN safety connecting-in control method
CN101119199A (en) * 2006-08-02 2008-02-06 西安电子科技大学 Safety fast switch method in wireless local area network
US20080072047A1 (en) * 2006-09-20 2008-03-20 Futurewei Technologies, Inc. Method and system for capwap intra-domain authentication using 802.11r
CN101155092A (en) * 2006-09-29 2008-04-02 西安电子科技大学 Wireless local area network access method, device and system
CN102137401A (en) * 2010-12-09 2011-07-27 华为技术有限公司 Centralized 802.1X authentication method, device and system of wireless local area network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Chengyan Feng, Dezhi Zhang, "Fast Security Setup", IEEE 802.11-11/1426R00 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103491528A (en) * 2013-09-18 2014-01-01 福建星网锐捷网络有限公司 Table entry processing method and device
CN103491528B (en) * 2013-09-18 2016-05-25 福建星网锐捷网络有限公司 Table entry processing method and equipment
CN104902500A (en) * 2015-05-21 2015-09-09 南京创维信息技术研究院有限公司 Automatic connection method and system for wireless network device and wireless access device
CN109361459A (en) * 2018-12-10 2019-02-19 朱新宁 A kind of optic communication intelligence system and method

Also Published As

Publication number Publication date
CN103200004B (en) 2018-11-20
WO2013104301A1 (en) 2013-07-18

Similar Documents

Publication Publication Date Title
US10412083B2 (en) Dynamically generated SSID
CN108293185B (en) Wireless device authentication method and device
RU2424634C2 (en) Method and apparatus for base station self-configuration
EP3334084B1 (en) Security authentication method, configuration method and related device
CN101926151B (en) Method and communication network system for establishing security conjunction
KR101582502B1 (en) Systems and methods for authentication
JP5597676B2 (en) Key material exchange
JP4903792B2 (en) Method of assigning authentication key identifier for wireless portable internet system
US20090019539A1 (en) Method and system for wireless communications characterized by ieee 802.11w and related protocols
CN101371491A (en) Method and arrangement for the creation of a wireless mesh network
CN103686709A (en) Method and system for identifying wireless mesh network
US10263960B2 (en) Wireless communication system and wireless communication method
EP2741475B1 (en) Method and apparatus for allocating an internet protocol address to a client device
CN103313242A (en) Secret key verification method and device
EP2993933A1 (en) Wireless terminal configuration method, apparatus and wireless terminal
US20200389788A1 (en) Session Key Establishment
CN103096307A (en) Secret key verification method and device
CN103200004A (en) Method of sending message, method of establishing secure connection, access point and work station
WO2012068801A1 (en) Authentication method for mobile terminal and mobile terminal
KR100527631B1 (en) System and method for user authentication of ad-hoc node in ad-hoc network
KR100527632B1 (en) System and method for user authentication of ad-hoc gateway in ad-hoc network
US11722894B2 (en) Methods and devices for multi-link device (MLD) address discovery in a wireless network
EP3174326A1 (en) Method for providing a wireless user station for access to a telecommunication network through a network wireless access point, associated network wireless access point and wireless user station
CN117641345A (en) Transmission of network access information for wireless devices
CN102740291A (en) System for realizing wireless LAN authentication and privacy infrastructure (WAPI) authentication and method thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20181120

Termination date: 20200109