CN104270752B - Key agreement method and apparatus for a wireless network - Google Patents

Key agreement method and apparatus for a wireless network

Info

Publication number: CN104270752B
Authority: CN (China)
Prior art keywords: key, operation, step, message4, wireless client
Application number: CN201410519532.6A
Other languages: Chinese (zh)
Other versions: CN104270752A
Inventors: 傅嘉嘉 (Fu Jiajia), 吴蔷 (Wu Qiang), 刘琛 (Liu Chen)
Original assignee: 新华三技术有限公司 (New H3C Technologies Co., Ltd.)
Timeline: application filed by 新华三技术有限公司; priority to CN201410519532.6A; publication of CN104270752A; application granted; publication of CN104270752B


Abstract

This application discloses a key agreement method and apparatus for a wireless network. The method comprises: A. the AP sends EAPOL-Key message Message3 to the wireless client and starts a timer; B. if, after the predetermined time interval has elapsed, the AP still has not successfully received EAPOL-Key message Message4 from the wireless client, it performs a first operation or a second operation. Steps A and B are repeated until the retransmission count of Message3 exceeds a preset retransmission threshold, at which point key agreement is deemed to have failed. The first operation is installing the key and the second operation is uninstalling the key; alternatively, the first operation is installing the new key and the second operation is installing the old key. On the (2N-1)-th execution of step B the first operation is performed, and on the 2N-th execution of step B the second operation is performed, N being a natural number greater than 0. With this method the AP is ultimately able to correctly decrypt the encrypted Message4 returned by the wireless client and treat the key agreement as successful, so that the wireless client can authenticate and associate with the AP.

Description

Key agreement method and apparatus for a wireless network

Technical Field

[0001] This application relates to the field of wireless network technology, and in particular to a key agreement method and apparatus for a wireless network.

Background

[0002] An AP (Access Point) is a wireless transceiver that serves as the access point of a wireless network: one side connects to wireless clients over the wireless network, the other side connects to a wired network (for example, the Internet). The AP converts wireless signals received from a wireless client into data and forwards it to the wired network, and converts data received from the wired network into wireless signals and forwards them to the wireless client. To secure the wireless network, the wireless client and the AP must encrypt their frames with a key, so when a wireless client comes online it performs key agreement with the AP: the two sides negotiate the same key and use it to encrypt and decrypt frames. After the client has come online, it also performs periodic key updates with the AP.

[0003] Currently there are mainly the RSN (Robust Security Network) mode and the WPA (Wi-Fi Protected Access) mode. In RSN mode, the wireless client and the AP exchange four EAPOL-Key (Extensible Authentication Protocol over LAN - Key) messages to negotiate the PTK (Pairwise Transient Key), used to encrypt unicast frames, and the GTK (Group Temporal Key), used to encrypt non-unicast frames. The key agreement process of WPA mode is similar to that of RSN mode, except that the client and the AP negotiate the PTK and the GTK through six EAPOL-Key exchanges: the first four EAPOL-Key messages negotiate only the PTK, and two further EAPOL-Key messages are then needed to negotiate the GTK.

[0004] In general, the wireless client installs the key after it has sent Message4. Some wireless clients, however, install the key early, that is, after receiving Message3 and before replying to the AP with Message4. In that case the Message4 returned by the client is an encrypted frame, but the AP has not yet installed the key at this point, cannot decrypt the encrypted Message4, and can only discard it; the AP then considers Message4 not to have been successfully received. The AP therefore keeps retransmitting Message3 until the retransmission threshold is exceeded, at which point it treats the key agreement as failed. Ultimately the wireless client fails authentication and cannot associate with the AP.

Summary

[0005] In view of this, the present application provides a key agreement method and apparatus for a wireless network.

[0006] The technical solution of the present application is as follows:

[0007] In one aspect, a key agreement method in a wireless network is provided, comprising:

[0008] A. the AP sends EAPOL-Key message Message3 to the wireless client and starts a timer;

[0009] B. if, after the predetermined time interval has elapsed, the AP still has not successfully received EAPOL-Key message Message4 from the wireless client, it performs a first operation or a second operation;

[0010] steps A and B are repeated until the retransmission count of Message3 exceeds a preset retransmission threshold, at which point key agreement is deemed to have failed;

[0011] where the first operation is installing the key and the second operation is uninstalling the key, or the first operation is installing the new key and the second operation is installing the old key; on the (2N-1)-th execution of step B the first operation is performed, and on the 2N-th execution of step B the second operation is performed, N being a natural number greater than 0.

[0012] In another aspect, a key agreement apparatus in a wireless network is also provided. The apparatus is applied on an AP in the wireless network and comprises:

[0013] a receiving module, configured to receive EAPOL-Key message Message4 sent by the wireless client;

[0014] a processing module, configured to perform step A and step B, where step A comprises: sending EAPOL-Key message Message3 to the wireless client and starting a timer; and step B comprises: if, after the predetermined time interval has elapsed, the receiving module still has not successfully received EAPOL-Key message Message4 from the wireless client, performing a first operation or a second operation;

[0015] a failure confirmation module, configured to control the processing module to repeat step A and step B until the retransmission count of Message3 exceeds a preset retransmission threshold, at which point key agreement is deemed to have failed;

[0016] where the first operation is installing the key and the second operation is uninstalling the key, or the first operation is installing the new key and the second operation is installing the old key; the processing module performs the first operation on the (2N-1)-th execution of step B and the second operation on the 2N-th execution of step B, N being a natural number greater than 0.

[0017] With the above technical solution, in the abnormal case where the wireless client installs the key early, the AP starts the timer when it first sends Message3. Because the client installs the key after receiving Message3 and before replying with Message4, the returned Message4 is an encrypted frame; the AP cannot decrypt this encrypted Message4 and discards it. Thus, before the predetermined time interval T elapses, the AP fails to receive Message4 successfully, so it installs the key, retransmits Message3 and restarts the timer. This retransmitted Message3 is an encrypted frame; the client can decrypt it correctly and replies with an encrypted Message4, which the AP, having installed the key, can now decrypt correctly. Thus, before the predetermined time interval T elapses, the AP successfully receives Message4, carries out the subsequent processing of the prior art and confirms that key agreement succeeded. It can be seen that with the above method the AP is ultimately able to correctly decrypt the encrypted Message4 returned by the wireless client and treat the key agreement as successful, so that the wireless client can authenticate and associate with the AP.

Brief Description of the Drawings

[0018] FIG. 1 is a flowchart of the key agreement process in RSN mode in the prior art;

[0019] FIG. 2 is a flowchart of the key agreement method in a wireless network according to an embodiment of the present application;

[0020] FIG. 3 is a schematic diagram of the first key agreement process in an embodiment of the present application when the wireless client installs the key early;

[0021] FIG. 4 is a schematic structural diagram of the key agreement apparatus in a wireless network according to an embodiment of the present application.

Detailed Description

[0022] As shown in FIG. 1, the prior-art key agreement process in RSN mode comprises the following four steps:

[0023] Step S102: the AP sends the wireless client EAPOL-Key message Message1, which carries the random number ANonce;

[0024] Step S104: after receiving Message1, the wireless client computes the PTK from the random number SNonce generated by the client, the already negotiated PMK (Pairwise Master Key), and the random number ANonce carried in Message1; it then uses the KCK (EAPOL-Key Confirmation Key) portion of the generated PTK to compute a MIC (Message Integrity Check) and sends the AP EAPOL-Key message Message2, which carries the random number SNonce and the MIC;

[0025] Step S106: after receiving Message2, the AP computes the PTK from the random number ANonce, the already negotiated PMK, and the random number SNonce carried in Message2; it then uses the KCK of the generated PTK to compute a MIC and performs a MIC check on Message2, that is, it compares the MIC it generated with the MIC carried in Message2: if the two MICs are identical the MIC check succeeds, otherwise it fails. After the MIC check succeeds, the AP generates the GTK from the random value GMK (Group Master Key) and the AP's MAC (Media Access Control) address, and sends the wireless client EAPOL-Key message Message3, which carries a flag instructing the client to install the key, the MIC, and the GTK;

[0026] Step S108: after receiving Message3, the wireless client first performs a MIC check on Message3, then sends the AP EAPOL-Key message Message4, which carries a key-installation confirmation flag and a MIC, and after that installs the PTK and the GTK;

[0027] Step S110: after receiving Message4, the AP first performs a MIC check on Message4 and, once the check succeeds, installs the PTK and the GTK.
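As an added illustration (not code from the patent or from New H3C), the following Python models the computations behind steps S104 and S106: both sides derive the PTK from the PMK, the two nonces and the two MAC addresses, the client computes the Message2 MIC with the KCK, and the AP re-derives the PTK from the SNonce carried in Message2 and checks the MIC before trusting the frame. The PRF, the PTK layout (KCK, KEK, TK) and the MIC construction (HMAC-SHA1 truncated to 128 bits, key descriptor version 2) are those of IEEE 802.11i for an AES-CCMP pairwise cipher; the PMK, MAC addresses and nonces are constructed sample values, not values from the page.

```python
import hashlib
import hmac

# Added example, not code from the patent. Models steps S104/S106: PTK
# derivation on both sides and the Message2 MIC check done by the AP.
# Assumes an AES-CCMP pairwise cipher: PTK is 384 bits (KCK||KEK||TK),
# key descriptor version 2, MIC = HMAC-SHA1-128 over the EAPOL-Key frame.

EAPOL_HDR = 4                              # 802.1X header: version, type, body length
NONCE_OFF = EAPOL_HDR + 1 + 2 + 2 + 8      # after descriptor type, key info, key length, replay counter
MIC_OFF = NONCE_OFF + 32 + 16 + 8 + 8      # after key nonce, EAPOL-Key IV, key RSC, key ID
MIC_LEN = 16


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).
    Sorting the inputs is what lets the AP and the client derive the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes, key_data: bytes = b"") -> bytes:
    """Serialise an EAPOL-Key frame (RSN key descriptor) with the MIC field zeroed."""
    body = b"\x02"                                   # descriptor type 2: RSN
    body += key_info.to_bytes(2, "big")
    body += (16).to_bytes(2, "big")                  # key length: 16 bytes for CCMP
    body += replay_counter.to_bytes(8, "big")
    body += nonce                                    # 32-byte key nonce
    body += bytes(16) + bytes(8) + bytes(8)          # EAPOL-Key IV, key RSC, key ID (unused here)
    body += bytes(MIC_LEN)                           # MIC placeholder, filled in by sign()
    body += len(key_data).to_bytes(2, "big") + key_data
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # 802.1X version 2, type 3 = EAPOL-Key


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """Descriptor version 2 MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = bytearray(frame)
    zeroed[MIC_OFF:MIC_OFF + MIC_LEN] = bytes(MIC_LEN)
    return hmac.new(kck, bytes(zeroed), hashlib.sha1).digest()[:MIC_LEN]


def sign(kck: bytes, frame: bytes) -> bytes:
    signed = bytearray(frame)
    signed[MIC_OFF:MIC_OFF + MIC_LEN] = compute_mic(kck, frame)
    return bytes(signed)


def verify_mic(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(compute_mic(kck, frame), bytes(frame[MIC_OFF:MIC_OFF + MIC_LEN]))


def nonce_of(frame: bytes) -> bytes:
    return bytes(frame[NONCE_OFF:NONCE_OFF + 32])


# Constructed sample inputs (not values from the page).
SAMPLE = {
    "pmk": hashlib.sha256(b"constructed sample PMK").digest(),    # 32-byte PMK
    "aa": bytes.fromhex("001122334455"),                           # AP MAC address
    "spa": bytes.fromhex("66778899aabb"),                          # client MAC address
    "anonce": hashlib.sha256(b"constructed ANonce").digest(),
    "snonce": hashlib.sha256(b"constructed SNonce").digest(),
}


def run_message1_message2(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Steps S102 to S106 with both parties modelled; returns what each side derived and the AP's verdict."""
    # S102: AP -> client. Message1 carries ANonce; key info = version 2 | pairwise | ack.
    msg1 = build_eapol_key(0x008A, 1, anonce)
    # S104: client derives the PTK from the ANonce in Message1 and its own SNonce,
    # then MICs Message2 (key info = version 2 | pairwise | MIC) with the KCK.
    client_ptk = derive_ptk(pmk, aa, spa, nonce_of(msg1), snonce)
    msg2 = sign(client_ptk["kck"], build_eapol_key(0x010A, 1, snonce))
    # S106: AP derives the PTK from the SNonce carried in Message2 and checks the MIC.
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, nonce_of(msg2))
    return {"client_ptk": client_ptk, "ap_ptk": ap_ptk, "msg2": msg2,
            "mic_ok": verify_mic(ap_ptk["kck"], msg2)}


if __name__ == "__main__":
    result = run_message1_message2(**SAMPLE)
    print("PTK match:", result["client_ptk"] == result["ap_ptk"], "Message2 MIC ok:", result["mic_ok"])
```

The MIC covers the whole EAPOL-Key frame, so any change to the SNonce, key info or key data after signing fails the check at the AP, and a wrong PMK on either side produces a different KCK and therefore a failed check; neither side has installed anything at this point, which is why Message1 and Message2 can travel in plaintext.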

[0028] As can be seen from the above, in RSN mode, if the wireless client installs the key early, that is, after receiving Message3 and before replying to the AP with Message4, then the Message4 it returns is an encrypted frame, but the AP has not yet installed the key at this point, cannot decrypt the encrypted Message4 and can only discard it, so the AP considers Message4 not to have been successfully received. The AP therefore keeps retransmitting Message3 until the retransmission threshold is exceeded, at which point it treats the key agreement as failed. Likewise, in WPA mode, when the wireless client installs the key early, the key agreement is treated as failed once the retransmission count of Message3 exceeds the retransmission threshold.

[0029] To solve the above problem of the prior art, the following embodiments of the present application provide a key agreement method in a wireless network and an apparatus to which the method can be applied.

[0030] The wireless network of the following embodiments comprises a wireless client and an AP. The method of the following embodiments can be applied to the first key agreement process as well as to the key agreement process of subsequent key updates, and to RSN mode as well as to WPA mode.

[0031] As shown in FIG. 2, the key agreement method of this embodiment is executed by the AP and comprises the following steps:

[0032] Step S202: the AP sends EAPOL-Key message Message1 to the wireless client;

[0033] Step S204: the AP receives EAPOL-Key message Message2 sent by the wireless client;

[0034] The specific implementation of steps S202 to S204 follows the prior art and is not repeated here.

[0035] Step S206: the AP sends EAPOL-Key message Message3 to the wireless client and starts a timer;

[0036] In practice, a retransmission timer can be used for timing. The specific implementation of sending EAPOL-Key message Message3 to the wireless client follows the prior art and is not repeated here.

[0037] Step S208: the AP determines whether it has successfully received EAPOL-Key message Message4 from the wireless client before the predetermined time interval elapses. If Message4 was successfully received before the predetermined time interval elapsed, step S210 is executed; if Message4 has still not been successfully received after the predetermined time interval has elapsed, step S212 is executed;

[0038] Successful receipt of Message4 can be confirmed in the following two cases:

[0039] Case 1: both the wireless client and the AP have installed the key

[0040] Here the Message4 sent by the wireless client is a frame encrypted with the key, and successful receipt of Message4 by the AP means that the AP correctly decrypts the received encrypted Message4 with the currently installed key.

[0041] Case 2: neither the wireless client nor the AP has installed the key

[0042] Here the Message4 sent by the wireless client is a plaintext frame not encrypted with the key, and successful receipt of Message4 by the AP means that the AP receives this plaintext Message4.

[0043] Step S210: perform the relevant processing according to the received Message4;

[0044] The relevant processing referred to here comprises: in RSN mode, performing a MIC check on the received Message4 and, if it succeeds, confirming that key agreement succeeded; in WPA mode, performing a MIC check on the received Message4 and, if it succeeds, carrying out two further EAPOL-Key exchanges with the wireless client and then confirming that key agreement succeeded.

[0045] Step S212: perform the first operation or the second operation;

[0046] If this is the first key agreement process, then on the (2N-1)-th execution of step S212 the first operation, installing the key, is performed, and on the 2N-th execution of step S212 the second operation, uninstalling the key, is performed. If this is the key agreement process of a subsequent key update, then on the (2N-1)-th execution of step S212 the first operation, installing the new key, is performed, and on the 2N-th execution of step S212 the second operation, installing the old key, is performed. N is a natural number greater than 0.

[0047] An existing retransmission timer lengthens its timeout after each expiry before waiting for the next one; that is, after every expiry it extends its own timeout. Because the AP has two different operations to perform, depending on the situation, when Message4 is not received, the retransmission delay should be extended only after each of the two operations has been performed once; this avoids prolonging the access time through a longer retransmission delay between the two operations. In the method of this embodiment, therefore, the retransmission timer extends its timeout only after every two expiries. For example, the successive timeouts of the retransmission timer may be 5 s, 5 s, 6 s, 6 s, 8 s, 8 s, and so on.

[0048] In the technical solution of this embodiment, the AP sends EAPOL-Key message Message3 to the wireless client and starts a timer; if, after the predetermined time interval has elapsed, it still has not successfully received EAPOL-Key message Message4 from the wireless client, the AP performs the first operation or the second operation; the above steps are repeated until the retransmission count of Message3 exceeds the preset retransmission threshold, at which point key agreement is deemed to have failed. The first operation is installing the key and the second operation is uninstalling the key, or the first operation is installing the new key and the second operation is installing the old key; on the (2N-1)-th execution of the above steps the first operation is performed and on the 2N-th execution the second operation is performed, N being a natural number greater than 0.

[0049] Thus, in the normal case, the AP starts the timer when it first sends Message3. Because the wireless client installs the key after replying with Message4, the returned Message4 is an unencrypted plaintext frame, so the AP receives this plaintext Message4 before the predetermined time interval T elapses, carries out the subsequent processing of the prior art and confirms that key agreement succeeded, so that the wireless client can authenticate and associate with the AP.

[0050] In the abnormal case where the wireless client installs the key early, the AP starts the timer when it first sends Message3. Because the client installs the key after receiving Message3 and before replying with Message4, the returned Message4 is an encrypted frame; the AP cannot decrypt this encrypted Message4 and discards it. Thus, before the predetermined time interval T elapses, the AP fails to receive Message4 successfully, so it installs the key, retransmits Message3 and restarts the timer. This retransmitted Message3 is an encrypted frame; the client can decrypt it correctly and replies with an encrypted Message4, which the AP, having installed the key, can now decrypt correctly. Thus, before the predetermined time interval T elapses, the AP successfully receives Message4, carries out the subsequent processing of the prior art and confirms that key agreement succeeded. It can be seen that with the above method the AP is ultimately able to correctly decrypt the encrypted Message4 returned by the wireless client and treat the key agreement as successful, so that the wireless client can authenticate and associate with the AP.

[0051] In the abnormal case where the first Message3 is lost, the AP starts the timer when it first sends Message3. Because this Message3 is lost in transit, the wireless client does not receive it and does not reply with Message4, so before the predetermined time interval T elapses the AP receives no Message4; it then installs the key, retransmits Message3 and restarts the timer. This retransmitted Message3 is an encrypted frame; since the client has not yet installed the key, it cannot decrypt the received encrypted Message3, discards it and does not reply with Message4. So, before the predetermined time interval T elapses, the AP again receives no Message4; it then uninstalls the key, retransmits Message3 once more and restarts the timer. This retransmitted Message3 is a plaintext frame; after receiving it the client replies with Message4 and installs the key, and the AP receives this plaintext Message4 before the predetermined time interval T elapses. It can then carry out the subsequent processing of the prior art and confirm that key agreement succeeded, so that the wireless client can authenticate and associate with the AP.

[0052] In the abnormal case where the first Message4 is lost, the AP starts the timer when it first sends Message3. The wireless client replies with a plaintext Message4 after receiving Message3 and installs the key, but this plaintext Message4 is lost in transit, so the AP does not receive it before the predetermined time interval T elapses; it then installs the key, retransmits Message3 and restarts the timer. This retransmitted Message3 is an encrypted frame; the client can decrypt it correctly with the installed key and replies with an encrypted Message4. Before the predetermined time interval T elapses the AP receives this encrypted Message4 and decrypts it correctly with the installed key. It can then carry out the subsequent processing of the prior art and confirm that key agreement succeeded, so that the wireless client can authenticate and associate with the AP.

[0053] The above method is now described in detail with a specific example: the first key agreement process in RSN mode, with a wireless client that installs the key early.

[0054] As shown in FIG. 3, the key agreement method in this case comprises the following steps:

[0055] Step S302: the AP sends EAPOL-Key message Message1 to the wireless client;

[0056] after receiving Message1, the wireless client sends EAPOL-Key message Message2 to the AP;

[0057] Step S304: the AP receives EAPOL-Key message Message2 sent by the wireless client;

[0058] Step S306: the AP sends EAPOL-Key message Message3 to the wireless client; the Message3 sent at this point is a plaintext frame. At the same time as sending it, the AP starts the retransmission timer;

[0059] after receiving Message3, the wireless client installs the key and sends the AP an encrypted EAPOL-Key message Message4; the Message4 sent at this point is an encrypted frame;

[0060] Step S308: since the AP has not yet installed the key at this point, the encrypted Message4 sent by the wireless client is discarded and the AP considers Message4 not to have been received;

[0061] Step S310: when the retransmission timer expires, because Message4 from the wireless client has not been successfully received, the AP installs the key. Since the retransmission count of Message3 has not yet exceeded the preset retransmission threshold, the AP retransmits Message3; the Message3 sent at this point is an encrypted frame. At the same time the AP starts the retransmission timer;

[0062] after receiving the encrypted Message3, the wireless client, having already installed the key, can decrypt it correctly and replies with an encrypted Message4 as in the prior art;

[0063] Step S312: the AP receives the encrypted Message4 and, having already installed the key, can decrypt it correctly; that is, Message4 is successfully received before the retransmission timer expires. After the MIC check on the decrypted plaintext Message4 succeeds, the AP performs the relevant processing and confirms that key agreement succeeded.

[0064] Suppose the average timeout of the retransmission timer is t and the retransmission threshold for Message3 is n. Then in the prior art, when the wireless client installs the key early, the time taken by the key agreement is T(client installs key early) = t × n, whereas with the method of this embodiment it is T(client installs key early) = t × 2.

[0065] For example, with t = 800 ms and n = 7, the method of this embodiment shortens the time taken by the key agreement by 4 s.

[0066] It can be seen that, when the wireless client installs the key early, using the method of this embodiment the AP is ultimately able to correctly decrypt the encrypted Message4 returned by the wireless client and treat the key agreement as successful, so that the wireless client can authenticate and associate with the AP.

[0067]以上仅以RSN模式为例进行描述,在WPA模式下,进行密钥协商的过程相类似,不再赘述。 [0067] RSN mode only in the above described example, in the WPA mode, key negotiation process is similar and is not repeated herein.

[0068] Corresponding to the method of the above embodiments, an embodiment of this application further provides a key negotiation apparatus in a wireless network, which is applied on an AP.

[0069] As shown in FIG. 4, the apparatus includes the following modules: a receiving module 10, a processing module 20, a failure confirmation module 30 and a success confirmation module 40, where:

[0070] the receiving module 10 is configured to receive the EAPOL-Key message Message4 sent by the wireless client;

[0071] the processing module 20 is configured to perform step A and step B, where step A includes: sending the EAPOL-Key message Message3 to the wireless client and starting timing; and step B includes: if, after the predetermined time interval has elapsed, the receiving module 10 still has not successfully received the EAPOL-Key message Message4 sent by the wireless client, performing the first operation or the second operation;

[0072] the failure confirmation module 30 is configured to control the processing module 20 to repeat step A and step B until the retransmission count of Message3 exceeds the preset retransmission count threshold, at which point key negotiation failure is confirmed;

[0073] the success confirmation module 40 is configured to, if the receiving module 10 successfully receives the EAPOL-Key message Message4 sent by the wireless client before the timing of the processing module 20 reaches the predetermined time interval, perform the related processing according to that Message4 and confirm that key negotiation succeeded;

[0074] where the first operation is installing the key and the second operation is uninstalling the key, or the first operation is installing the new key and the second operation is installing the old key; the processing module 20 performs the first operation when executing step B for the (2N-1)th time and performs the second operation when executing step B for the 2Nth time, N being a natural number greater than 0;

[0075] where, when the first operation is installing the key and the second operation is uninstalling the key, in step A as executed by the processing module 20 for the (2N-1)th time the Message3 sent to the wireless client is a plaintext message not encrypted with the key, and in step A as executed by the processing module 20 for the 2Nth time the Message3 sent to the wireless client is a ciphertext message encrypted with the key.

[0076] where, when the first operation is installing the new key and the second operation is installing the old key, in step A as executed by the processing module 20 for the (2N-1)th time the Message3 sent to the wireless client is a ciphertext message encrypted with the old key, and in step A as executed by the processing module 20 for the 2Nth time the Message3 sent to the wireless client is a ciphertext message encrypted with the new key.

[0077] where the success confirmation module 40 is specifically configured to: when the Message4 sent by the wireless client is an encrypted ciphertext message, determine that the Message4 sent by the wireless client has been successfully received if the receiving module 10 correctly decrypts the received ciphertext Message4 with the currently installed key; and when the Message4 sent by the wireless client is a plaintext message not encrypted with the key, determine that the Message4 sent by the wireless client has been successfully received if the receiving module 10 receives that plaintext Message4.

[0078] where the processing module 20 extends the predetermined time interval after every two executions of step B.

[0079] In summary, the above embodiments of this application can achieve the following technical effects:

[0080] In the abnormal situation where the wireless client installs the key in advance, the AP starts timing when it first sends Message3. Because the wireless client installs the key after receiving Message3 and before replying Message4, the Message4 it replies is an encrypted ciphertext message; the AP cannot decrypt this ciphertext Message4 and discards it, so the AP fails to receive Message4 before the predetermined time interval T elapses. The AP then installs the key, retransmits Message3 and starts timing again; this retransmitted Message3 is a ciphertext message, which the wireless client can correctly decrypt, and it replies with a ciphertext Message4, which the AP can correctly decrypt with the installed key. Thus the AP successfully receives Message4 before the predetermined time interval T elapses, can perform the subsequent related processing according to the prior art, and confirms that key negotiation succeeded. It can be seen that with the above method the AP can ultimately correctly decrypt the ciphertext Message4 replied by the wireless client and process it as a successful key negotiation, so that the wireless client can be successfully authenticated and access the AP.
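As an added illustration (not code from the patent), the following Python simulation models the AP retry loop of [0071] to [0078] and claim 1 against a constructed client that installs the key before replying Message4, for both the first handshake (install/uninstall) and a rekey (new key/old key), and reproduces the timing comparison of [0064] and [0065]. Encryption is abstracted to a key label on each message; the key names, the client model, the lost-frame case and the time accounting are assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Msg:
    name: str
    key: Optional[str]  # None = plaintext; otherwise ciphertext under this key label


class Client:
    """Constructed wireless-client model. early_install=True is the abnormal client
    of [0080], which installs the key before replying Message4; lose_first=True
    drops the first Message3 it is offered, to exercise the even-numbered step B."""

    def __init__(self, installed: Optional[str], new_key: str,
                 early_install: bool = False, lose_first: bool = False):
        self.installed = installed        # key currently installed (None = none)
        self.new_key = new_key            # key negotiated in this handshake
        self.early_install = early_install
        self.lose_first = lose_first

    def on_message3(self, m3: Msg) -> Optional[Msg]:
        if self.lose_first:
            self.lose_first = False
            return None                   # frame lost: no reply at all
        if m3.key != self.installed:
            return None                   # cannot decrypt: silently dropped
        if self.early_install:
            self.installed = self.new_key            # key first ...
            return Msg("Message4", self.installed)   # ... so Message4 is ciphertext
        m4 = Msg("Message4", self.installed)         # normal order: reply, then install
        self.installed = self.new_key
        return m4


def run_handshake(client: Client, old_key: Optional[str], new_key: str,
                  t_ms: int, n_max: int, alternate: bool) -> Tuple[str, int, int]:
    """AP side of the Message3/Message4 exchange.
    old_key=None: first handshake (first op = install, second op = uninstall);
    otherwise a rekey (first op = install new key, second op = install old key).
    alternate=False is the prior art, which never changes the key while retrying.
    Time accounting follows [0064]: every Message3 transmission occupies one timer
    interval t, and failure is declared when the n-th transmission times out.
    Returns (outcome, elapsed_ms, message3_transmissions)."""
    installed = old_key                   # AP key state before the handshake
    first_op, second_op = new_key, old_key
    transmissions = retransmissions = 0
    while True:
        transmissions += 1                # step A: send Message3 and start the timer
        m4 = client.on_message3(Msg("Message3", installed))
        # [0077]: a plaintext Message4 counts as received; a ciphertext one must
        # decrypt under the currently installed key
        if m4 is not None and (m4.key is None or m4.key == installed):
            installed = new_key           # MIC check etc. omitted; AP installs the key
            return "success", t_ms * transmissions, transmissions
        if transmissions >= n_max:        # retransmission threshold exceeded
            return "failed", t_ms * transmissions, transmissions
        retransmissions += 1              # step B: timer expired without Message4
        if alternate:                     # [0074]: first op on odd, second op on even
            installed = first_op if retransmissions % 2 == 1 else second_op


if __name__ == "__main__":
    T, N = 800, 7                         # t and n from [0065]
    prior = run_handshake(Client(None, "PTK", early_install=True), None, "PTK", T, N, False)
    new = run_handshake(Client(None, "PTK", early_install=True), None, "PTK", T, N, True)
    print("prior art   :", prior)         # ('failed', 5600, 7)
    print("this method :", new)           # ('success', 1600, 2)
    print("saved (ms)  :", prior[1] - new[1])   # 4000
```

The lost-frame client shows why the second operation matters: a normal client that missed the plaintext Message3 cannot read the ciphertext retransmission, and only the uninstall on the second step B lets it complete the exchange.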

[0081] The above are merely preferred embodiments of this application and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of this application shall be included within the scope of protection of this application.

Claims (12)

1. A key negotiation method in a wireless network, characterized by comprising: A. a wireless access point (AP) sends an Extensible Authentication Protocol over LAN key (EAPOL-Key) message Message3 to a wireless client and starts timing; B. if, after a predetermined time interval has elapsed, the AP still has not successfully received the EAPOL-Key message Message4 sent by the wireless client, performing a first operation or a second operation; repeating step A and step B until the retransmission count of Message3 exceeds a preset retransmission count threshold, at which point key negotiation failure is confirmed; where the first operation is installing the key and the second operation is uninstalling the key, or the first operation is installing a new key and the second operation is installing the old key; if this is the first key negotiation process, the first operation, installing the key, is performed when step B is executed for the (2N-1)th time, and the second operation, uninstalling the key, is performed when step B is executed for the 2Nth time; if this is the key negotiation process of a subsequent key update, the first operation, installing the new key, is performed when step B is executed for the (2N-1)th time, and the second operation, installing the old key, is performed when step B is executed for the 2Nth time; N being a natural number greater than 0.
2. The method according to claim 1, characterized by further comprising: if the Message4 is successfully received before the predetermined time interval has elapsed, the AP performs the related processing according to the Message4 and confirms that key negotiation succeeded.
3. The method according to claim 1, characterized in that, when the first operation is installing the key and the second operation is uninstalling the key, in step A as executed for the (2N-1)th time the Message3 sent to the wireless client is a plaintext message not encrypted with the key, and in step A as executed for the 2Nth time the Message3 sent to the wireless client is a ciphertext message encrypted with the key.
4. The method according to claim 1, characterized in that, when the first operation is installing the new key and the second operation is installing the old key, in step A as executed for the (2N-1)th time the Message3 sent to the wireless client is a ciphertext message encrypted with the old key, and in step A as executed for the 2Nth time the Message3 sent to the wireless client is a ciphertext message encrypted with the new key.
5. The method according to claim 2, characterized in that successfully receiving the Message4 comprises: when the Message4 sent by the wireless client is a ciphertext message encrypted with the key, determining that the Message4 sent by the wireless client has been successfully received if the AP correctly decrypts the received ciphertext Message4 with the currently installed key; and when the Message4 sent by the wireless client is a plaintext message not encrypted with the key, determining that the Message4 sent by the wireless client has been successfully received if the AP receives that plaintext Message4.
6. The method according to claim 1, characterized in that the predetermined time interval is extended after every two executions of step B.
7. A key negotiation apparatus in a wireless network, characterized in that it is applied on a wireless access point (AP) in the wireless network and comprises: a receiving module, configured to receive the Extensible Authentication Protocol over LAN key (EAPOL-Key) message Message4 sent by a wireless client; a processing module, configured to perform step A and step B, where step A includes: sending the EAPOL-Key message Message3 to the wireless client and starting timing; and step B includes: if, after a predetermined time interval has elapsed, the receiving module still has not successfully received the EAPOL-Key message Message4 sent by the wireless client, performing a first operation or a second operation; a failure confirmation module, configured to control the processing module to repeat step A and step B until the retransmission count of Message3 exceeds a preset retransmission count threshold, at which point key negotiation failure is confirmed; where the first operation is installing the key and the second operation is uninstalling the key, or the first operation is installing a new key and the second operation is installing the old key; if this is the first key negotiation process, the processing module performs the first operation, installing the key, when executing step B for the (2N-1)th time, and performs the second operation, uninstalling the key, when executing step B for the 2Nth time; if this is the key negotiation process of a subsequent key update, the processing module performs the first operation, installing the new key, when executing step B for the (2N-1)th time, and performs the second operation, installing the old key, when executing step B for the 2Nth time; N being a natural number greater than 0.
8. The apparatus according to claim 7, characterized by further comprising: a success confirmation module, configured to, if the receiving module successfully receives the Message4 before the timing of the processing module reaches the predetermined time interval, perform the related processing according to the Message4 and confirm that key negotiation succeeded.
9. The apparatus according to claim 7, characterized in that, when the first operation is installing the key and the second operation is uninstalling the key, in step A as executed by the processing module for the (2N-1)th time the Message3 sent to the wireless client is a plaintext message not encrypted with the key, and in step A as executed by the processing module for the 2Nth time the Message3 sent to the wireless client is a ciphertext message encrypted with the key.
10. The apparatus according to claim 7, characterized in that, when the first operation is installing the new key and the second operation is installing the old key, in step A as executed by the processing module for the (2N-1)th time the Message3 sent to the wireless client is a ciphertext message encrypted with the old key, and in step A as executed by the processing module for the 2Nth time the Message3 sent to the wireless client is a ciphertext message encrypted with the new key.
11. The apparatus according to claim 8, characterized in that the success confirmation module is specifically configured to: when the Message4 sent by the wireless client is a ciphertext message encrypted with the key, determine that the Message4 sent by the wireless client has been successfully received if the receiving module correctly decrypts the received ciphertext Message4 with the currently installed key; and when the Message4 sent by the wireless client is a plaintext message not encrypted with the key, determine that the Message4 sent by the wireless client has been successfully received if the receiving module receives that plaintext Message4.
12. The apparatus according to claim 7, characterized in that the processing module extends the predetermined time interval after every two executions of step B.
CN201410519532.6A 2014-09-30 2014-09-30 Key agreement method and apparatus for a wireless network CN104270752B (en)


Publications (2)

Publication Number Publication Date
CN104270752A CN104270752A (en) 2015-01-07
CN104270752B true CN104270752B (en) 2017-10-27
