CN104394180A - Wireless terminal authentication method, wireless router and system - Google Patents

Wireless terminal authentication method, wireless router and system

Info

Publication number
CN104394180A
Authority
CN
China
Prior art keywords
wireless terminal
clock drift
value
similarity
wireless router
Prior art date
Legal status
Granted
Application number
CN201410798321.0A
Other languages
Chinese (zh)
Other versions
CN104394180B (en)
Inventor
鲁力
王润喆
毛武斌
陈伟
丁菁
Current Assignee
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China
Priority to CN201410798321.0A
Publication of CN104394180A
Application granted
Publication of CN104394180B
Legal status: Expired - Fee Related

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 67/00 Network arrangements or protocols for supporting network services or applications › H04L 67/01 Protocols › H04L 67/08 Protocols specially adapted for terminal emulation, e.g. Telnet
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 1/00 Arrangements for detecting or preventing errors in the information received › H04L 1/12 Arrangements for detecting or preventing errors in the information received by using return channel › H04L 1/16 Arrangements in which the return channel carries supervisory signals, e.g. repetition request signals › H04L 1/1607 Details of the supervisory signal
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities › H04L 63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS › H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity › H04W 12/06 Authentication

Abstract

The invention discloses a wireless terminal authentication method, a wireless router and a system. The method comprises the following steps: the wireless router receives an authentication request sent by a wireless terminal under test and obtains its IP (Internet Protocol) address; sends timestamp request packets to the terminal under test and receives the timestamp reply packets it returns; determines the timestamp differences; calculates a clock drift value from the timestamp differences using a curve-fitting algorithm; calculates the similarity between that clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router; and judges from the similarity whether the terminal under test satisfies the authentication condition. In the disclosed embodiments the authentication information is derived from the clock drift value of the wireless terminal. Because the clock drift values of different wireless terminals differ, the authentication information is distinctive, the probability that it can be forged is reduced, and the security of the wireless terminal authentication process is improved.

Description

Wireless terminal authentication method, wireless router and system
Technical field
The present invention relates to the field of wireless local area network technology, and in particular to a wireless terminal authentication method, a wireless router and a system.
Background art
With social, economic, scientific and technological development, wireless terminals have come into much wider use and greatly facilitate people's daily work and life.
Wireless local area networks (WLANs) are one of the main channels for Internet access, and improving WLAN security is an important task of WLAN technology. To improve WLAN security, a wireless router needs to authenticate wireless terminals.
In the prior art, one important way for a wireless router to authenticate a wireless terminal is MAC (Media Access Control) address binding: the MAC addresses of the legal wireless terminals that are allowed to connect are stored in the router's built-in access control list (ACL). When a wireless terminal under test attempts to authenticate, it must supply the login password. If the password is wrong, authentication fails. If the password is correct, the router looks up the MAC address of the terminal under test in the ACL: if the ACL contains an entry identical to that MAC address, authentication succeeds and the terminal may access the network through the router; if it does not, authentication fails and the terminal cannot access the network through the router.
In the prior art the terminal under test must supply the login password before its MAC address is checked, and that password can be obtained by others through social engineering, a rogue router impersonating the legitimate one, and similar means, so the wireless terminal authentication process is not very secure and WLAN security is reduced. Furthermore, apart from normal channels, the MAC address of a legal wireless terminal can also be obtained by sending it an ARP (Address Resolution Protocol) query and capturing the answer; because the response to an ARP query is sent automatically, any wireless terminal compatible with the 802.11 standard can obtain the MAC address of a legal wireless terminal, which again makes the authentication process insecure and reduces WLAN security. In addition, the MAC address of a wireless terminal is easily forged: the MAC address is carried in link-layer frames, and link-layer frames can easily be modified by upper-layer software, so after learning the MAC address of a legal wireless terminal through a simple ARP query an attacker can change the MAC address of their own machine to that of the legal terminal. This too makes the wireless terminal authentication process insecure and reduces WLAN security.
In summary, how to improve the security of the wireless terminal authentication process is a problem that urgently needs to be solved.
Summary of the invention
In view of this, the object of the invention is to provide a wireless terminal authentication method, a wireless router and a system that improve the security of the wireless terminal authentication process. The specific scheme is as follows:
A wireless terminal authentication method, comprising the following steps:
Step 101: the wireless router receives an authentication request sent by a wireless terminal under test, obtains the IP address of the terminal under test, sends timestamp request packets to the terminal under test, receives the timestamp reply packets the terminal returns in response, and determines timestamp differences from the timestamp request packets and timestamp reply packets;
Step 102: from the timestamp differences, using a curve-fitting algorithm, calculates the clock drift value of the terminal under test;
Step 103: calculates the similarity between the clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router, and judges from the similarity whether the terminal under test satisfies the authentication condition; if so, the terminal under test passes authentication, otherwise it fails authentication.
Preferably, in step 101, after the wireless router receives the timestamp reply packets returned by the terminal under test, the method further comprises:
the wireless router samples the timestamp request packets and timestamp reply packets to obtain a timestamp packet sample;
the wireless router divides the timestamp packet sample into groups, obtaining at least two timestamp packet sub-samples.
Preferably, in step 101, the step in which the wireless router determines the timestamp differences comprises:
the wireless router calculates, for each timestamp packet sub-sample, the initial timestamp differences of that sub-sample from its timestamp request packets and timestamp reply packets;
the wireless router applies deviation-deletion processing to each group of initial timestamp differences, obtaining the timestamp differences of each timestamp packet sub-sample.
Preferably, step 102 comprises: the wireless router uses the curve-fitting algorithm to fit each group of timestamp differences separately, obtaining a clock drift value of the terminal under test for each group.
Preferably, in step 103, the wireless router calculates the similarity between each group clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router using a Gaussian distribution.
Preferably, in step 103, after calculating the similarities the wireless router stores their values in a similarity matrix, in which each row holds the similarities between one group clock drift value of the terminal under test and the clock drift reference values of all the registered legal wireless terminals, and each column holds the similarities between every group clock drift value of the terminal under test and the clock drift reference value of one legal wireless terminal.
Preferably, in step 103, the process by which the wireless router judges from the similarity whether the terminal under test satisfies the authentication condition comprises:
the wireless router judges, for each row of the similarity matrix, whether the maximum similarity in that row is greater than or equal to a maximum threshold; if so, the column index corresponding to that maximum is recorded in an array vector, otherwise zero is recorded;
the wireless router examines the data stored in the array vector and judges whether the number of occurrences of the mode of the non-zero values, as a fraction of the total number of entries, is greater than or equal to a mode-ratio threshold; if so, the terminal under test passes authentication, otherwise it fails authentication.
Preferably, in step 103, the process by which the wireless router judges from the similarity whether the terminal under test satisfies the authentication condition comprises:
the wireless router calculates the mean of the similarities in each column of the similarity matrix and judges whether the largest of these means is greater than or equal to a mean-value threshold; if so, the terminal under test passes authentication, otherwise it fails authentication.
A wireless router, comprising:
an acquisition module for receiving an authentication request sent by a wireless terminal under test, obtaining the IP address of the terminal under test, sending timestamp request packets to the terminal under test, receiving the timestamp reply packets it returns in response, and determining timestamp differences from the timestamp request packets and timestamp reply packets;
a clock drift value calculation module for calculating the clock drift value of the terminal under test from the timestamp differences;
a terminal authentication module for calculating the similarity between the clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router, and judging from the similarity whether the terminal under test satisfies the authentication condition; if so, the terminal under test passes authentication, otherwise it fails authentication;
a storage module for storing the clock drift reference value of each registered legal wireless terminal.
A wireless terminal authentication system, comprising a wireless terminal under test and the wireless router as claimed in claim 9.
As can be seen from the above technical scheme, in the invention the authentication information needed in the wireless terminal authentication process is derived from the clock drift value of the wireless terminal. That clock drift value is determined by the physical behaviour of the terminal's crystal oscillator, and because the machining of crystal oscillators varies, even oscillators of the same batch produced on the same equipment differ in physical behaviour, so the clock drift values of individual wireless terminals differ. The authentication information derived from the clock drift value is therefore distinctive, which greatly reduces the possibility of the authentication information being forged and improves the security of the wireless terminal authentication process.
Description of the drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously the drawings described below are only embodiments of the invention; a person of ordinary skill in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a flow chart of the wireless terminal authentication method disclosed by the invention;
Fig. 2 is a flow chart of the wireless terminal authentication method disclosed in embodiment one of the invention;
Fig. 3 is a flow chart of the deviation-deletion processing disclosed in embodiment one of the invention;
Fig. 4 is a flow chart of legal wireless terminal registration disclosed in embodiment one of the invention;
Fig. 5 is a flow chart of the outlier-deletion processing disclosed in embodiment one of the invention;
Fig. 6 is a schematic structural diagram of the wireless router disclosed by the invention.
Embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in those embodiments. Obviously the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without inventive effort fall within the scope of protection of the invention.
The invention discloses a wireless terminal authentication method whose steps, shown in Fig. 1, comprise:
Step S101: the wireless router receives an authentication request sent by a wireless terminal under test and obtains the IP address of the terminal under test;
Step S102: sends timestamp request packets to the terminal under test and receives the timestamp reply packets it returns in response;
Step S103: determines timestamp differences from the timestamp request packets and timestamp reply packets;
Step S104: calculates the clock drift value of the terminal under test from the timestamp differences using a curve-fitting algorithm;
Step S105: calculates the similarity between the clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router;
Step S106: judges from the similarity whether the terminal under test satisfies the authentication condition; if so, performs step S107, otherwise performs step S108;
Step S107: the terminal under test passes authentication;
Step S108: the terminal under test fails authentication.
In the wireless terminal authentication method disclosed above, the authentication information needed in the authentication process is derived from the clock drift value of the wireless terminal. That value is determined by the physical behaviour of the terminal's crystal oscillator; because the machining of crystal oscillators varies, even oscillators of the same batch produced on the same equipment differ in physical behaviour, so the clock drift values of individual wireless terminals differ. The authentication information derived from the clock drift value is therefore distinctive, which greatly reduces the possibility of its being forged and improves the security of the wireless terminal authentication process.
Fig. 2 shows the specific wireless terminal authentication method disclosed in embodiment one of the invention, which comprises the following steps:
Step S201: the wireless router receives an authentication request sent by a wireless terminal under test and obtains the IP address of the terminal under test.
Step S202: sends ICMP type 13 timestamp request packets (ICMP: Internet Control Message Protocol; type 13 is the timestamp request message) to the terminal under test, and receives the ICMP type 14 timestamp reply packets (type 14 is the timestamp reply message) that the terminal returns in response.
The ICMP type 13 timestamp request packets and ICMP type 14 timestamp reply packets are generated according to the Internet Control Message Protocol. Where necessary, the timestamp request packets and timestamp reply packets of the invention can instead be generated according to TCP (Transmission Control Protocol).
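The ICMP timestamp exchange of step S202, as an added example in Python (not code from the patent): the router builds a type 13 request carrying its send time in the Originate field, the terminal (simulated here so the example runs offline) answers with a type 14 reply whose Receive and Transmit fields come from its own clock, and the router pairs each request with its reply into the (t_i, T_i) sample that the later steps consume. The checksum routine is the standard Internet checksum of RFC 1071; the reading that T_i is the Receive Timestamp field reported by the terminal is an assumption, and sending the message on a raw socket is omitted.

```python
import struct
from datetime import datetime, timezone

# ICMP message types of the probe used in step S202 (RFC 792).
ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
# type(1) code(1) checksum(2) identifier(2) sequence(2) originate(4) receive(4) transmit(4)
_FMT = "!BBHHHIII"
_LEN = struct.calcsize(_FMT)          # 20 bytes, the whole message


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's-complement sum
    of the 16-bit words. Over a message whose checksum field is already filled in
    the result is 0, which is how the receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight_utc(t: datetime) -> int:
    """ICMP timestamps are 32-bit milliseconds since midnight UTC."""
    t = t.astimezone(timezone.utc)
    return ((t.hour * 60 + t.minute) * 60 + t.second) * 1000 + t.microsecond // 1000


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    """Router side: type 13 with the router's send time t_i in Originate."""
    body = struct.pack(_FMT, ICMP_TIMESTAMP_REQUEST, 0, 0, ident, seq, originate_ms, 0, 0)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def build_timestamp_reply(request: bytes, receive_ms: int, transmit_ms: int) -> bytes:
    """Terminal side, simulated here: type 14 echoing identifier, sequence and
    Originate, with Receive/Transmit filled from the terminal's own clock."""
    req = parse_timestamp_message(request)
    if req["type"] != ICMP_TIMESTAMP_REQUEST:
        raise ValueError("not a timestamp request")
    body = struct.pack(_FMT, ICMP_TIMESTAMP_REPLY, 0, 0, req["id"], req["seq"],
                       req["originate"], receive_ms, transmit_ms)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_timestamp_message(pkt: bytes) -> dict:
    """Parse a type 13/14 message, rejecting short, corrupted or foreign messages."""
    if len(pkt) < _LEN:
        raise ValueError("truncated ICMP timestamp message")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _cksum, ident, seq, orig, recv, xmit = struct.unpack(_FMT, pkt[:_LEN])
    if typ not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        raise ValueError("unexpected ICMP type %d" % typ)
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "originate": orig, "receive": recv, "transmit": xmit}


def is_valid_timestamp_message(pkt: bytes) -> bool:
    try:
        parse_timestamp_message(pkt)
        return True
    except ValueError:
        return False


def probe_sample(request: bytes, reply: bytes) -> tuple:
    """Pair a request with its reply and return (t_i, T_i): the router's send
    timestamp and the terminal's Receive timestamp (assumption: this is the
    'receive timestamp' the patent feeds into step S204). A reply whose
    identifier, sequence or Originate field does not match the request is
    rejected, so a stray or replayed reply cannot be mixed into the sample."""
    req, rep = parse_timestamp_message(request), parse_timestamp_message(reply)
    if rep["type"] != ICMP_TIMESTAMP_REPLY:
        raise ValueError("not a timestamp reply")
    if (req["id"], req["seq"], req["originate"]) != (rep["id"], rep["seq"], rep["originate"]):
        raise ValueError("reply does not match request")
    return req["originate"], rep["receive"]


if __name__ == "__main__":
    # Constructed exchange: the router sends at 12:00:00.000 UTC and the
    # terminal's clock reads 12 ms later when the probe arrives.
    t_send = ms_since_midnight_utc(datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc))
    req = build_timestamp_request(ident=0x1234, seq=1, originate_ms=t_send)
    rep = build_timestamp_reply(req, receive_ms=t_send + 12, transmit_ms=t_send + 12)
    print("request:", req.hex())
    print("reply:  ", rep.hex())
    print("(t_i, T_i) =", probe_sample(req, rep))
```

A terminal whose host firewall drops ICMP type 13 yields no sample at all, which is the situation in which the TCP-based timestamp packets the text mentions as an alternative would be needed.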
Step S203: to save time in the authentication process, the timestamp request packets and timestamp reply packets are sampled to obtain a timestamp packet sample; that is, the wireless router samples all the ICMP type 13 timestamp request packets it sent and all the ICMP type 14 timestamp reply packets it received, obtaining a timestamp packet sample made up of the sampled request packets and the sampled reply packets. To improve the accuracy of the authentication result, this timestamp packet sample is then divided into groups, forming at least two timestamp packet sub-samples.
Step S204: for each timestamp packet sub-sample, calculate the initial timestamp differences of that sub-sample from the timestamp request packets and timestamp reply packets it contains.
Each group of initial timestamp differences comprises multiple initial timestamp differences, and the number in one group may be the same as or different from the number in another group. Each initial timestamp difference consists of a send-timestamp difference and a receive-timestamp difference.
Step S205: apply deviation-deletion processing to each group of initial timestamp differences, obtaining the timestamp differences of each timestamp packet sub-sample.
Step S206: fit each group of timestamp differences with the curve-fitting algorithm, obtaining each group clock drift value of the terminal under test.
The preferred curve-fitting algorithm is the least-squares method: when the wireless router fits one group of timestamp differences by least squares it obtains a fitted straight line, and the slope of that line is the clock drift value for that group. Of course, where necessary the wireless router may instead fit each group of timestamp differences by linear programming.
Step S207: using a Gaussian distribution, calculate the similarity between each group clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router. To make the subsequent comparison and judgement convenient, these similarities are stored in a similarity matrix.
Each row of the similarity matrix holds the similarities between one group clock drift value of the terminal under test and the clock drift reference values of all the legal wireless terminals; correspondingly, each column holds the similarities between every group clock drift value of the terminal under test and the clock drift reference value of one legal wireless terminal.
Of course, when calculating the similarity the wireless router may also use some other probability distribution, such as a Poisson distribution.
Step S208: for each row of the similarity matrix, judge whether the maximum similarity in that row is greater than or equal to a maximum threshold; if so, perform step S209, otherwise perform step S210.
The preferred maximum threshold is 68.26%.
Step S209: record in an array vector the column index corresponding to the maximum similarity of that row.
Step S210: record zero in the array vector.
Step S211: the wireless router examines the data stored in the array vector and judges whether the number of occurrences of the mode of the non-zero values, as a fraction of the total number of entries, is greater than or equal to a mode-ratio threshold; if so, perform step S212, otherwise perform step S213.
The preferred mode-ratio threshold is 50%.
Step S212: the terminal under test passes authentication.
Step S213: the terminal under test fails authentication.
Suppose the wireless router obtains 7 group clock drift values of the terminal under test, denoted X1 to X7, and that 5 legal wireless terminals, denoted A to E, are registered in the router. The similarity matrix is then as shown in Table 1: its number of columns equals the total number of legal wireless terminals registered in the router, and its number of rows equals the total number of clock drift values the router finally obtains for the terminal under test.
Table 1
It can be seen from Table 1 that the maximum similarity in rows 1, 2, 3, 4, 6 and 7 is greater than 68.26%, while the maximum similarity in row 5 is less than 68.26%. According to step S208, the wireless router records in the array vector the column index corresponding to the maximum similarity of rows 1, 2, 3, 4, 6 and 7, namely 4, where column index 4 corresponds to legal wireless terminal D; the column index corresponding to the maximum of row 5 cannot be recorded, so 0 is recorded instead. The data finally held in the array vector are therefore (4, 4, 4, 4, 0, 4, 4), in which 4 is the mode. The number of occurrences of 4 as a fraction of the total number of entries in the array vector is 6/7 ≈ 85.71%, which is clearly greater than 50%, so the terminal under test is judged to pass authentication.
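The decision rule of steps S207 to S211, as an added example in Python; it is not the patent's code. The page says only that similarity is computed using a Gaussian distribution and gives no formula, so the Gaussian kernel exp(-(x - mu)^2 / (2 sigma^2)) centred on each registered terminal's reference drift with a per-terminal spread sigma is an assumption, as are the reference and drift values, which are constructed so that the votes reproduce the (4, 4, 4, 4, 0, 4, 4) vector of the worked example above. The mean-value alternative from the summary is included for comparison; its threshold is a parameter because the page states no preferred value for it.

```python
import math
from collections import Counter

# Preferred thresholds stated in the patent for steps S208 and S211.
MAX_THRESHOLD = 0.6826        # 68.26 %
MODE_RATE_THRESHOLD = 0.50    # 50 %


def gaussian_similarity(drift, ref_mean, ref_std):
    """Similarity between a measured group drift and one registered terminal's
    reference. ASSUMPTION: the patent only says 'Gaussian distribution'; here a
    Gaussian kernel centred on the reference drift is used, so the score is 1.0
    at the reference and falls off with (drift - ref_mean) / ref_std."""
    z = (drift - ref_mean) / ref_std
    return math.exp(-0.5 * z * z)


def similarity_matrix(drifts, references):
    """Step S207: row i = group drift X_i of the terminal under test,
    column j = registered legal terminal j with reference (mean, std)."""
    return [[gaussian_similarity(x, mu, sd) for mu, sd in references] for x in drifts]


def row_votes(matrix, max_threshold=MAX_THRESHOLD):
    """Steps S208 to S210: per row, record the 1-based column of the maximum
    similarity if that maximum reaches the threshold, otherwise record 0."""
    votes = []
    for row in matrix:
        best = max(range(len(row)), key=lambda j: row[j])
        votes.append(best + 1 if row[best] >= max_threshold else 0)
    return votes


def mode_rate_decision(votes, mode_rate_threshold=MODE_RATE_THRESHOLD):
    """Step S211: the mode of the non-zero votes must account for at least
    mode_rate_threshold of ALL votes (zeros stay in the denominator).
    Returns (authenticated, matched_column, ratio)."""
    nonzero = [v for v in votes if v != 0]
    if not nonzero:                       # no row reached the maximum threshold
        return False, 0, 0.0
    mode, count = Counter(nonzero).most_common(1)[0]
    ratio = count / len(votes)
    return ratio >= mode_rate_threshold, mode, ratio


def mean_value_decision(matrix, mean_threshold):
    """Alternative rule from the summary: average each column and pass if the
    largest column mean reaches mean_threshold (the page gives no preferred value).
    Returns (authenticated, column, mean)."""
    n_cols = len(matrix[0])
    means = [sum(row[j] for row in matrix) / len(matrix) for j in range(n_cols)]
    j = max(range(n_cols), key=lambda k: means[k])
    return means[j] >= mean_threshold, j + 1, means[j]


def authenticate(drifts, references):
    """Whole decision for one terminal under test:
    (authenticated, matched column, mode ratio, array vector)."""
    votes = row_votes(similarity_matrix(drifts, references))
    return mode_rate_decision(votes) + (votes,)


# Constructed data (not from the patent): 5 registered terminals A..E as
# (reference drift, spread) and 7 group drifts X1..X7 of the terminal under test,
# chosen so that group 5 is a bad measurement. Units are arbitrary (say ppm).
REFERENCES = [(10.0, 2.0), (25.0, 2.0), (40.0, 2.0), (55.0, 2.0), (70.0, 2.0)]
DRIFTS = [55.5, 54.8, 55.2, 56.0, 59.0, 55.1, 54.6]

if __name__ == "__main__":
    ok, col, ratio, votes = authenticate(DRIFTS, REFERENCES)
    name = "ABCDE"[col - 1] if col else "none"
    print("array vector:", votes, "-> mode", col, "(terminal %s)" % name)
    print("mode ratio %.2f%%, authenticated: %s" % (100 * ratio, ok))
```

Note that a terminal far from every registered reference produces an all-zero array vector; the mode of an empty set is undefined, so that case is an explicit failure rather than an exception.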
In step S203, to reduce the complexity of sampling, the wireless router preferably samples all the ICMP type 13 timestamp request packets it sent and all the ICMP type 14 timestamp reply packets it received at equal intervals in timestamp order, for example taking one timestamp packet out of every ten. If the router collected 1000 timestamp packets before sampling, the timestamp packet sample obtained after sampling contains 100 timestamp packets, where one timestamp packet consists of one ICMP type 13 timestamp request packet and the corresponding ICMP type 14 timestamp reply packet. Of course, when the duration of the authentication process is not a concern, the ICMP type 13 timestamp request packets and ICMP type 14 timestamp reply packets need not be sampled at all. Likewise, to reduce the complexity of grouping, the wireless router preferably divides all the timestamp packets in the timestamp packet sample into groups in timestamp order, obtaining at least two timestamp packet sub-samples; and to shorten the authentication process further, the timestamp packet sample need not be grouped at all.
Of course, the wireless router may also first group all the sent ICMP type 13 timestamp request packets and all the received ICMP type 14 timestamp reply packets into several groups of timestamp packets, and then sample all the timestamp packets in each group, obtaining several timestamp packet sub-samples.
In step S204, the send-timestamp difference is obtained as $t_i - t_1$ and the receive-timestamp difference as $(T_i - T_1) - (t_i - t_1)$, where $t_i$ is the send timestamp of the $i$-th timestamp request packet in a timestamp packet sub-sample, $t_1$ is the send timestamp of the 1st timestamp request packet in that sub-sample, $T_i$ is the receive timestamp of the $i$-th timestamp reply packet in that sub-sample, and $T_1$ is the receive timestamp of the 1st timestamp reply packet in that sub-sample.
In step S205, wireless router needs to carry out deviation delete processing to each group initial time stamp difference respectively, and refer to Fig. 3, the process of this deviation delete processing comprises the following steps:
Step 3001: wireless router deletes the time tolerance meeting extreme value filter condition in each group initial time stamp difference, obtains the first filter time tolerance;
Step 3002: wireless router deletes the time tolerance meeting level and smooth filter condition in the first filter time tolerance, obtains the time tolerance of each group time stamp data bag small sample.
Preferred extreme value filter condition is:
O>0.5N or o<-0.5N,
Wherein, o is the time of reception stamp difference in each group time tolerance, and N is total number of the time tolerance in each group time tolerance.The object arranging extreme value filter condition is to get rid of maximum value or minimum value a small amount of in each group time of reception stamp difference, greatly reducing the harmful effect of these maximum value or minimum values to clock drift value computational accuracy.
Preferred level and smooth filter condition, comprise the first level and smooth filter condition and the second level and smooth filter condition, wireless router deletes the time tolerance meeting the first level and smooth filter condition in the first filter time tolerance, obtain the second filter time tolerance, wireless router deletes the time tolerance meeting the second level and smooth filter condition in the second filter time tolerance, obtains the time tolerance of each group time stamp data bag small sample.The object arranging level and smooth filter condition is to make the standard deviation of the stamp of the time of reception after level and smooth filtration treatment difference diminish, thus makes the distribution of time tolerance more level and smooth, and this is conducive to the accuracy and the stability that improve clock drift value.
A preferred first smoothing filter condition is:
o_1 > Mean_1 + 2*Std_1 or o_1 < Mean_1 - 2*Std_1,
where o_1 is a receive-timestamp difference in the first-filtered timestamp differences, Mean_1 is the mean of the receive-timestamp differences in the first-filtered timestamp differences, and Std_1 is their standard deviation.
A preferred second smoothing filter condition is:
o_2 > Mean_2 + 2*Std_2 or o_2 < Mean_2 - 2*Std_2,
where o_2 is a receive-timestamp difference in the second-filtered timestamp differences, Mean_2 is the mean of the receive-timestamp differences in the second-filtered timestamp differences, and Std_2 is their standard deviation.
When performing deviation deletion processing, the wireless router may also first delete the timestamp differences meeting the smoothing filter condition and then delete those meeting the extreme-value filter condition, or delete only those meeting the extreme-value filter condition, or delete only those meeting the smoothing filter condition.
In step S207, as shown in Fig. 4, the registration process of a legal wireless terminal comprises:
Step S4001: the wireless terminal to be registered sends a registration request to the wireless router; when the wireless terminal to be registered meets a preset registration condition, it is determined to be a legal wireless terminal;
Step S4002: the MAC address of the legal wireless terminal is written into the wireless router;
Step S4003: the legal wireless terminal connects to the wireless router, and the wireless router obtains the IP address of the legal wireless terminal;
Step S4004: the wireless router sends legal timestamp request packets to the legal wireless terminal; the legal wireless terminal responds to the legal timestamp request packets and returns legal timestamp reply packets to the wireless router;
Step S4005: the wireless router determines the legal timestamp differences of the legal wireless terminal from the legal timestamp request packets and the legal timestamp reply packets;
Step S4006: the wireless router groups the legal timestamp differences, determining each group of legal timestamp differences of the legal wireless terminal;
Step S4007: the wireless router applies the curve fitting algorithm to each group of legal timestamp differences, determining each group of legal clock drift values of the legal wireless terminal;
Step S4008: the wireless router performs outlier deletion processing on each group of legal clock drift values, determining the clock drift reference value of the legal wireless terminal;
Step S4009: the wireless router writes the above MAC address and clock drift reference value into the wireless router, completing the registration of the legal wireless terminal.
Here, a legal timestamp request packet is a timestamp request packet that the wireless router sends to a legal wireless terminal, a legal timestamp reply packet is a timestamp reply packet that a legal wireless terminal returns to the wireless router, a legal timestamp difference is a timestamp difference of a legal wireless terminal determined by the wireless router, and a legal clock drift value is a clock drift value of a legal wireless terminal determined by the wireless router.
In step S4008 the wireless router performs outlier deletion processing on each group of legal clock drift values in order to ensure the accuracy of the clock drift reference value obtained during registration; of course, when the time taken by registration needs to be reduced, the wireless router may also omit the outlier deletion processing.
Referring to Fig. 5, the process by which the wireless router performs outlier deletion processing on each group of legal clock drift values comprises:
Step S5001: the wireless router deletes, from each group of legal clock drift values, the legal clock drift values that meet the extreme-value exception condition, obtaining the first-filtered legal clock drift values;
Step S5002: the wireless router deletes, from the first-filtered legal clock drift values, those that meet the first deviation exclusion condition, obtaining the second-filtered legal clock drift values;
Step S5003: the wireless router deletes, from the second-filtered legal clock drift values, those that meet the second deviation exclusion condition, obtaining the third-filtered legal clock drift values;
Step S5004: the wireless router calculates the mean and standard deviation of the third-filtered legal clock drift values, obtaining the clock drift reference value.
A preferred extreme-value exception condition is:
K > 10^-3 or K < -10^-3,
where K is a legal clock drift value of the legal wireless terminal. The purpose of the extreme-value exception condition is to exclude excessively large or small clock drift values; such values are caused by delays due to operating-system process scheduling, by instability of the wireless signal, or by other unpredictable factors, so these abnormal clock drift values need to be filtered out by the extreme-value exception condition.
A preferred first deviation exclusion condition is:
K_1 > Mean_k1 + 2*Std_k1 or K_1 < Mean_k1 - 2*Std_k1,
where K_1 is a legal clock drift value in the first-filtered legal clock drift values, Mean_k1 is the mean of the first-filtered legal clock drift values, and Std_k1 is their standard deviation.
A preferred second deviation exclusion condition is:
Std_k2 > 10^-5 and K_2 > Mean_k2 + 10^-5,
or
Std_k2 > 10^-5 and K_2 < Mean_k2 - 10^-5,
where K_2 is a legal clock drift value in the second-filtered legal clock drift values, Mean_k2 is the mean of the second-filtered legal clock drift values, and Std_k2 is their standard deviation.
The purpose of the first and second deviation exclusion conditions is to reduce the standard deviation of the clock drift values that remain after deviation exclusion, which helps improve the accuracy of the clock drift reference value.
Of course, when performing outlier deletion processing, the wireless router may also first delete the legal clock drift values meeting the first or second deviation exclusion condition and then delete those meeting the extreme-value exception condition, or delete only those meeting the extreme-value exception condition, or delete only those meeting the first or second deviation exclusion condition.
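The deviation deletion of Fig. 3 (steps 3001 and 3002) and the outlier deletion of Fig. 5 (steps S5001 to S5004) are shown together below as one added example; it is not code from the patent. It assumes that the "curve fitting algorithm" is a least-squares line through (send time, timestamp difference) pairs whose slope is the clock drift value, that "standard deviation" means the population standard deviation, and that the clock drift reference value consists of the mean and standard deviation of the retained values. The sample groups are constructed, with one delayed reply injected into each group to show which filter removes it.

```python
"""Deviation deletion (Fig. 3) and outlier deletion (Fig. 5) of CN104394180A.

Added illustration, not the patent's own code. Assumptions: least-squares slope
as the curve fitting algorithm, population standard deviation, and a reference
value made of (mean, std) of the retained clock drift values.
"""
import random
import statistics
from typing import List, Tuple

Pair = Tuple[float, float]      # (send time in seconds, receive-timestamp difference o)

EXTREME_DRIFT = 1e-3            # extreme-value exception condition: K > 10^-3 or K < -10^-3
SECOND_DEVIATION = 1e-5         # second deviation exclusion condition: Std_k2 > 10^-5, |K_2 - Mean_k2| > 10^-5


def extreme_value_filter(group: List[Pair]) -> List[Pair]:
    """Step 3001: delete differences with o > 0.5*N or o < -0.5*N, N = size of the group."""
    n = len(group)
    return [(t, o) for t, o in group if -0.5 * n <= o <= 0.5 * n]


def two_sigma_filter(group: List[Pair]) -> List[Pair]:
    """Delete differences outside Mean +/- 2*Std (first and second smoothing filter conditions)."""
    if len(group) < 2:
        return list(group)
    values = [o for _, o in group]
    mean, std = statistics.fmean(values), statistics.pstdev(values)
    return [(t, o) for t, o in group if mean - 2 * std <= o <= mean + 2 * std]


def deviation_delete(group: List[Pair]) -> List[Pair]:
    """Fig. 3: extreme-value filter, then the two smoothing filters applied in succession."""
    return two_sigma_filter(two_sigma_filter(extreme_value_filter(group)))


def fit_clock_drift(group: List[Pair]) -> float:
    """Least-squares slope of o against t (assumed form of the curve fitting algorithm)."""
    times = [t for t, _ in group]
    diffs = [o for _, o in group]
    mt, mo = statistics.fmean(times), statistics.fmean(diffs)
    sxx = sum((t - mt) ** 2 for t in times)
    sxy = sum((t - mt) * (o - mo) for t, o in group)
    return sxy / sxx


def outlier_delete(drifts: List[float]) -> List[float]:
    """Fig. 5, steps S5001-S5003, applied to one terminal's per-group clock drift values."""
    # S5001: extreme-value exception condition
    first = [k for k in drifts if -EXTREME_DRIFT <= k <= EXTREME_DRIFT]
    if len(first) < 2:
        return first
    # S5002: first deviation exclusion condition, outside Mean_k1 +/- 2*Std_k1
    mean1, std1 = statistics.fmean(first), statistics.pstdev(first)
    second = [k for k in first if mean1 - 2 * std1 <= k <= mean1 + 2 * std1]
    # S5003: second deviation exclusion condition, only active when Std_k2 > 10^-5
    if len(second) < 2 or statistics.pstdev(second) <= SECOND_DEVIATION:
        return second
    mean2 = statistics.fmean(second)
    return [k for k in second if mean2 - SECOND_DEVIATION <= k <= mean2 + SECOND_DEVIATION]


def clock_drift_reference(drifts: List[float]) -> Tuple[float, float]:
    """S5004: mean and standard deviation of the retained values form the reference value."""
    kept = outlier_delete(drifts)
    return statistics.fmean(kept), statistics.pstdev(kept)


def register(groups: List[List[Pair]]) -> Tuple[float, float]:
    """Steps S4007-S4008: fit each group after deviation deletion, then derive the reference value."""
    return clock_drift_reference([fit_clock_drift(deviation_delete(g)) for g in groups])


def make_group(drift: float, size: int, rng: random.Random) -> List[Pair]:
    """Constructed sample: drift*t plus jitter, with one scheduling-delay spike injected."""
    group = [(float(t), drift * t + rng.gauss(0.0, 2e-6)) for t in range(size)]
    spike = rng.randrange(size)
    group[spike] = (float(spike), group[spike][1] + 5e-3)   # a delayed reply, far off the line
    return group


if __name__ == "__main__":
    rng = random.Random(1)
    groups = [make_group(1.2e-5, 40, rng) for _ in range(8)]
    print("clock drift reference (mean, std):", register(groups))
```

Note that with the page's stated threshold of 0.5N the extreme-value filter on timestamp differences only bites for very large differences; in the constructed data it is the first 2-sigma smoothing pass that removes the injected 5 ms spike, which is why the smoothing conditions matter for the stability of the fitted slope.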
In the wireless terminal authentication method disclosed in embodiment one, after receiving the timestamp reply packets returned by the tested wireless terminal, the wireless router can sample and group all the timestamp packets finally obtained, thereby reducing the time required for the authentication process; in addition, before calculating the clock drift value, the wireless router can perform deviation deletion processing on the initial timestamp differences, improving the accuracy and stability of the clock drift values calculated subsequently.
To simplify the authentication process of the wireless terminal further, the process by which the wireless router of embodiment one judges whether the tested wireless terminal meets the authentication condition is optimized below, giving embodiment two and embodiment three.
In embodiment two, the process by which the wireless router judges whether the tested wireless terminal meets the authentication condition is:
the wireless router calculates the median of the similarities in each row of the similarity matrix separately and judges whether the maximum of these medians is greater than or equal to the median threshold; if so, the tested wireless terminal passes authentication, otherwise the tested wireless terminal fails authentication.
A preferred median threshold is 68.26%.
In the similarity matrix shown in Table 1, the medians of the similarities in the first to third rows are approximately 0, the median of the fourth row is 94.263% and the median of the fifth row is 5.7569%, so the maximum of these medians is 94.263%, which is greater than 68.26%; the tested wireless terminal is therefore judged to pass authentication.
In the wireless terminal authentication method disclosed in embodiment two, the wireless router authenticates the tested wireless terminal according to the median of the similarities in each row of the similarity matrix, and finally only needs to judge whether the maximum of these medians is greater than or equal to the median threshold to complete the authentication of the tested wireless terminal, which simplifies the judging process and improves authentication efficiency.
In embodiment three, the process by which the wireless router judges whether the tested wireless terminal meets the authentication condition is:
the wireless router calculates the mean of the similarities in each row of the similarity matrix separately and judges whether the maximum of these means is greater than or equal to the mean threshold; if so, the tested wireless terminal passes authentication, otherwise the tested wireless terminal fails authentication.
A preferred mean threshold is 68.26%.
In the similarity matrix shown in Table 1, the means of the similarities in the first to third rows are approximately 0, the mean of the fourth row is 85.32% and the mean of the fifth row is 7.77%, so the maximum of these means is 85.32%, which is greater than 68.26%; the tested wireless terminal is therefore judged to pass authentication.
Compared with embodiment two, in the wireless terminal authentication method disclosed in this embodiment the wireless router authenticates the tested wireless terminal according to the mean of the similarities in each row of the similarity matrix; because calculating the mean of one row requires only addition and division, with no complicated comparisons of numerical magnitude, the authentication process of the tested wireless terminal is simplified further and authentication efficiency is improved.
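The three decision rules applied to the similarity matrix, the median rule of embodiment two, the mean rule of embodiment three and the row-maximum mode rule of claim 7, are shown below as one added example; it is not code from the patent, and Table 1 is not reproduced on this page, so the matrix is constructed. The matrix is oriented as claim 7 uses it: each row is one group of clock drift values of the tested terminal and each column one registered legal terminal, so the per-terminal statistics of embodiments two and three are column statistics here. The row-maximum threshold and the mode rate threshold of claim 7 are not given on the page; the values 0.5 and 68.26% below are assumptions.

```python
"""Authentication decisions on the similarity matrix (embodiments two and three, claim 7).

Added illustration, not the patent's own code. SIMILARITY_MATRIX is constructed:
rows are groups of clock drift values of the tested terminal, columns are the
registered legal terminals, entries are similarities in [0, 1].
"""
import statistics
from collections import Counter
from typing import List, Optional, Tuple

MEDIAN_THRESHOLD = 0.6826      # preferred median threshold, 68.26%
MEAN_THRESHOLD = 0.6826        # preferred mean threshold, 68.26%
ROW_MAX_THRESHOLD = 0.5        # assumed value for the 'maximum threshold' of claim 7
MODE_RATE_THRESHOLD = 0.6826   # assumed value for the 'mode rate threshold' of claim 7

# Constructed sample: 6 groups x 5 registered terminals; the 4th terminal is the true match.
SIMILARITY_MATRIX = [
    [0.00, 0.01, 0.00, 0.95, 0.05],
    [0.00, 0.00, 0.00, 0.93, 0.06],
    [0.01, 0.00, 0.00, 0.20, 0.08],   # a noisy group with no strong match
    [0.00, 0.00, 0.02, 0.96, 0.04],
    [0.00, 0.00, 0.00, 0.94, 0.07],
    [0.00, 0.00, 0.00, 0.91, 0.05],
]

Decision = Tuple[bool, Optional[int], float]   # (passed, 0-based index of best terminal, statistic)


def _columns(matrix: List[List[float]]) -> List[List[float]]:
    return [list(col) for col in zip(*matrix)]


def _best(values: List[float]) -> int:
    return max(range(len(values)), key=values.__getitem__)


def authenticate_by_median(matrix: List[List[float]], threshold: float = MEDIAN_THRESHOLD) -> Decision:
    """Embodiment two: the largest per-terminal median similarity must reach the median threshold."""
    medians = [statistics.median(col) for col in _columns(matrix)]
    best = _best(medians)
    return medians[best] >= threshold, best, medians[best]


def authenticate_by_mean(matrix: List[List[float]], threshold: float = MEAN_THRESHOLD) -> Decision:
    """Embodiment three: the largest per-terminal mean similarity must reach the mean threshold."""
    means = [statistics.fmean(col) for col in _columns(matrix)]
    best = _best(means)
    return means[best] >= threshold, best, means[best]


def authenticate_by_mode(matrix: List[List[float]],
                         row_threshold: float = ROW_MAX_THRESHOLD,
                         rate_threshold: float = MODE_RATE_THRESHOLD) -> Decision:
    """Claim 7: per row, record the 1-based column of the row maximum when it reaches
    row_threshold, otherwise record 0; pass when the mode of the nonzero entries
    accounts for at least rate_threshold of all entries in the vector."""
    vector = []
    for row in matrix:
        best = _best(row)
        vector.append(best + 1 if row[best] >= row_threshold else 0)
    nonzero = [v for v in vector if v]
    if not nonzero:
        return False, None, 0.0          # no group resembled any registered terminal
    mode, count = Counter(nonzero).most_common(1)[0]
    rate = count / len(vector)
    return rate >= rate_threshold, mode - 1, rate


if __name__ == "__main__":
    for rule in (authenticate_by_median, authenticate_by_mean, authenticate_by_mode):
        passed, terminal, stat = rule(SIMILARITY_MATRIX)
        print(f"{rule.__name__}: passed={passed} terminal={terminal} statistic={stat:.4f}")
```

The noisy third group illustrates the difference between the rules: it barely lowers the column median (embodiment two), it drags the column mean down more noticeably (embodiment three), and under claim 7 it contributes a zero to the vector, which reduces the mode ratio without changing which terminal is chosen.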
Based on the above wireless terminal authentication method, the present invention also discloses a wireless router whose structure, shown in Fig. 6, includes an acquisition module 61, a clock drift value calculation module 62, a terminal authentication module 63 and a storage module 64.
The acquisition module 61 receives the authentication request sent by the tested wireless terminal, obtains the IP address of the tested wireless terminal, sends timestamp request packets to the tested wireless terminal, receives the timestamp reply packets returned by the tested wireless terminal in response, and determines the timestamp differences from the timestamp request packets and timestamp reply packets;
the clock drift value calculation module 62 calculates the clock drift value of the tested wireless terminal from the above timestamp differences using the curve fitting algorithm;
the terminal authentication module 63 calculates the similarity between the clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router and judges, according to the similarity, whether the tested wireless terminal meets the authentication condition; if so, the tested wireless terminal passes authentication, otherwise the tested wireless terminal fails authentication;
the storage module 64 stores the clock drift reference value of each registered legal wireless terminal.
The acquisition module 61 further includes a preprocessing module 611 for performing deviation deletion processing on the initial timestamp differences; for the specific deviation deletion processing, refer to Fig. 3. In addition, before the terminal authentication module 63 performs the similarity calculation, the storage module 64 has already stored the clock drift reference values obtained by the legal wireless terminals during registration. To carry out the registration of legal wireless terminals and the calculation of the clock drift reference values, the wireless router accordingly further includes a terminal registration module 65 for calculating the clock drift reference value and registering the legal wireless terminal; for the specific registration process, refer to Fig. 4.
The invention also discloses a wireless terminal authentication system comprising a tested wireless terminal and a wireless router.
The tested wireless terminal sends an authentication request to the wireless router, responds to the timestamp request packets the wireless router sends to it, and returns timestamp reply packets to the wireless router;
the wireless router receives the authentication request sent by the tested wireless terminal, obtains the IP address of the tested wireless terminal, sends timestamp request packets to the tested wireless terminal, receives the timestamp reply packets returned by the tested wireless terminal in response, and determines the timestamp differences from the timestamp request packets and timestamp reply packets; calculates the clock drift value of the tested wireless terminal from the above timestamp differences using the curve fitting algorithm; calculates the similarity between the clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router and judges, according to the similarity, whether the tested wireless terminal meets the authentication condition; if so, the tested wireless terminal passes authentication, otherwise the tested wireless terminal fails authentication. The clock drift reference values are stored in the wireless router in advance.
The wireless router may also perform deviation deletion processing on the initial timestamp differences (for the specific process, refer to Fig. 3), and may further register legal wireless terminals (for the specific registration process, refer to Fig. 4).
In the wireless terminal authentication system disclosed in the embodiments of the present application, the authentication information required by the wireless terminal authentication process is derived from the clock drift value of the wireless terminal. The clock drift value of a wireless terminal is determined by the physical behaviour of its crystal oscillator; because the machining process of crystal oscillators is not perfectly uniform, even oscillators from the same batch made on the same machining equipment differ in physical behaviour, so the clock drift values of individual wireless terminals differ. The authentication information derived from the clock drift value of a wireless terminal is therefore distinctly unique, which greatly reduces the possibility of the authentication information being forged and improves the security of the wireless terminal authentication process.
It should be noted that the embodiments in this specification are described in a progressive manner, each embodiment focusing on its differences from the others, and the same or similar parts of the embodiments may be referred to one another.
Finally, it should also be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
The wireless terminal authentication method, wireless router and system provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principle and implementation of the present invention, and the description of the above embodiments serves only to help understand the method of the present invention and its core idea; at the same time, a person of ordinary skill in the art, following the idea of the present invention, will make changes in the specific implementation and scope of application. In summary, the contents of this description should not be construed as limiting the present invention.

Claims (10)

1. A wireless terminal authentication method, characterized in that it comprises the following steps:
Step 101: a wireless router receives an authentication request sent by a tested wireless terminal, obtains the IP address of the tested wireless terminal, sends timestamp request packets to the tested wireless terminal, receives the timestamp reply packets returned by the tested wireless terminal in response, and determines timestamp differences from the timestamp request packets and the timestamp reply packets;
Step 102: according to the timestamp differences, the clock drift value of the tested wireless terminal is calculated using a curve fitting algorithm;
Step 103: the similarity between the clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router is calculated separately, and whether the tested wireless terminal meets an authentication condition is judged according to the similarity; if so, the tested wireless terminal passes authentication, otherwise the tested wireless terminal fails authentication.
2. The wireless terminal authentication method according to claim 1, characterized in that in step 101, after the wireless router receives the timestamp reply packets returned by the tested wireless terminal in response, the method further comprises:
the wireless router samples the timestamp request packets and the timestamp reply packets, obtaining a timestamp packet sample;
the wireless router groups the timestamp packet sample, obtaining at least two groups of timestamp packet small samples.
3. The wireless terminal authentication method according to claim 2, characterized in that in step 101 the step in which the wireless router determines the timestamp differences comprises:
the wireless router calculates, from the timestamp request packets and timestamp reply packets in each group of timestamp packet small samples, the corresponding initial timestamp differences of each group of timestamp packet small samples;
the wireless router performs deviation deletion processing on each group of initial timestamp differences separately, obtaining the corresponding timestamp differences of each group of timestamp packet small samples.
4. The wireless terminal authentication method according to claim 3, characterized in that step 102 comprises: the wireless router fits each group of timestamp differences separately using the curve fitting algorithm, obtaining the corresponding clock drift value of each group for the tested wireless terminal.
5. The wireless terminal authentication method according to claim 4, characterized in that in step 103 the process in which the wireless router calculates the similarity between the clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router comprises: the wireless router uses a Gaussian distribution to calculate, separately, the similarity between each group's clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router.
6. The wireless terminal authentication method according to claim 5, characterized in that in step 103, after the wireless router calculates the similarity between the clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router, the method further comprises: the wireless router stores the similarity values in a similarity matrix, where the values of each row of the similarity matrix are the similarities between each group's clock drift value of the tested wireless terminal and the clock drift reference value of one legal wireless terminal, and the values of each column of the similarity matrix are the similarities between one group's clock drift value of the tested wireless terminal and the clock drift reference value of each legal wireless terminal.
7. The wireless terminal authentication method according to claim 6, characterized in that in step 103 the process in which the wireless router judges, according to the similarity, whether the tested wireless terminal meets the authentication condition comprises:
the wireless router judges, for each row of the similarity matrix, whether the maximum similarity of that row is greater than or equal to a maximum threshold; if so, the column number corresponding to the maximum is recorded in an array vector, otherwise zero is recorded in the array vector;
the wireless router examines the data stored in the array vector and judges whether the ratio of the number of occurrences of the mode of the nonzero values to the total number of data items is greater than or equal to a mode rate threshold; if so, the tested wireless terminal passes authentication, otherwise the tested wireless terminal fails authentication.
8. The wireless terminal authentication method according to claim 6, characterized in that in step 103 the process in which the wireless router judges, according to the similarity, whether the tested wireless terminal meets the authentication condition comprises:
the wireless router calculates the mean of the similarities in each row of the similarity matrix separately and judges whether the maximum of these means is greater than or equal to a mean threshold; if so, the tested wireless terminal passes authentication, otherwise the tested wireless terminal fails authentication.
9. A wireless router, characterized in that it comprises:
an acquisition module for receiving an authentication request sent by a tested wireless terminal, obtaining the IP address of the tested wireless terminal, sending timestamp request packets to the tested wireless terminal, receiving the timestamp reply packets returned by the tested wireless terminal in response, and determining timestamp differences from the timestamp request packets and the timestamp reply packets;
a clock drift value calculation module for calculating the clock drift value of the tested wireless terminal from the timestamp differences;
a terminal authentication module for calculating, separately, the similarity between the clock drift value and the clock drift reference value of each legal wireless terminal registered in the wireless router, and judging according to the similarity whether the tested wireless terminal meets an authentication condition; if so, the tested wireless terminal passes authentication, otherwise the tested wireless terminal fails authentication;
a storage module for storing the clock drift reference value of each registered legal wireless terminal.
10. A wireless terminal authentication system comprising a tested wireless terminal, characterized in that it further comprises the wireless router according to claim 9.
CN201410798321.0A 2014-12-18 2014-12-18 A kind of wireless terminal authentication method, wireless router and system Expired - Fee Related CN104394180B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410798321.0A CN104394180B (en) 2014-12-18 2014-12-18 A kind of wireless terminal authentication method, wireless router and system

Publications (2)

Publication Number Publication Date
CN104394180A true CN104394180A (en) 2015-03-04
CN104394180B CN104394180B (en) 2017-09-19

Family

ID=52612015

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410798321.0A Expired - Fee Related CN104394180B (en) 2014-12-18 2014-12-18 A kind of wireless terminal authentication method, wireless router and system

Country Status (1)

Country Link
CN (1) CN104394180B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104869117A (en) * 2015-05-14 2015-08-26 杭州华三通信技术有限公司 Safety authentication method and device
CN106254370A (en) * 2016-08-30 2016-12-21 成都源知信息技术有限公司 A kind of network equipment fingerprint generation method and detecting devices
CN106375301A (en) * 2016-08-30 2017-02-01 成都源知信息技术有限公司 Network device authentication method and device
CN106789995A (en) * 2016-12-11 2017-05-31 北京坤腾畅联科技有限公司 Router identification discrimination method and terminal device based on clock skew feature
CN107547307A (en) * 2017-07-28 2018-01-05 新华三技术有限公司 A kind of time parameter determines method and device
CN107888615A (en) * 2017-12-01 2018-04-06 郑州云海信息技术有限公司 A kind of safety certifying method of Node registry

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895886A (en) * 2009-05-22 2010-11-24 南京中兴软件有限责任公司 Method and device for selecting access point
CN102377620A (en) * 2011-12-09 2012-03-14 浙江大学 Method for detecting broadband private connection based on open system interconnection (OSI) transmission layer timestamp
CN102572780A (en) * 2012-01-12 2012-07-11 广东盛路通信科技股份有限公司 Method for automatically registering wireless terminal by utilizing physical characteristics
CN102868529A (en) * 2012-08-31 2013-01-09 飞天诚信科技股份有限公司 Method for identifying and calibrating time

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104869117A (en) * 2015-05-14 2015-08-26 杭州华三通信技术有限公司 Safety authentication method and device
CN104869117B (en) * 2015-05-14 2018-08-24 新华三技术有限公司 A kind of safety certifying method and device
CN106254370A (en) * 2016-08-30 2016-12-21 成都源知信息技术有限公司 A kind of network equipment fingerprint generation method and detecting devices
CN106375301A (en) * 2016-08-30 2017-02-01 成都源知信息技术有限公司 Network device authentication method and device
CN106375301B (en) * 2016-08-30 2020-01-03 成都源知信息技术有限公司 Network equipment authentication method and authentication equipment
CN106789995A (en) * 2016-12-11 2017-05-31 北京坤腾畅联科技有限公司 Router identification discrimination method and terminal device based on clock skew feature
CN107547307A (en) * 2017-07-28 2018-01-05 新华三技术有限公司 A kind of time parameter determines method and device
CN107547307B (en) * 2017-07-28 2021-04-30 新华三技术有限公司 Time parameter determination method and device
CN107888615A (en) * 2017-12-01 2018-04-06 郑州云海信息技术有限公司 A kind of safety certifying method of Node registry
CN107888615B (en) * 2017-12-01 2021-07-02 郑州云海信息技术有限公司 Safety authentication method for node registration

Also Published As

Publication number Publication date
CN104394180B (en) 2017-09-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170919

Termination date: 20191218