CN105553981B - A kind of wlan network rapid authentication and cryptographic key negotiation method - Google Patents

A kind of wlan network rapid authentication and cryptographic key negotiation method Download PDF

Info

Publication number
CN105553981B
CN105553981B CN201510949601.1A CN201510949601A CN105553981B CN 105553981 B CN105553981 B CN 105553981B CN 201510949601 A CN201510949601 A CN 201510949601A CN 105553981 B CN105553981 B CN 105553981B
Authority
CN
China
Prior art keywords
sqn
mobile terminal
ssid
access point
mac
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510949601.1A
Other languages
Chinese (zh)
Other versions
CN105553981A (en
Inventor
曾勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CHENGDU 30RUITONG MOBILE COMMUNICATION Co Ltd
Original Assignee
CHENGDU 30RUITONG MOBILE COMMUNICATION Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CHENGDU 30RUITONG MOBILE COMMUNICATION Co Ltd filed Critical CHENGDU 30RUITONG MOBILE COMMUNICATION Co Ltd
Priority to CN201510949601.1A priority Critical patent/CN105553981B/en
Publication of CN105553981A publication Critical patent/CN105553981A/en
Application granted granted Critical
Publication of CN105553981B publication Critical patent/CN105553981B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a kind of wlan network rapid authentication and cryptographic key negotiation methods.In this method, mobile terminal and wireless access point share WLAN initial key, when mobile terminal application accesses wireless network, mobile terminal and access point are based on symmetric cryptographic algorithm and realize quick two-way authentication, session key when intercommunication is derived, simultaneously to realize the secure accessing of WLAN and data encryption feature of eating dishes without rice or wine.The present invention is without certificate server and X.509 certificate mechanism realizes the quick two-way authentication of mobile terminal Yu SSID access point, has the characteristics that safe and efficient, the suitable WLAN application scenarios for having strict demand to safety and turn-on time.

Description

A kind of wlan network rapid authentication and cryptographic key negotiation method
Technical field
The present invention relates to mobile communication security technology areas, and in particular to a kind of wlan network rapid authentication and key agreement Method.
Background technique
It is also faced with network unauthorized access in a wlan and wireless communication information is ravesdropping equal security threats.Therefore WLAN is mentioned The standard of user identity authentication and data encryption is gone out.
Early stage WLAN supports shared key authentication and WEP(Wired Equivalent Privacy) data encryption.But shared key authentication is not It supports two-way authentication, only supports certification of the AP to STA, therefore there is the risk of personation AP.Secondly that there is also encryption keys is long by WEP Spend (40bit) and initialization vector IV(24bit) too short problem.Furthermore the encryption key of WEP immobilizes, and has had now Software can crack easily, therefore not be very safe.
For the safety defect of WEP, IEEE has worked out the safer shielded access of standard WPA(Wi-Fi), for increasing The safety of strong wlan network.WPA provides EAP(Extensible Authentication Protocol simultaneously) it authenticates and TKIP(Temporal Key Integrity association View) data encryption.But WPA also faces some problems, and if WPA certification is needed using certificate server, it is some special to be not suitable for Application scenarios.Certification can not achieve quick authentication etc. using X.509 certificate mechanism, process complexity and inefficiency.
Above-mentioned safety approach makes WLAN be not suitable for some pairs of particular fields that authenticated time requirement is stringent, security requirement is high It closes.
Summary of the invention
To solve the above problems, the present invention provides a kind of wlan network rapid authentication and cryptographic key negotiation methods, including such as Lower step:
Step 1: mobile terminal enters access SSID access point overlay area, generates random number R 1 and sequence number SQN.
Step 2: mobile terminal is using initial key Ki to MAC_Addr | | R1 | | SQN is encrypted, and obtains E(Ki, MAC_Addr | | R1 | | SQN), SSID access point then is sent to using it as certification request, wherein MAC_Addr is mobile whole Hold MAC Address.
Step 3: SSID access point receives E(Ki, MAC_Addr | | R1 | | SQN) after, it is handled as follows:
S1. the initial key Ki of corresponding mobile terminal is searched by the MAC Address of data frame, and with Ki ciphertext data Frame obtains the value of MAC_Addr2, R1 and SQN.MAC_Addr2 is the mobile terminal MAC Address that the end SSID is decrypted.
S2. compare and receive the MAC_Addr2 that the MAC_Addr of data frame is obtained with decryption, terminate certification if not equal. Prove that mobile terminal is legal, progress step S3 if equal.
S3. this SQN decrypted is compared with previously saved SQN, is Replay Attack if equal, if not Deng then be normal certification request, carry out step S4.
For S4.SSID access point by the certification to mobile terminal, SSID access point then saves R1 and SQN, at the same generate with Machine number R2.
Step 4: the R1 that SSID access point is obtained using decryption is as key pair SSID | | R2 | | SQN is encrypted, and is obtained E(R1, SSID | | R2 | | SQN), then mobile terminal is sent to using it as certification response.
Step 5: mobile terminal receives E(R1, SSID | | R2 | | SQN) after, using R1 ciphertext data frame, obtain SSID2, The value of R2 and SQN2.
Step 5: mobile terminal receives E(R1, SSID | | R2 | | SQN) after, it is handled as follows:
S1. R1 ciphertext data frame is utilized, the value of SSID2, R2 and SQN2 are obtained, SSID2, SQN2 are that decryption obtains Value.
S2. compare and receive the SSID2 that the SSID of plaintext is obtained with decryption, certification is terminated if not equal, if equal Prove that SSID access point is legal, progress step S3.
S3. the SQN2 that more original SQN and decryption obtain terminates certification if not waiting, indicates to receive if equal The certification response arrived is corresponding with certification request, carries out step S4.
S4. R2 is recorded.
Step 6: completing two-way authentication, and mobile terminal sends confirmation message ACK to SSID access point.
Step 7: mobile terminal and SSID access point are simultaneously by R1 | | R2 derives meeting by hash function (such as SHA-1) Key SK is talked about, SQN is derived into initial vector IV by hash function (such as SHA-1).
Step 8: mobile terminal and SSID access point are encrypted using data of the SK and IV to transmission, while every encryption IV adds 1 after one frame data.
Further, mobile terminal uses AES encryption algorithm to MAC_Addr in step 2 | | R1 | | SQN is encrypted.
Further, access point uses AES encryption algorithm to SSID in step 4 | | R2 | | SQN is encrypted.
Detailed description of the invention
Fig. 1 is WLAN wireless security access system composition schematic diagram.
Fig. 2 is flow chart of the present invention.
Fig. 3 is the hierarchical structure schematic diagram of key agreement.
Specific embodiment
Design concept of the invention are as follows: as shown in Figure 1, WLAN wireless security access system is by mobile terminal and wireless access Point composition, mobile terminal realize the access to the various application servers of IP network by wireless access point.Mobile terminal and nothing Line access point shares WLAN initial key, and when mobile terminal application accesses wireless network, mobile terminal and access point are based on pair Session key when claiming the quick two-way authentication of cryptographic algorithms' implementation, while deriving intercommunication, to realize that the safety of WLAN connects Enter and data encryption feature of eating dishes without rice or wine.
Fig. 2 show flow chart of the invention.It comprises the following steps:
Step 1: mobile terminal enters access SSID access point overlay area, generates random number R 1 and sequence number SQN.This Field technical staff should be understood that sequence number is disposable.
Step 2: mobile terminal is using initial key Ki to MAC_Addr | | R1 | | SQN encrypted (can be used AES or Other symmetric encipherment algorithms), obtain E(Ki, MAC_Addr | | R1 | | SQN), then access is sent to using it as certification request Point.Wherein, MAC_Addr is MAC Address.
Step 3: SSID access point receives E(Ki, MAC_Addr | | R1 | | SQN) after, it is handled as follows:
S1. the initial key Ki of corresponding mobile terminal is searched by the MAC Address of data frame, and with Ki ciphertext data Frame obtains the value of MAC_Addr2, R1 and SQN.MAC_Addr2 is the mobile terminal MAC Address that the end SSID is decrypted.
S2. compare and receive the MAC_Addr2 that the MAC_Addr of data frame is obtained with decryption, terminate certification if not equal. Prove that mobile terminal is legal, progress step S3 if equal.
S3. this SQN decrypted is compared with previously saved SQN, is Replay Attack if equal, if not Deng then be normal certification request, carry out step S4.
For S4.SSID access point by the certification to mobile terminal, SSID access point then saves R1 and SQN, at the same generate with Machine number R2.
Step 4: the R1 that SSID access point is obtained using decryption is as key pair SSID | | R2 | | SQN is encrypted, and is obtained E(R1, SSID | | R2 | | SQN), then mobile terminal is sent to using it as certification response.KE is calculated using AES encryption or other To this Encryption Algorithm to SSID | | R2 | | SQN is encrypted.
Step 5: mobile terminal receives E(R1, SSID | | R2 | | SQN) after, it is handled as follows:
S1. R1 ciphertext data frame is utilized, the value of SSID2, R2 and SQN2 are obtained, SSID2, SQN2 are that decryption obtains Value.
S2. compare and receive the SSID2 that the SSID of plaintext is obtained with decryption, certification is terminated if not equal, if equal Prove that SSID access point is legal, progress step S3.
S3. the SQN2 that more original SQN and decryption obtain, certification is terminated if not waiting, indicates to receive if equal The certification response arrived is corresponding with certification request, carries out step S4.
S4. R2 is recorded.
Step 6: completing two-way authentication, and mobile terminal sends confirmation message ACK to SSID access point.
Step 7: mobile terminal and SSID access point are simultaneously by R1 | | R2 derives meeting by hash function (such as SHA-1) Key SK is talked about, SQN is derived into initial vector IV by hash function (such as SHA-1).
Step 8: mobile terminal and SSID access point are encrypted using data of the SK and IV to transmission, while every encryption IV adds 1 after one frame data.
The hierarchical structure of key agreement is as shown in Figure 3.Ki realizes the encipherment protection to R1.R1 realizes that the encryption to R2 is protected Shield.R1 by hash function exports SK after merging with R2.Ki realizes the encipherment protection to SQN.SQN is exported by hash function IV.SK is realized together with IV encrypts the communication data of WLAN, and one frame data IV of every encryption adds 1.
The invention has the benefit that
1. the present invention is without certificate server and X.509, certificate mechanism realizes the quick of mobile terminal and SSID access point Two-way authentication has the characteristics that safe and efficient, the suitable WLAN application scenarios for having strict demand to safety and turn-on time.
2. SSID access point can will solve in the MAC Address and data frame of the data frame received by encrypting to MAC Address The MAC Address of close extraction is compared, and can effectively resist personation mobile terminal access wlan network.
3. mobile terminal can will decrypt the SSID of extraction by encrypting to SSID in the plaintext SSID received and data frame It is compared, can effectively resist personation SSID access point and mobile terminal is cheated.
4. identification sequences SQN is randomly generated every time, Replay Attack can be effectively resisted.
5. both sides' session key temporarily generates when passing through two-way authentication, one-time pad security mechanism is realized, it is with higher Safety.
6. being used directly for WPA and WPA2 etc. by session key SK and initial vector IV derived from key agreement mechanisms In WLAN cryptographic protocol, good compatibility.

Claims (3)

1. a kind of wlan network rapid authentication and cryptographic key negotiation method, which comprises the steps of:
Step 1: mobile terminal accesses SSID access point overlay area, generates random number R 1 and sequence number SQN;
Step 2: mobile terminal is using initial key Ki to MAC_Addr | | R1 | | SQN is encrypted, and obtains E (Ki, MAC_ Addr | | R1 | | SQN), SSID access point then is sent to using it as certification request, wherein MAC_Addr is mobile terminal MAC Address;
Step 3: SSID access point receive E (Ki, MAC_Addr | | R1 | | SQN) after, be handled as follows:
S1. it searches the initial key Ki of corresponding mobile terminal by the MAC Address of data frame, and with Ki ciphertext data frame, obtains To the value of MAC_Addr2, R1 and SQN;MAC_Addr2 is the mobile terminal MAC Address that the end SSID is decrypted;
S2. compare and receive the MAC_Addr2 that the MAC_Addr of data frame is obtained with decryption, terminate certification if not equal;If It is equal, prove mobile terminal be it is legal, carry out the step S3 of step 3;
S3. this SQN decrypted is compared with previously saved SQN, is Replay Attack if equal, if not waiting For normal certification request, the step S4 of step 3 is carried out;
For S4.SSID access point by the certification to mobile terminal, SSID access point then saves R1 and SQN, while generating random number R2;
Step 4: the R1 that SSID access point is obtained using decryption is as key pair SSID | | R2 | | SQN is encrypted, and E is obtained (R1, SSID | | R2 | | SQN), then mobile terminal is sent to using it as certification response;
Step 5: mobile terminal receive E (R1, SSID | | R2 | | SQN) after, be handled as follows:
B1. R1 ciphertext data frame is utilized, the value of SSID2, R2 and SQN2 are obtained, SSID2, SQN2 are the value that decryption obtains;
B2. compare and receive the SSID2 that the SSID of plaintext is obtained with decryption, terminate certification if not equal, proved if equal SSID access point be it is legal, carry out the step S3 of step 5;
B3. the SQN2 that more original SQN and decryption obtain terminates certification if not waiting, and expression receives if equal It is corresponding with certification request to authenticate response, carries out the step S4 of step 5;
B4. R2 is recorded;
Step 6: completing two-way authentication, and mobile terminal sends confirmation message ACK to SSID access point;
Step 7: mobile terminal and SSID access point are simultaneously by R1 | | R2 derives session key SK by hash function, by SQN Initial vector IV is derived by hash function;
Step 8: mobile terminal and SSID access point are encrypted using data of the SK and IV to transmission, while one frame of every encryption IV adds 1 after data.
2. wlan network rapid authentication as described in claim 1 and cryptographic key negotiation method, which is characterized in that moved in step 2 Terminal is using AES encryption algorithm to MAC_Addr | | R1 | | SQN is encrypted.
3. wlan network rapid authentication as claimed in claim 1 or 2 and cryptographic key negotiation method, which is characterized in that in step 4 SSID access point is using AES encryption algorithm to SSID | | R2 | | SQN is encrypted.
CN201510949601.1A 2015-12-18 2015-12-18 A kind of wlan network rapid authentication and cryptographic key negotiation method Active CN105553981B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510949601.1A CN105553981B (en) 2015-12-18 2015-12-18 A kind of wlan network rapid authentication and cryptographic key negotiation method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510949601.1A CN105553981B (en) 2015-12-18 2015-12-18 A kind of wlan network rapid authentication and cryptographic key negotiation method

Publications (2)

Publication Number Publication Date
CN105553981A CN105553981A (en) 2016-05-04
CN105553981B true CN105553981B (en) 2019-03-22

Family

ID=55832917

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510949601.1A Active CN105553981B (en) 2015-12-18 2015-12-18 A kind of wlan network rapid authentication and cryptographic key negotiation method

Country Status (1)

Country Link
CN (1) CN105553981B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106375301B (en) * 2016-08-30 2020-01-03 成都源知信息技术有限公司 Network equipment authentication method and authentication equipment
CN108377495B (en) * 2016-10-31 2021-10-15 华为技术有限公司 Data transmission method, related equipment and system
CN107124724A (en) * 2017-05-24 2017-09-01 中国运载火箭技术研究院 A kind of Rare Book Use case system cross-network segment multinode network managing device
CN107302544B (en) * 2017-08-15 2019-09-13 迈普通信技术股份有限公司 Certificate request method, wireless access control equipment and wireless access point device
EP3584991A1 (en) * 2018-06-18 2019-12-25 Koninklijke Philips N.V. Device for data encryption and integrity
CN111163468A (en) * 2018-11-08 2020-05-15 北京华为数字技术有限公司 Communication connection method and device
CN109474438B (en) * 2018-12-24 2021-08-17 公安部第三研究所 Intelligent terminal access authentication method based on selective leakage
CN111800788B (en) * 2020-09-08 2021-02-02 全讯汇聚网络科技(北京)有限公司 Method, terminal and system for Wi-Fi connection management
CN112260987B (en) * 2020-09-10 2021-12-21 西安电子科技大学 Bidirectional security authentication method and system in digital content protection system
CN113573307B (en) * 2021-07-28 2024-01-30 西安热工研究院有限公司 Rapid authentication method based on extensible authentication protocol
CN117641339B (en) * 2024-01-18 2024-04-09 中国电子科技集团公司第三十研究所 System and method for fast application layer authentication and key agreement

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003077467A1 (en) * 2002-03-08 2003-09-18 Huawei Technologies Co., Ltd. The method for distributes the encrypted key in wireless lan
CN1534935A (en) * 2003-03-31 2004-10-06 华为技术有限公司 Key distribution method based on preshared key
CN102223633A (en) * 2011-07-06 2011-10-19 华为技术有限公司 Method, device and system for authenticating wireless local area network (WLAN)
CN103002442A (en) * 2012-12-20 2013-03-27 邱华 Safe wireless local area network key distribution method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003077467A1 (en) * 2002-03-08 2003-09-18 Huawei Technologies Co., Ltd. The method for distributes the encrypted key in wireless lan
CN1534935A (en) * 2003-03-31 2004-10-06 华为技术有限公司 Key distribution method based on preshared key
CN102223633A (en) * 2011-07-06 2011-10-19 华为技术有限公司 Method, device and system for authenticating wireless local area network (WLAN)
CN103002442A (en) * 2012-12-20 2013-03-27 邱华 Safe wireless local area network key distribution method

Also Published As

Publication number Publication date
CN105553981A (en) 2016-05-04

Similar Documents

Publication Publication Date Title
CN105553981B (en) A kind of wlan network rapid authentication and cryptographic key negotiation method
CN107005927B (en) Access method, device and system of User Equipment (UE)
US9392453B2 (en) Authentication
US20060094401A1 (en) Method and apparatus for authentication of mobile devices
US20090287922A1 (en) Provision of secure communications connection using third party authentication
EP2296392A1 (en) Authentication method, re-certification method and communication device
KR20120101523A (en) Secure multi-uim authentication and key exchange
Wong The evolution of wireless security in 802.11 networks: WEP, WPA and 802.11 standards
KR20080089500A (en) Authentication method, system and authentication center based on end to end communication in the mobile network
WO2014180198A1 (en) Access method, system, and device of terminal, and computer storage medium
WO2019051776A1 (en) Key transmission method and device
WO2017080136A1 (en) Key distribution and reception method, first key management center, and first network element
Kwon et al. Evolution of Wi-Fi protected access: security challenges
CN105141629A (en) Method for improving network security of public Wi-Fi based on WPA/WPA2 PSK multiple passwords
JP2000115161A (en) Method for protecting mobile object anonymity
WO2015180399A1 (en) Authentication method, device, and system
CN105591748B (en) A kind of authentication method and device
CN106992866A (en) It is a kind of based on wireless network access methods of the NFC without certificate verification
Gu et al. A green and secure authentication for the 4th generation mobile network
Moroz et al. Methods for ensuring data security in mobile standards
Yang et al. Link-layer protection in 802.11 i WLANS with dummy authentication
Jain et al. Penetration Testing of Wireless EncryptionProtocols
Liu et al. Extensible authentication protocols for IEEE standards 802.11 and 802.16
Lin et al. Performance Evaluation of the Fast Authentication Schemes in GSM-WLAN Heterogeneous Networks.
Raghavendra et al. SECURE EFFICIENT AND CERTIFICATELESS, AUTHENTICATION SCHEME FOR WIRED AND WIRELESS NETWORKS

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant