CN106330654B - A kind of radio data transmission method between virtual LAN based on WPA2-PSK - Google Patents

A kind of radio data transmission method between virtual LAN based on WPA2-PSK

Info

Publication number
CN106330654B
Authority
CN
China
Prior art keywords
access point
access
terminal
psk
simulation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610823473.0A
Other languages
Chinese (zh)
Other versions
CN106330654A (en)
Inventor
程克非
刘晓侠
林峰
唐新东
雒江涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing University of Post and Telecommunications
Original Assignee
Chongqing University of Post and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing University of Post and Telecommunications
Priority to CN201610823473.0A
Publication of CN106330654A
Application granted
Publication of CN106330654B
Legal status: Active
Anticipated expiration: legal status pending

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a wireless data transmission method between virtual LANs based on WPA2-PSK. First, the data-sender terminal obtains the authentication PSK key from the AP access point and sends a legitimate authentication request to the AP. Then the AP authorizes the data-sender terminal to access, the access terminals are divided into different virtual LANs (VLANs), and each access terminal automatically retains membership of its own VLAN segment. Next, the data-sender terminal continuously sends interference information that requires immediate processing to the AP, so that the AP cannot work normally, and at the same time starts a simulated AP. Finally, the access terminals treat the simulated AP as the new default router, re-initiate a connection and communicate stably with the simulated AP. The invention realizes direct data transmission between different VLANs without the original AP access point, unaffected by the AP's client isolation and MAC address verification.

Description

A kind of radio data transmission method between virtual LAN based on WPA2-PSK
Technical field
The present invention relates to the field of network communication technology, and more particularly to a wireless data transmission method between virtual LANs based on WPA2-PSK.
Background technique
In recent years the WPA2 "Hole 196" vulnerability has appeared. It stems from allowing all clients to use one common GTK shared group key: an authorized user can use the shared key to decrypt the data packets that the access point broadcasts encrypted with the group key. Hole 196 therefore leads to a man-in-the-middle-like attack pattern (as tested by AirTight): an internal authorized user with open-source software can decrypt other users' private data over the air, inject malicious traffic into the network and harm other authorized devices, and can thereby control traffic, launch denial-of-service attacks or sniff.
To mitigate this vulnerability and protect WPA2-PSK wireless networks, the 802.11 security expert Gast pointed out that this attack is limited in scope: the attacker needs the shared encryption key, and keys are not shared between virtual access points (also referred to as BSSIDs), so the attack can only occur among access terminals connected to the same SSID on the same AP access point. Consequently, by using the AP's client isolation, or by grouping different access terminals into different virtual VLANs, direct data transmission using the GTK shared key becomes impossible. Five VLAN division modes are currently used in networking: division by port, by MAC address, by network layer, by IP multicast group, and rule-based division. We believe these five modes can prevent direct wireless data transmission and guarantee the security of data transmission. In 2014, Chinese patent CN103905285A disclosed a method of dividing users with the same MAC address into multiple different VLANs, proposing that such users can be divided into different VLANs according to MAC address so that the different service flows of a user with the same MAC address are transmitted and exchanged in different VLANs. In 2007, Chinese patent CN101110821 disclosed a method of preventing data transmission by verifying MAC addresses. In 2015, Chinese patent CN105472622A broadcast one or more messages through a WiFi access point to one or more WiFi nodes, the messages being configured to block the WiFi nodes on the channel. Solving the problem of direct data transmission between different virtual LANs therefore has practical significance.
Summary of the invention
The object of the present invention is to provide a wireless data transmission method between virtual LANs based on WPA2-PSK. The method is based on WPA2-PSK technology and realizes direct data transmission between different virtual LANs without the original AP access point, unaffected by the AP's client isolation and MAC address verification.
The specific technical solution adopted to achieve this object is as follows:
A wireless data transmission method between virtual LANs based on WPA2-PSK:
(1) The data-sender terminal obtains the PSK pre-shared key from the AP access point and sends a legitimate authentication request to the AP.
(2) The AP authorizes the data-sender terminal to access; all access terminals are divided into different virtual LANs (VLANs), and each access terminal automatically retains membership of its own VLAN segment.
(3) The data-sender terminal continuously sends interference information that requires immediate processing to the AP, so that the AP cannot work normally, and at the same time starts a simulated AP.
(4) The access terminals treat the simulated AP as the new default router, re-initiate a connection and communicate stably with the simulated AP, realizing direct communication between access terminals in different VLANs.
Specifically, the legitimate authentication request contains the legal BSSID of the AP access point and the corresponding authentication PSK key that was obtained.
Specifically, dividing the access terminals into different VLANs is done according to the MAC address and functional attributes of each access terminal.
Specifically, the simulated AP is a wireless network card turned into a wireless router by Soft AP. The specific steps are: first enter the Soft AP settings page; then, in the "Basic" tab of the settings options, find the Network Name (SSID) item and enter the same SSID name as the original AP access point in the selection box below; after the name is set, set the same authentication access key as the original AP; then select the channel at "Channel", choosing the same channel as the original AP; the specific routing parameters of the router emulated by the network card need no modification; then, in "Access Control List", set the MAC address of the virtual router to the same MAC address as the original AP.
In the present invention the data sender makes use of the fact that a router must process every data packet it receives: by sending a large number of connection requests and data packets it prevents the default router from working normally, while re-establishing a simulated AP that keeps the MAC address of the original AP. This changes the routed path, so that data is transmitted directly between different VLANs without the original AP access point and unaffected by the AP's client isolation and MAC address verification.
Detailed description of the invention
Fig. 1 is a schematic flow diagram of the method of the invention;
Fig. 2 is a schematic diagram of the specific flow in which the data sender sends a legitimate authentication request to the AP access point;
Fig. 3 is a schematic diagram of the configuration flow of the simulated AP;
Fig. 4 is a flow diagram of interfering with the normal operation of the AP;
Fig. 5 is a flow diagram of the virtual clients sending connection requests;
Fig. 6 is a flow diagram of sending legal data packets as interference.
Specific embodiment
The present invention is further described with reference to the accompanying drawings.
As shown in Fig. 1, the specific steps of the wireless data transmission method between virtual LANs based on WPA2-PSK are:
Step 11: The data-sender terminal obtains the authentication PSK key from the AP access point and sends a legitimate authentication request to the AP.
The legitimate authentication request contains the legal BSSID of the AP and the corresponding authentication PSK key that was obtained. The data-sender terminal successfully connects to the AP and becomes one of its legitimate clients. The detailed process of the legitimate authentication request is shown in Fig. 2: the wireless terminal first configures the WPA2-PSK key for the AP. The data-sender terminal then obtains the AP's WPA2-PSK access password, initiates a connection to the AP, enters the password at the prompt and initiates an authentication request. The AP then checks the data-sender terminal's WPA2-PSK key and, if it is correct, allows the connection. If the connection is allowed, the data-sender wireless terminal replies with an authentication response confirmation, the WPA2-PSK key is transmitted and loaded, and encrypted data transmission starts between the data-sender wireless terminal and the wireless AP.
Step 12: The AP access point divides the user group into different virtual VLANs.
The AP divides the user group (including the data sender) into different VLANs according to the function and MAC address of each access terminal. Every network card has a unique MAC address, and MAC addresses belong to the data link layer, so using them as the basis for dividing VLANs is independent of the various applications at the network layer and gives a good user-based networking scheme. A VLAN formed in this way is simply a set of MAC addresses, which solves the problem of handling stations that move within the network. A VLAN divided by MAC address lets a station move from one physical location to another while automatically retaining membership of its VLAN segment; this kind of division suits small networks with few nodes, such as those of schools, enterprises and homes.
However, in order to manage many different kinds of access terminal better, it is also essential to combine this with dividing VLANs according to the function of the access terminal. The classes include ordinary client devices such as computers, laptops and mobile phones; household appliances such as televisions, air conditioners and refrigerators; and security devices such as door locks and cameras. This not only helps router management but also benefits the maintenance of the access terminals.
Step 13: Create and start a simulated AP access point that duplicates the MAC address, name, password, encryption mode and working channel of the original AP.
As shown in Fig. 3, the simulated AP is a wireless network card turned into a wireless router by Soft AP. The specific steps are: first enter the Soft AP settings page; then, in the "Basic" tab of the settings options, find the Network Name (SSID) item and enter the same SSID name as the original AP access point in the selection box below; after the name is set, set the same authentication access key as the original AP; then select the channel at "Channel", choosing the same channel as the original AP; the specific routing parameters of the router emulated by the network card need no modification; then, in "Access Control List", set the MAC address of the virtual router to the same MAC address as the original AP.
Step 14: The data-sender terminal continuously sends interference information that requires immediate processing to the AP, disrupting the AP so that it cannot work normally.
As shown in Fig. 4, the data sender, which is connected to the AP through legitimate authentication, continuously sends connection requests to the AP through virtual clients, and at the same time continuously sends the AP a large number of legal data packets that must be forwarded through it, as interference that disrupts the AP's normal working order. This is the flow of interfering with the AP's normal operation.
As shown in Fig. 5, the virtual clients continuously send connection requests to the AP. The principle is that the data sender uses randomly generated but apparently legal MAC addresses to create virtual workstations, which then send a large number of connection requests to the AP, continuously and intensely. Once the number of requests exceeds what the wireless AP can bear, errors appear in the AP's wireless connection list, and the AP also automatically disconnects the normal connections of legitimate users, so that legitimate users cannot use the wireless network normally.
As shown in Fig. 6, at the same time a large number of legal data packets that must be forwarded through the AP are continuously sent to the AP as interference. The precondition for this mode is that the data sender has legitimately accessed the AP and sends legal data packets by injection. For the AP to accept the packets, the data sender's network card must be associated with the AP; if it is not associated, the target AP ignores every packet sent. Only after a successful connection can the data-sender terminal send injection commands; once the router has received the injection commands it returns data, causing a large number of ARP packets to be generated, and a large number of data packets are then sent in injection-attack mode.
Compared with large-scale routers, the load capacity of an ordinary AP is weaker, so when the two methods are combined, the interference can quickly make the AP disconnect from the access terminals or weaken its working signal, so that it can no longer receive data packets from the access terminals normally.
Step 15: The access terminals believe the simulated AP is the only default router, connect to it and communicate with it. In this situation the original AP cannot work normally (it disconnects from the access terminals or its signal weakens), and the access terminals may mistakenly judge that the AP is faulty and automatically disconnect. At that moment a simulated AP exists whose name, password, encryption mode and working channel are identical to the original AP's and whose signal is very strong, so the access terminals mistake the simulated AP for the real default AP, initiate a connection to it with the same authentication mode as to the original, and communicate normally with it. The simulated AP can then send data to the access terminals, realizing direct data transmission between virtual VLANs.
Step 16: Stop the interference against the original default AP and close the simulated AP; the original default AP can resume normal operation.
After the direct data transmission between virtual VLANs is complete, the virtual clients stop continuously sending connection requests to the original default AP, the sending of large numbers of legal data packets that must be forwarded through the AP stops, and the simulated AP is closed at the same time. The original default AP can then resume normal operation, and the other access terminals reconnect to it and resume their original data transmission.
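As an added defender's-side example (not part of the patent), the following Python script checks a constructed capture of 802.11 frame summaries for the two observable symptoms of steps 13 to 15: a second radio announcing the original AP's BSSID (detected through the beacon Timestamp field, which a genuine AP advances monotonically at 1 MHz) and a burst of association requests from many distinct, locally administered station MACs. All MAC addresses, SSIDs and frame records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Frame:
    t: float            # capture time in seconds (constructed)
    kind: str           # "beacon" or "assoc_req"
    src: str            # transmitter MAC address
    bssid: str          # BSSID the frame belongs to
    ssid: str = ""
    channel: int = 0
    tsf: int = 0        # beacon Timestamp field (TSF), microseconds since the radio's TSF started
    rssi: int = 0

def detect_cloned_bssid(frames, tol_us=50_000):
    """Return the BSSIDs whose beacon stream cannot come from a single radio.
    A genuine AP's TSF advances monotonically at 1 MHz, so between two beacons of
    the same BSSID the TSF delta must match the capture-time delta (in microseconds)
    within tol_us. A second radio announcing the same BSSID, as in step 13, carries
    its own TSF, so the interleaved stream shows the TSF running backwards or jumping.
    A BSSID seen on more than one channel is flagged as well."""
    suspects = set()
    last = {}                                   # bssid -> (t, tsf) of previous beacon
    channels = defaultdict(set)
    beacons = sorted((f for f in frames if f.kind == "beacon"), key=lambda f: f.t)
    for f in beacons:
        channels[f.bssid].add(f.channel)
        if f.bssid in last:
            t0, tsf0 = last[f.bssid]
            expected = (f.t - t0) * 1_000_000
            if f.tsf < tsf0 or abs((f.tsf - tsf0) - expected) > tol_us:
                suspects.add(f.bssid)
        last[f.bssid] = (f.t, f.tsf)
    suspects.update(b for b, chans in channels.items() if len(chans) > 1)
    return suspects

def is_locally_administered(mac):
    """Bit 1 of the first octet set: the address was not assigned by a vendor.
    Randomly generated MACs usually set it, but so do privacy-randomising clients,
    so this is a supporting signal only."""
    return int(mac.split(":")[0], 16) & 0x02 != 0

def detect_assoc_flood(frames, window_s=5.0, max_clients=20):
    """Return {bssid: (peak distinct stations, share of locally administered MACs)}
    for every BSSID that received association requests from more than max_clients
    distinct stations inside some window_s-second sliding window (step 14)."""
    by_bssid = defaultdict(list)
    for f in sorted((f for f in frames if f.kind == "assoc_req"), key=lambda f: f.t):
        by_bssid[f.bssid].append(f)
    flagged = {}
    for bssid, reqs in by_bssid.items():
        peak, start = 0, 0
        for end in range(len(reqs)):
            while reqs[end].t - reqs[start].t > window_s:
                start += 1
            peak = max(peak, len({r.src for r in reqs[start:end + 1]}))
        if peak > max_clients:
            local = sum(is_locally_administered(r.src) for r in reqs) / len(reqs)
            flagged[bssid] = (peak, round(local, 2))
    return flagged

AP = "00:11:22:33:44:55"   # constructed BSSID of the genuine AP

def sample_capture(with_attack=True):
    """Constructed capture: a genuine AP beaconing every 102.4 ms with a long-running
    TSF; optionally a clone with the same BSSID, SSID and channel but a freshly started
    TSF and stronger signal, plus 30 association requests from made-up station MACs."""
    frames = [Frame(i * 0.1024, "beacon", AP, AP, "LabNet", 6, 900_000_000 + i * 102_400, -58)
              for i in range(40)]
    if with_attack:
        frames += [Frame(0.05 + i * 0.1024, "beacon", AP, AP, "LabNet", 6,
                         2_000_000 + i * 102_400, -35) for i in range(40)]
        frames += [Frame(1.0 + i * 0.066, "assoc_req", f"02:00:00:00:00:{i:02x}", AP)
                   for i in range(30)]
    return frames

if __name__ == "__main__":
    cap = sample_capture()
    print("cloned BSSIDs:", detect_cloned_bssid(cap))
    print("association floods:", detect_assoc_flood(cap))
```

Both checks need a monitor-mode capture of management frames; the TSF check is the more robust of the two, since the clone in the patent copies SSID, key, channel and MAC but cannot copy the original radio's running timestamp.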

Claims (4)

1. A wireless data transmission method between virtual LANs based on WPA2-PSK, characterized in that it comprises the following steps:
(1) the data-sender terminal obtains the PSK pre-shared key from the AP access point and sends a legitimate authentication request to the AP;
(2) the AP authorizes the data-sender terminal to access, all access terminals are divided into different virtual LANs (VLANs), and each access terminal automatically retains membership of its own VLAN segment;
(3) the data-sender terminal continuously sends interference information that requires immediate processing to the AP, so that the AP cannot work normally, and at the same time starts a simulated AP;
(4) the access terminals treat the simulated AP as the new default router, re-initiate a connection and communicate stably with the simulated AP, realizing direct communication between access terminals in different VLANs.
2. The wireless data transmission method according to claim 1, characterized in that the legitimate authentication request contains the legal BSSID of the AP access point and the corresponding authentication PSK key that was obtained.
3. The wireless data transmission method according to claim 1, characterized in that dividing the access terminals into different VLANs is done according to the MAC address and functional attributes of each access terminal.
4. The wireless data transmission method according to claim 1, characterized in that the simulated AP is a wireless network card turned into a wireless router by Soft AP, with the specific steps: first enter the Soft AP settings page; then, in the "Basic" tab of the settings options, find the Network Name (SSID) item and enter the same SSID name as the original AP access point in the selection box below; after the name is set, set the same authentication access key as the original AP; then select the channel at "Channel", choosing the same channel as the original AP; the specific routing parameters of the router emulated by the network card need no modification; then, in "Access Control List", set the MAC address of the virtual router to the same MAC address as the original AP.
CN201610823473.0A 2016-09-14 2016-09-14 A kind of radio data transmission method between virtual LAN based on WPA2-PSK Active CN106330654B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610823473.0A CN106330654B (en) 2016-09-14 2016-09-14 A kind of radio data transmission method between virtual LAN based on WPA2-PSK


Publications (2)

Publication Number Publication Date
CN106330654A CN106330654A (en) 2017-01-11
CN106330654B true CN106330654B (en) 2019-03-22

Family

ID=57786878


Country Status (1)

Country Link
CN (1) CN106330654B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110602019A (en) * 2018-06-12 2019-12-20 平安社区(北京)科技有限公司 Data transmission method based on wireless broadband networking technology
CN112737948A (en) * 2020-12-30 2021-04-30 北京威努特技术有限公司 Data transmission method and device between VLANs and industrial control firewall equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101499952A (en) * 2008-01-31 2009-08-05 明泰科技股份有限公司 Network system capable of crossing regional limitation between different virtual local area networks
US7877080B2 (en) * 2001-12-20 2011-01-25 Microsoft Corporation Public access point
CN104602266A (en) * 2015-01-27 2015-05-06 深圳市泰信通信息技术有限公司 Software-defined wireless network realization method
CN105379227A (en) * 2013-05-07 2016-03-02 环球互连及数据中心公司 A direct connect virtual private interface for a one to many connection with multiple virtual private clouds

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6434821B2 (en) * 2015-02-19 2018-12-05 アラクサラネットワークス株式会社 Communication apparatus and communication method


Also Published As

Publication number Publication date
CN106330654A (en) 2017-01-11


Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant