CN107690138B - Fast roaming method, device, system, access point and mobile station - Google Patents

Fast roaming method, device, system, access point and mobile station

Publication number: CN107690138B
Authority: CN (China)
Application number: CN201610640221.4A
Other languages: Chinese (zh)
Other versions: CN107690138A (en)
Inventor: 陈国海
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Legal status: Active
Prior art keywords: sta, ptk, feature information, data, random number
Events: application filed by Huawei Technologies Co Ltd; priority to CN201610640221.4A; publication of CN107690138A; application granted; publication of CN107690138B
Classifications

    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
        • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
        • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
        • H04W12/06 Authentication
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W36/00 Hand-off or reselection arrangements
        • H04W36/0005 Control or signalling for completing the hand-off > H04W36/0055 Transmission or use of information for re-establishing the radio link > H04W36/0077 Transmission or use of information for re-establishing the radio link of access information of target access point
        • H04W36/08 Reselecting an access point

Abstract

The invention discloses a fast roaming method, a device, a system, an access point and a mobile station, belonging to the technical field of networks. The method comprises the following steps: the fast roaming device acquires the feature information of the first AP; after determining that the STA has accessed the second AP, the fast roaming device sends the feature information of the first AP to the STA; the STA generates and sends a random number and generates a PTK; the fast roaming device acquires the feature information of the STA; the fast roaming device sends the feature information of the STA to the first AP; the first AP generates the PTK, and link authentication, access authentication and key agreement are completed; after determining to switch to the first AP, the STA sends a data message encrypted with the PTK to the first AP; the first AP decrypts the encrypted data message with the PTK; and the first AP completes association according to whether the internal information of the decrypted data message is consistent. The invention can reduce the roaming switching time to 0.

Description

Fast roaming method, device, system, access point and mobile station
Technical Field
The present invention relates to the field of network technologies, and in particular, to a fast roaming method, apparatus, system, access point, and mobile station.
Background
Roaming refers to a function in which a mobile Station (STA) is handed over from one Access Point (AP) of a Wireless Local Area Network (WLAN) to another AP while the WLAN continues to provide service to the STA.
At present, switching APs requires four processes, link authentication, association, access authentication and key agreement, to be carried out between the STA and the AP through multiple exchanges. If these four processes are performed separately, the whole roaming process takes several hundred milliseconds. The 802.11r standard, established by the Institute of Electrical and Electronics Engineers (IEEE) for WLANs, carries more information in each message so as to reduce the number of exchanges: key agreement is performed within the association and authentication processes, roaming time is reduced to within 100 milliseconds, and fast roaming is realized.
In the process of implementing the invention, the inventor finds that the prior art has at least the following problems:
in standards defined by the International Telecommunication Union (ITU), for example for Voice over Internet Protocol (VoIP), the one-way delay is required to be less than 200 ms and the jitter less than 40 ms. The time spent roaming in 802.11r is usually 50 ms to 80 ms. If the communication network already has a delay of about 160 ms and a jitter of about 30 ms due to bursty traffic, the maximum one-way delay during roaming is 160 ms + 80 ms = 240 ms > 200 ms, and the jitter is 30 ms + 80 ms = 110 ms > 40 ms, which cannot meet the service requirements of VoIP and the like.
Disclosure of Invention
In order to solve the problem that the prior art cannot meet the service requirements of VoIP and the like, embodiments of the present invention provide a fast roaming method, apparatus, system, access point and mobile station. The technical scheme is as follows:
in a first aspect, an embodiment of the present invention provides a fast roaming method, where the method includes:
the method comprises the steps that a fast roaming device obtains feature information of a first Access Point (AP), wherein the feature information of the first AP comprises a Medium Access Control (MAC) address of the first AP and a random number generated by the first AP;
after determining that a mobile Station (STA) has accessed a second AP, the fast roaming device sends the feature information of the first AP to the STA, wherein the first AP is a neighbor of the second AP;
the STA generates and sends a random number, and generates a Pairwise Temporary Key (PTK) based on the random number generated by the STA, the MAC address of the STA, a Pairwise Master Key (PMK) and the feature information of the first AP;
the fast roaming device acquires the feature information of the STA, wherein the feature information of the STA comprises the MAC address of the STA, the random number generated by the STA and the feature value of the PMK;
the fast roaming device sends the feature information of the STA to the first AP;
the first AP generates the PTK based on the feature information of the STA and the feature information of the first AP, and link authentication, access authentication and key agreement between the STA and the first AP are completed;
after determining to switch to the first AP, the STA sends a data message encrypted by the PTK to the first AP;
the first AP decrypts the encrypted data message by adopting the PTK;
and the first AP completes the association between the STA and the first AP according to whether the decrypted internal information of the data message is consistent.
Once the STA is determined to have accessed the second AP, it can be taken to have passed authentication, since an STA can only access the second AP by going through the second AP's link authentication, access authentication and related processes; the validity of the STA is thus preliminarily ensured. To avoid the large amount of time spent on the multiple message negotiations otherwise needed for access authentication, the method simplifies the handover of the STA from the second AP to the first AP: before the STA switches to the first AP, the STA and the first AP exchange information, obtain each other's MAC address, configure the PMK and generate the PTK, so that link authentication, access authentication and key agreement between the STA and the first AP are completed; after the STA decides to switch to the first AP, the first AP completes association between the STA and the first AP according to whether the internal information of the first data message sent by the STA to the first AP is consistent.
After the STA accesses the second AP, information such as MAC address, PMK, PTK and the like of a wireless link is interactively established between the STA and the first AP serving as the neighbor of the second AP, link authentication, access authentication and key agreement in the process of accessing the STA to the first AP are completed, and time consumed by information interaction in the process of roaming of the STA is greatly reduced. Meanwhile, when the STA determines to switch to the first AP, the AP completes association between the STA and the first AP according to whether the internal information of the first data message sent by the STA to the AP is consistent, so that no time is consumed in the roaming process of the STA (namely the roaming switching time is reduced to 0), the switching process is fast, the service requirements of VoIP and the like can be completely met, and the user experience is effectively guaranteed.
In a possible implementation manner of the first aspect, the data packet includes data and a data digest, and the first AP completes association between the STA and the first AP according to whether the internal information of the decrypted data packet is consistent, including:
the first AP applies a data digest algorithm to the decrypted data to obtain a calculated data digest;
the first AP compares the calculated data digest with the decrypted data digest;
when the calculated data digest is consistent with the decrypted data digest, the association between the STA and the first AP is completed.
The first AP uses an existing data digest algorithm to check whether the data and the data digest in the data message are consistent, and applies this check to the association process: association between the STA and the AP is completed by verifying the correctness of the digest in the first data message, no separate association message exists, and, on top of completing link authentication, access authentication and key agreement in two exchanges, the roaming time between the AP and the STA is reduced to 0, so that the user experience is guaranteed.
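As an added illustration (not code from the patent or from Huawei), the following Python simulation walks through the exchange of the first aspect, from the forwarding of the first AP's feature information through the digest check on the first PTK-encrypted frame, and it equally covers the third and fourth aspects below, which describe the same steps from the first AP's and the STA's side. The patent names no PRF, cipher or digest algorithm, so the following are assumptions: HMAC-SHA256 as the PTK derivation function and as a counter-mode keystream generator standing in for the real cipher, SHA-256 as the data digest, a truncated hash as the "feature value of the PMK", and a PMK cache on the first AP indexed by that value (the PMK itself never crosses the fast roaming device). All MAC addresses, nonces, keys and payloads are constructed sample values.

```python
"""Simulation of CN107690138B's pre-handover key agreement and of the first
data frame that doubles as the association request (added example; the PRF,
cipher, digest and PMK-lookup choices below are assumptions, not the patent's)."""
import hashlib
import hmac
import os


def pmk_feature_value(pmk):
    """Identifier of a PMK that can be forwarded without exposing the PMK
    (assumed: 16 bytes of SHA-256 over a label and the key)."""
    return hashlib.sha256(b"PMK-id" + pmk).digest()[:16]


def derive_ptk(pmk, ap_mac, sta_mac, ap_nonce, sta_nonce):
    """PTK from the inputs the patent lists: PMK, both MAC addresses and both
    random numbers.  Sorting makes both sides derive the same value no matter
    which side's values are passed first (assumed HMAC-SHA256 PRF)."""
    salt = b"".join(sorted([ap_mac, sta_mac]) + sorted([ap_nonce, sta_nonce]))
    return hmac.new(pmk, b"Pairwise key expansion" + salt, hashlib.sha256).digest()


def _keystream(ptk, frame_nonce, length):
    # Counter-mode keystream from HMAC-SHA256; a stand-in for the real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ptk, frame_nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_first_frame(ptk, frame_nonce, data):
    """STA side: append the data digest, then encrypt data||digest with the PTK."""
    plaintext = data + hashlib.sha256(data).digest()
    ks = _keystream(ptk, frame_nonce, len(plaintext))
    return frame_nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def ap_verify_first_frame(ptk, frame):
    """First AP side: decrypt with its own PTK, recompute the digest of the data
    and compare it with the decrypted digest.  Returns (associated, data); a
    mismatch (wrong PTK, tampering, truncated frame) means no association."""
    frame_nonce, body = frame[:8], frame[8:]
    if len(body) < 32:
        return (False, None)
    plaintext = bytes(a ^ b for a, b in zip(body, _keystream(ptk, frame_nonce, len(body))))
    data, received_digest = plaintext[:-32], plaintext[-32:]
    if hmac.compare_digest(hashlib.sha256(data).digest(), received_digest):
        return (True, data)
    return (False, None)


def run_fast_roaming(data=b"RTP payload 0001"):
    """Walk through the steps: pre-handover preparation via the fast roaming
    device, then the first encrypted frame after the STA decides to switch."""
    ap1_mac = bytes.fromhex("00aabbcc0001")          # constructed
    sta_mac = bytes.fromhex("00112233aabb")          # constructed
    pmk = hashlib.sha256(b"constructed PMK from the STA's access authentication").digest()
    ap1_pmk_cache = {pmk_feature_value(pmk): pmk}    # assumed: populated by the AC

    # Steps 1-2: fast roaming device collects the first AP's feature information
    # (MAC address and random number) and forwards it once the STA is on AP2.
    ap1_nonce = os.urandom(32)
    ap_feature_info = {"mac": ap1_mac, "nonce": ap1_nonce}
    # Step 3: the STA generates its random number and derives the PTK.
    sta_nonce = os.urandom(32)
    sta_ptk = derive_ptk(pmk, ap_feature_info["mac"], sta_mac, ap_feature_info["nonce"], sta_nonce)
    # Steps 4-5: the STA's feature information goes to the first AP; only the
    # PMK's feature value travels, not the PMK.
    sta_feature_info = {"mac": sta_mac, "nonce": sta_nonce, "pmk_id": pmk_feature_value(pmk)}
    # Step 6: the first AP looks up the PMK and derives the same PTK.
    ap_ptk = derive_ptk(ap1_pmk_cache[sta_feature_info["pmk_id"]], ap1_mac,
                        sta_feature_info["mac"], ap1_nonce, sta_feature_info["nonce"])
    # Steps 7-9: first PTK-encrypted frame; the digest check completes association.
    frame = encrypt_first_frame(sta_ptk, os.urandom(8), data)
    associated, recovered = ap_verify_first_frame(ap_ptk, frame)
    # Counter-case: a station that did not share the PMK derives a different PTK
    # and its frame fails the digest check, so no association is granted.
    other_ptk = derive_ptk(b"\x00" * 32, ap1_mac, sta_mac, ap1_nonce, sta_nonce)
    wrong, _ = ap_verify_first_frame(ap_ptk, encrypt_first_frame(other_ptk, os.urandom(8), data))
    return {"ptk_match": sta_ptk == ap_ptk, "associated": associated,
            "data": recovered, "wrong_key_rejected": not wrong}


if __name__ == "__main__":
    print(run_fast_roaming())
```

The digest check works as an implicit key confirmation: a frame decrypted with a different PTK yields random bytes whose recomputed SHA-256 cannot match the decrypted digest, so the first AP grants association only to the station that completed the pre-handover agreement. The constant-time comparison and the length check on short frames are the two details a practitioner would add on the AP side.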
In another possible implementation manner of the first aspect, the fast roaming device is disposed on an AP or an access controller AC, and the AC is configured to control and manage the AP.
The fast roaming device is built by extending existing equipment, so the implementation cost is low.
In yet another possible implementation manner of the first aspect, the characteristic information of the first AP further includes at least one of an encryption manner of the first AP, a frequency point of the first AP, and a bandwidth of the first AP.
The characteristic information of the first AP may be adaptively adjusted according to information required for accessing the AP.
In a second aspect, an embodiment of the present invention provides a fast roaming method, where the method includes:
the method comprises the steps that a fast roaming device obtains feature information of a first Access Point (AP), wherein the feature information of the first AP comprises a Medium Access Control (MAC) address of the first AP and a random number generated by the first AP;
after determining that a mobile Station (STA) accesses a second AP, the fast roaming device sends feature information of a first AP to the STA, wherein the first AP is a neighbor of the second AP, the STA generates and sends a random number, and a Pairwise Temporary Key (PTK) is generated based on the random number generated by the STA, the MAC address of the STA, a Pairwise Master Key (PMK) and the feature information of the first AP;
the fast roaming device acquires the feature information of the STA, wherein the feature information of the STA comprises the MAC address of the STA, the random number generated by the STA and the feature value of the PMK;
the fast roaming device sends the feature information of the STA to the first AP, so that the first AP generates the PTK based on the feature information of the STA and the feature information of the first AP, and link authentication, access authentication and key agreement between the STA and the first AP are completed.
After the STA accesses the second AP, information such as MAC address, PMK, PTK and the like of a wireless link is interactively established between the STA and the first AP serving as the neighbor of the second AP, link authentication, access authentication and key agreement in the process of accessing the STA to the first AP are completed, and time consumed by information interaction in the process of roaming of the STA is greatly reduced.
In a possible implementation manner of the second aspect, the fast roaming device is disposed on an AP or an access controller AC, and the AC is used for controlling and managing the AP.
The fast roaming device is built by extending existing equipment, so the implementation cost is low.
In a third aspect, an embodiment of the present invention provides a fast roaming method, where the method includes:
the method comprises the steps that a first Access Point (AP) completes link authentication, access authentication and key agreement with a mobile Station (STA) to obtain an MAC address, a Pairwise Master Key (PMK) and a Pairwise Temporary Key (PTK) of the STA;
the first AP receives a data message which is sent by the STA after the STA is determined to be switched from a second AP to the first AP and encrypted by the PTK, wherein the first AP is a neighbor of the second AP;
the first AP decrypts the encrypted data message by adopting the PTK;
and the first AP completes the association between the STA and the first AP according to whether the decrypted internal information of the data message is consistent.
In this method, before the STA decides to switch from the second AP to the first AP, the first AP completes link authentication, access authentication and key agreement with the STA and obtains the MAC address of the STA, the PMK and the PTK. After the STA decides to switch from the second AP to the first AP, the first AP receives the data message that the STA sends encrypted with the PTK, decrypts it with the PTK, and completes association between the STA and the first AP according to whether the internal information of the decrypted data message is consistent. No time is therefore consumed in the roaming process of the STA (that is, the roaming switching time is reduced to 0), the switching is fast, the service requirements of VoIP and the like can be fully met, and user experience is effectively guaranteed.
In a possible implementation manner of the third aspect, the data packet includes data and a data digest, and the first AP completes association between the STA and the first AP according to whether the internal information of the decrypted data packet is consistent, where the method includes:
the first AP applies a data digest algorithm to the decrypted data to obtain a calculated data digest;
the first AP compares the calculated data digest with the decrypted data digest;
when the calculated data digest is consistent with the decrypted data digest, the association between the STA and the first AP is completed.
The first AP completes association between the STA and the AP by verifying the correctness of the digest in the first data message, without a separate association message, and, on top of completing link authentication, access authentication and key agreement in two exchanges, reduces the roaming time between the AP and the STA to 0, thereby guaranteeing user experience.
In a fourth aspect, an embodiment of the present invention provides a fast roaming method, where the method includes:
after a mobile station STA accesses a second access point AP, link authentication, access authentication and key agreement with a first AP are completed to obtain an MAC address, a pairwise master key PMK and a pairwise temporary key PTK of the first AP, wherein the first AP is a neighbor of the second AP;
and after determining to switch to the first AP, the STA sends the data message encrypted by the PTK to the first AP.
In this method, before the STA decides to switch from the second AP to the first AP, the STA completes link authentication, access authentication and key agreement with the first AP and obtains the MAC address of the first AP, the PMK and the PTK. After the STA decides to switch from the second AP to the first AP, it sends the data message encrypted with the PTK to the first AP; the first AP decrypts the encrypted data message with the PTK and completes association between the STA and the first AP according to whether the internal information of the decrypted data message is consistent. No time is therefore consumed in the roaming process of the STA (that is, the roaming switching time is reduced to 0), the switching is fast, the service requirements of VoIP and the like can be fully met, and user experience is effectively guaranteed.
In a fifth aspect, an embodiment of the present invention provides a fast roaming system, where the system includes the apparatuses for implementing the method described in the first aspect, namely a fast roaming device, a mobile station STA, a second access point AP and a first AP.
In a sixth aspect, an embodiment of the present invention provides a fast roaming apparatus, where the apparatus includes a unit, such as an AP information obtaining unit, an AP information sending unit, an STA information obtaining unit, and an STA information sending unit, for implementing the method according to the second aspect.
In a seventh aspect, an embodiment of the present invention provides an access point AP, where the AP includes units, such as an access preparation unit, a packet receiving unit, a decryption unit, and a determining unit, for implementing the method according to the third aspect.
In an eighth aspect, an embodiment of the present invention provides a mobile station STA, where the STA includes units, such as an access preparation unit and an access completion unit, for implementing the method according to the fourth aspect.
In a ninth aspect, an embodiment of the present invention provides a fast roaming apparatus, where the apparatus includes: a memory for storing software programs and modules, and a processor coupled to the memory, wherein the processor, by running or executing the software programs and modules stored in the memory, performs the method of the second aspect.
In a tenth aspect, an embodiment of the present invention further provides a computer-readable medium for storing a program code for execution by a terminal, where the program code includes instructions for executing the method according to the second aspect.
In an eleventh aspect, an embodiment of the present invention provides an access point AP, where the AP includes: a memory for storing software programs and modules, and a processor coupled to the memory, wherein the processor, by running or executing the software programs and modules stored in the memory, performs the method of the third aspect.
In a twelfth aspect, an embodiment of the present invention further provides a computer-readable medium for storing a program code for execution by a terminal, where the program code includes instructions for executing the method according to the third aspect.
In a thirteenth aspect, an embodiment of the present invention provides a mobile station STA, where the STA includes: a memory for storing software programs and modules, and a processor coupled to the memory, wherein the processor, by running or executing the software programs and modules stored in the memory, performs the method of the fourth aspect.
In a fourteenth aspect, an embodiment of the present invention further provides a computer-readable medium for storing a program code for execution by a terminal, where the program code includes instructions for executing the method in the fourth aspect.
The technical scheme provided by the embodiment of the invention has the following beneficial effects:
after the STA accesses the second AP, information such as MAC address, PMK, PTK and the like of a wireless link is interactively established between the STA and the first AP serving as the neighbor of the second AP, link authentication, access authentication and key agreement in the process of accessing the STA to the first AP are completed, and time consumed by information interaction in the process of roaming of the STA is greatly reduced. Meanwhile, when the STA determines to switch to the first AP, the AP completes association between the STA and the first AP according to whether the internal information of the first data message sent by the STA to the AP is consistent, so that no time is consumed in the roaming process of the STA (namely the roaming switching time is reduced to 0), the switching process is fast, the service requirements of VoIP and the like can be completely met, and the user experience is effectively guaranteed.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is an application scenario diagram of a fast roaming method according to an embodiment of the present invention;
fig. 2 is a diagram of a network architecture for implementing AP handover according to an embodiment of the present invention;
fig. 3 is a hardware structure diagram of a fast roaming apparatus according to an embodiment of the present invention;
fig. 4 is a hardware configuration diagram of a first AP according to an embodiment of the present invention;
fig. 5 is a hardware configuration diagram of an STA according to an embodiment of the present invention;
fig. 6 is a flowchart of a fast roaming method according to an embodiment of the present invention;
fig. 7 is an interaction process diagram of an STA accessing a second AP according to an embodiment of the present invention;
fig. 8a and fig. 8b are schematic diagrams illustrating a process of discovering a second AP by a STA according to an embodiment of the present invention;
fig. 9a and 9b are schematic diagrams illustrating a STA and a second AP performing link authentication according to an embodiment of the present invention;
fig. 10 is a schematic diagram of association between an STA and a second AP according to an embodiment of the present invention;
fig. 11a and fig. 11b are schematic diagrams illustrating an access authentication performed between an STA and an AC and RADIUS server according to an embodiment of the present invention;
fig. 12a and 12b are schematic diagrams illustrating a key agreement between a STA and a second AP according to an embodiment of the present invention;
FIG. 13 is a schematic structural diagram of a PTK provided by an embodiment of the present invention;
fig. 14a and 14b are interaction process diagrams of another fast roaming method provided by the embodiment of the present invention;
fig. 15 is a schematic structural diagram of feature information of an AP according to an embodiment of the present invention;
fig. 16 is a schematic structural diagram of a message carrying a random number generated by an STA according to an embodiment of the present invention;
fig. 17 is a schematic structural diagram of a key in 802.11r according to an embodiment of the present invention;
fig. 18 is a schematic diagram of a data packet generation process according to an embodiment of the present invention;
fig. 19 is a schematic structural diagram of a fast roaming apparatus according to an embodiment of the present invention;
fig. 20 is a schematic structural diagram of an access point according to an embodiment of the present invention;
fig. 21 is a schematic structural diagram of a mobile station according to an embodiment of the present invention;
fig. 22a and fig. 22b are schematic structural diagrams of a fast roaming system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
Mobile office means that office staff can handle anything related to business (Anything) at any time (Anytime) and in any place (Anywhere); it is therefore also called "3A office". This new office mode frees staff from the constraints of time and space and lets them access the enterprise network from any location to complete their work.
Fig. 1 is a schematic diagram illustrating an application of the fast roaming method in a mobile office scenario according to an embodiment of the present invention. Referring to fig. 1, the first AP10 and the second AP20 access the same enterprise network 30, which is essentially a Wireless Local Area Network (WLAN). The enterprise network 30, the customer premises network 41 and the data center 42 each have access to the carrier network 50. STA60 is currently located in the service area of the second AP20 (the service area of each AP is indicated by an oval in fig. 1) and accesses the second AP20 (the second AP20 is referred to as the current AP of STA60); the second AP20 accesses the enterprise network 30, and the customer premises network 41 and the data center 42 can be reached through the carrier network 50. After STA60 moves into the service area of the first AP10 (fig. 1 shows the direction of movement of the STA by a straight arrow), STA60 switches to the first AP10 (the first AP10 is referred to as the target AP of STA60); the first AP10 also accesses the enterprise network 30, so STA60 can continue to reach the customer premises network 41 and the data center 42, thereby implementing mobile office. When STA60 switches from the second AP20 to the first AP10, the method provided by the embodiment of the present invention is used to implement fast roaming.
Fig. 2 is a network architecture diagram for specifically implementing AP handover in the application scenario shown in fig. 1. As shown in fig. 2, three first APs 10 and a second AP20 are arranged at different positions, and the three first APs 10 are neighbors of the second AP 20. Two APs which are adjacent to each other are controlled by the same Access Controller (AC) and have the same Service Set Identifier (SSID). STAs may roam between APs that are neighbors of each other, i.e., handoff from one AP to another. The number of the first APs shown in fig. 2 is only an example, and the embodiment of the present invention is not limited thereto.
In fig. 2, STA60 is currently accessing the second AP20, and STA60 may switch to a first AP10 after moving. The second AP20 and all the first APs 10 are connected (usually, wired) to an Access Controller (AC) 70, and the AC 70 manages and controls configuration, radio frequency, user Access, and the like of each AP. The AC 70 is also connected (typically by wired connection) to a Remote Authentication Dial-In User Service (RADIUS) server 80, and the RADIUS server 80 is used as an Authentication, Authorization, Accounting (AAA) server to perform User access Authentication.
The present invention adds a fast roaming device 90 to the network architecture, which mainly realizes the information interaction between the STA60 and the first AP10 before the STA60 switches to the first AP 10. Specifically, the fast roaming device may be provided on the AC 70, may be provided on each AP, and may be provided independently of the AC 70 and the AP. The fast roaming device 90 is illustrated in fig. 2 as being independent of the AC and AP settings, and in practical applications, the fast roaming device 90 may be located on the AC or each AP.
In a specific implementation, the STA60 is generally a client, and may be a computer equipped with a Wireless network card, or may be a smart phone, a tablet computer, or the like equipped with a Wireless-Fidelity (Wi-Fi) module. The first AP10, the second AP20, and the AC 70 are all network devices, such as routers.
It should be noted that the architectures shown in fig. 1 and fig. 2 are only examples, and the present invention is not limited thereto.
The fast roaming apparatus, the first AP, and the STA provided in the embodiment of the present invention are described below with reference to specific hardware structures.
Referring to fig. 3, the fast roaming device 90 may be a network device such as a router. The fast roaming device 90 may include a processor 91 with one or more processing cores, a memory 92 made up of one or more computer-readable storage media, and a communication interface 93, and the processor 91 may be connected to the memory 92 and the communication interface 93 by a bus 94. Those skilled in the art will appreciate that the configuration shown in fig. 3 does not limit the apparatus, which may include more or fewer components than those shown, combine some components, or arrange the components differently. Wherein:
the processor 91 is the control center of the fast roaming device 90, connects various parts of the entire fast roaming device 90 using various interfaces and lines, and performs various functions of the fast roaming device 90 and processes data by running or executing software programs and/or modules stored in the memory 92 and calling up data stored in the memory 92, thereby performing overall monitoring of the fast roaming device 90. Alternatively, the Processor 91 may include one or more Processing units, which may be a Central Processing Unit (CPU), a Network Processor (NP), or the like.
The memory 92 may be used to store software programs that may be executed by the processor 91. The memory 92 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an AP information acquisition module, an AP information transmission module, an STA information acquisition module, and an STA information transmission module; the data storage area may store data created during use of the fast roaming device 90, such as pairwise master keys, pairwise temporary keys, and the like. Further, memory 92 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. Accordingly, the memory 92 may also include a memory controller to provide the processor 91 with access to the memory 92.
The communication interface 93 may include at least one of a wired network interface (such as an ethernet interface) and a wireless network interface (such as a WLAN interface). When the fast roaming device 90 is added to the AC or is independent of the AC and the AP, the communication interface 93 includes a wired network interface; when the fast roaming device 90 is added to the AP, the communication interface includes a wired network interface and a wireless network interface. The communication interface 93 is controlled by the processor 91.
Optionally, the fast-roaming apparatus 90 may further include an output device 95 and an input device 96. An output device 95 and an input device 96 are connected to the processor 91. The output device 95 may be a display for displaying information, a power amplifier device for playing sound, or a printer, and the like, and the output device 95 may further include an output controller for providing output to the display, the power amplifier device, or the printer. The input device 96 may be a device such as a mouse, keyboard, electronic stylus, or touch panel for user input of information, and the input device 96 may also include an output controller for receiving and processing input from the mouse, keyboard, electronic stylus, or touch panel device.
Referring to fig. 4, the first AP10 may be a network device such as a router. The first AP10 may include a processor 11 with one or more processing cores, a memory 12 with one or more computer-readable storage media, and a communication interface 13; the processor 11 may be connected to the memory 12 and the communication interface 13 by a bus 14. Those skilled in the art will appreciate that the configuration shown in fig. 4 does not limit the device, which may include more or fewer components than those shown, combine some components, or arrange the components differently. Wherein:
The processor 11 is the control center of the first AP10: it connects the parts of the whole first AP10 through various interfaces and lines, and performs the functions of the first AP10 and processes data by running or executing the software programs and/or modules stored in the memory 12 and calling up the data stored in the memory 12, thereby monitoring the first AP10 as a whole. Optionally, the processor 11 may include one or more processing units, which may be a Central Processing Unit (CPU), a Network Processor (NP), or the like.
The memory 12 may be used to store software programs that are executed by the processor 11. The memory 12 may mainly include a program storage area and a data storage area; the program storage area may store an operating system, an access preparation module, a message receiving module, a decryption module, and a determination module, and the data storage area may store data created through use of the first AP10, such as a pairwise master key, a pairwise transient key, and the like. Further, the memory 12 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. Accordingly, the memory 12 may also include a memory controller that gives the processor 11 access to the memory 12.
The communication interface 13 may include a wired network interface (such as an Ethernet interface) and a wireless network interface (such as a WLAN interface). The communication interface 13 is controlled by the processor 11.
Optionally, the first AP10 may further include an output device 15 and an input device 16, both connected to the processor 11. The output device 15 may be a display for displaying information, a power amplifier device for playing sound, a printer, or the like, and may further include an output controller that drives the display, the power amplifier device, or the printer. The input device 16 may be a mouse, keyboard, electronic stylus, touch panel, or similar device through which a user enters information, and may also include an input controller that receives and processes the input from the mouse, keyboard, electronic stylus, or touch panel.
Fig. 5 shows a hardware structure of an STA provided by an embodiment of the present invention. STA60 may be a smartphone, tablet, laptop, etc. Taking a smart phone as an example, the STA60 may include Radio Frequency (RF) circuitry 61, a memory 62 including one or more computer-readable storage media, an input unit 63, a display unit 64, a sensor 65, an audio circuit 66, a wireless fidelity (WiFi) module 67, a processor 68 including one or more processing cores, and a power supply 69. Those skilled in the art will appreciate that the hardware configuration shown in fig. 5 does not constitute a limitation of the STA, and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
The processor 68 is the control center of the STA60: it connects the parts of the whole STA60 through various interfaces and lines, and performs the functions of the STA60 and processes data by running or executing the software programs and/or modules stored in the memory 62 and calling up the data stored in the memory 62, thereby monitoring the STA60 as a whole. Optionally, the processor 68 may include one or more processing cores; preferably, the processor 68 integrates an application processor, which mainly handles the operating system, user interface, applications, and so on, and a modem processor, which mainly handles wireless communication. It will be appreciated that the modem processor need not be integrated into the processor 68.
The memory 62 may be used to store various data such as configuration parameters, software programs, and modules, and the processor 68 runs the various functional applications and data processing by executing the software programs and modules stored in the memory 62. The memory 62 may mainly include a program storage area and a data storage area; the program storage area may store an operating system, an access preparation module, and an access completion module, and the data storage area may store data created through use of the STA60, such as pairwise master keys, pairwise transient keys, and the like. Further, the memory 62 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. Accordingly, the memory 62 may also include a memory controller that gives the processor 68 and the input unit 63 access to the memory 62.
The RF circuit 61 may be used for receiving and transmitting signals during a message transmission or call, and in particular, for receiving downlink information from a base station and processing the received downlink information by one or more processors 68. In general, the RF circuit 61 includes, but is not limited to, an antenna, at least one Amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. In addition, the RF circuit 61 may also communicate with a network and other devices through wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System for mobile communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, Short Message Service (SMS), and the like.
Referring to fig. 6, it illustrates a fast roaming method provided by an embodiment of the present invention, which uses the network architecture shown in fig. 2 to implement fast roaming in the application scenario shown in fig. 1. As shown in fig. 6, the method includes:
step S301: the STA accesses the second AP.
In this embodiment, referring to fig. 7, the step S301 may include:
step S301a, the STA discovers the second AP;
step S301b, the STA and the second AP perform link authentication;
step S301c, after the link authentication passes, the STA associates with the second AP;
step S301d, the AC uses the RADIUS server to perform access authentication on the STA;
step S301e, after the access authentication passes, the STA and the second AP perform key agreement.
Among other things, the AC is used to manage and control the APs.
Link authentication is the AP granting the STA use of the wireless link between the two.
The association is to negotiate configuration parameters of the radio link and establish the radio link meeting the data transmission requirements.
The access authentication is to verify the identity of the STA and obtain a Pairwise Master Key (PMK) corresponding to both the STA and the AP, where the PMK is a source of all keys used for communication between the STA and the AP. For example, STA1 and AP1 generate keys for mutual communication using PMK1, STA1 and AP2 generate keys for mutual communication using PMK2, STA2 and AP1 generate keys for mutual communication using PMK3, and STA2 and AP2 generate keys for mutual communication using PMK 4.
Key agreement derives a Pairwise Transient Key (PTK) from the information exchanged between the STA and the AP together with the PMK; the PTK is used to encrypt the data transmitted between the STA and the AP.
In one implementation manner of this embodiment, referring to fig. 8a, the step S301a may include:
1. the STA sends Probe Requests on each of its supported channels in turn;
2. the second AP receives the Probe Request and sends a Probe Response to the STA.
In this implementation, the STA actively scans for the accessible APs around it, so AP discovery is fast.
Further, the probe request may carry the Service Set Identifier (SSID) of the desired AP; each AP that receives the probe request compares that SSID with its own and sends a probe response to the STA only if the two SSIDs are the same. Thus only APs whose SSID matches the one in the probe request respond, which helps the STA discover the desired AP.
In another implementation manner of this embodiment, referring to fig. 8b, the step S301a may include:
1. the second AP sends a Beacon frame every set period;
2. the STA receives the beacon frames sent by the second AP.
In this implementation, the STA passively waits for the beacon frames sent by the accessible APs around it to determine which APs are accessible.
In a specific implementation, the set period may be 100 ms, and the beacon frame may include the SSID, the supported rates, and so on of the AP.
In one implementation manner of this embodiment, referring to fig. 9a, the step S301b may include:
1. the STA sends a link authentication request to the second AP;
2. the second AP sends a link authentication response to the STA.
This implementation is called Open System Authentication: as long as the STA sends an authentication request, the AP lets the authentication succeed. It is currently the most widely used mode.
In another implementation manner of this embodiment, referring to fig. 9b, the step S301b may include:
1. the STA sends a link authentication request to the second AP;
2. the second AP generates a challenge text and sends it to the STA;
3. the STA encrypts the challenge text with a preconfigured key and sends the encrypted challenge text to the second AP;
4. the second AP encrypts the challenge text it sent to the STA with the preconfigured key and compares the result with the encrypted challenge text it received;
5. when the two match, the second AP sends a link authentication response to the STA.
In practical applications, since the preconfigured key is a symmetric key (the sending and receiving sides use the same key to encrypt and decrypt), the second AP may instead, in step 4, decrypt the received encrypted challenge text with the preconfigured key and compare the result with the challenge text it sent to the STA; this also achieves link authentication.
This implementation is called Shared Key Authentication: link authentication passes only if the keys preconfigured in the STA and the second AP are the same, so it is stricter than open system authentication. In practice it is the WEP-era mode and has been deprecated, because both the challenge text and its encrypted form are observable over the air; the real protection of the link comes from the access authentication and key agreement steps that follow.
Alternatively, referring to fig. 10, the step S301c may include:
1. the STA sends an association request to a second AP;
2. and the second AP receives the association request and sends an association response to the STA.
The association request includes the STA's supported rates, channel, Quality of Service (QoS) capability, access authentication method, and encryption algorithm. Generally, if the AP can meet the requirements stated in the association request, it sends an association response to the STA and transmits data according to those requirements, so that data can be transmitted accurately and securely. Once association is complete, the wireless link between the STA and the AP is established.
In one implementation manner of this embodiment, referring to fig. 11a, the step S301d may include:
1. the STA sends an access authentication request to the AC;
2. the AC receives the authentication request and sends an identity request to the STA;
3. the STA receives the identity request and sends identity information of the STA to the AC, wherein the identity information comprises a user identifier;
4. the AC forwards the identity information of the STA to the RADIUS server;
5. the RADIUS server receives the identity information and sends a certificate of the server including a public key to the AC;
6. the AC forwards the certificate of the server including the public key to the STA;
7. the STA receives the server certificate including the public key, verifies the certificate, and after successful verification generates a random secret (the pre-master secret), encrypts it with the public key, and derives a PMK from it;
8. the STA sends a certificate of the STA and the encrypted random password string to the AC;
9. the AC forwards the certificate of the STA and the encrypted random password string to the RADIUS server;
10. the RADIUS server verifies the certificate of the STA, decrypts the encrypted random password string by adopting a private key after the certificate is successfully verified, and generates a PMK based on the random password string;
11. the RADIUS server sends an access authentication response and the PMK to the AC, and the AC obtains the PMK;
12. the AC forwards the access authentication response to the STA.
In another implementation manner of this embodiment, referring to fig. 11b, the step S301d may include:
1. the STA sends an access authentication request to the AC;
2. the AC receives the authentication request and sends an identity request to the STA;
3. the STA receives the identity request and sends identity information of the STA to the AC, wherein the identity information comprises a user identifier;
4. the AC forwards the identity information of the STA to the RADIUS server;
5. the RADIUS server receives the identity information and sends an authentication start message to the AC;
6. the AC forwards the authentication start message to the STA;
7. the STA receives the authentication start message and sends an authentication message to the AC; the authentication message includes a list of cipher suites, the Transport Layer Security (TLS) protocol version, a session identifier, and so on;
8. the AC forwards an authentication message to the RADIUS server;
9. the RADIUS server receives the authentication information and sends a certificate of the server including a public key to the AC;
10. the AC forwards the certificate of the server including the public key to the STA;
11. the STA receives the server certificate including the public key, verifies the certificate, and after successful verification generates a random secret (the pre-master secret), encrypts it with the public key, and derives a PMK from it;
12. the STA sends a certificate of the STA and the encrypted random password string to the AC;
13. the AC forwards the certificate of the STA and the encrypted random password string to the RADIUS server;
14. the RADIUS server verifies the certificate of the STA, decrypts the encrypted random password string by adopting a private key after the certificate is successfully verified, and generates a PMK based on the random password string;
15. the RADIUS server sends an access authentication response and the PMK to the AC, and the AC obtains the PMK;
16. the AC forwards the access authentication response to the STA.
It should be noted that after the AC obtains the PMK, the AC can inform the corresponding AP of the PMK, so that the PMK is set in both the AP and the STA.
Further, taking the certificate of the authentication server as an example, certificate verification may be implemented as follows:
the RADIUS server signs the description information (issuing organization, expiry time, and so on) with its private key to obtain a signature;
the RADIUS server forms a digital certificate from the description information, the public key matching the private key, and the signature, and sends the digital certificate to the STA;
the STA receives the digital certificate, verifies the signature with the public key carried in the certificate (for RSA this recovers the signed description information or its digest), and compares the result with the description information in the certificate;
when the result is consistent with the description information in the digital certificate, verification succeeds;
when the result differs from the description information in the digital certificate, verification fails.
It will be appreciated that the STA's certificate can be verified by a similar process, which is not described in detail here. Note that the process above corresponds to a self-signed server certificate; with a certificate issued by a certification authority, the STA must verify the signature with the issuing authority's public key taken from its own trust store, not with the public key carried in the certificate itself, otherwise any presented certificate would verify against itself.
Alternatively, referring to fig. 12a, the step S301e may include:
1. the STA and the second AP each generate a random number;
2. the second AP sends its random number to the STA;
3. the STA generates the PTK with a hash-based key derivation from the random number generated by the second AP, the Media Access Control (MAC) address of the second AP, the random number generated by the STA, the MAC address of the STA, and the PMK;
4. the STA sends its random number to the second AP;
5. the second AP generates the PTK in the same way from the random number generated by the STA, the MAC address of the STA, its own random number, its own MAC address, and the PMK;
6. the second AP sends the STA a notification to install the PTK;
7. the STA receives the notification, installs the PTK, and sends the second AP a notification that the PTK is installed;
8. the second AP receives that notification and installs the PTK.
FIG. 13 is a schematic diagram of the structure of the PTK. As shown in fig. 13, when Counter Mode with CBC-MAC Protocol (CCMP) is used, bits 0-127 of the PTK are the Key Confirmation Key (KCK), bits 128-255 the Key Encryption Key (KEK), and bits 256-383 the Temporal Encryption Key (TEK; the temporal key TK of 802.11); when the Temporal Key Integrity Protocol (TKIP) is used, bits 0-127 are the KCK, bits 128-255 the KEK, bits 256-383 the TEK, and bits 384-511 the Temporal Message Integrity Check Key (TMK). The KCK keys the integrity check on the key agreement messages, the KEK wraps keys (such as the GTK) delivered inside them, and the TEK protects data frames.
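The key agreement of steps 1 to 8 and the PTK layout of FIG. 13, as an added Python example (it is not code from the patent or from any vendor implementation): it implements the 802.11i PRF used for "Pairwise key expansion", splits the PTK into KCK, KEK and TEK (plus TMK for TKIP), and checks the message-2 MIC by which the STA proves it holds the PMK without the PMK ever crossing the air. The PMK, MAC addresses and nonces are constructed, and the message-2 body is a simplified stand-in for the real EAPOL-Key frame.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for
    i = 0, 1, ... and keep the first nbits bits."""
    out = b""
    i = 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, cipher: str = "CCMP"):
    """PTK = PRF-X(PMK, "Pairwise key expansion",
                   Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)),
    X = 384 for CCMP and 512 for TKIP (FIG. 13). The Min/Max ordering is why the STA
    (step 3) and the AP (step 5) reach the same PTK whichever side computes first.
    Returns the raw PTK and its sub-keys."""
    nbits = {"CCMP": 384, "TKIP": 512}[cipher]
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, nbits)
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TEK": ptk[32:48]}
    if cipher == "TKIP":
        keys["TMK"] = ptk[48:64]  # TKIP Tx/Rx MIC keys occupy bits 384-511
    return ptk, keys


def eapol_key_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key MIC of EAPOL-Key descriptor version 2: HMAC-SHA1 over the frame with its
    MIC field set to zero, truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_pmk, sta_pmk, ap_mac, sta_mac, cipher="CCMP", anonce=None, snonce=None):
    """Simulate steps 1-5 plus the message-2 MIC check that 802.11i adds to step 4/5.
    ap_pmk and sta_pmk are passed separately so that a PMK mismatch can be demonstrated.
    Returns (ap_ptk, sta_ptk, ap_keys, mic_ok)."""
    anonce = anonce if anonce is not None else os.urandom(32)  # step 1, AP side
    snonce = snonce if snonce is not None else os.urandom(32)  # step 1, STA side
    # steps 2-3: the AP sends ANonce; the STA derives its PTK
    sta_ptk, sta_keys = derive_ptk(sta_pmk, ap_mac, sta_mac, anonce, snonce, cipher)
    # step 4: the STA sends SNonce with a MIC keyed by its KCK. Constructed, simplified
    # message-2 body: SNonce followed by a zeroed 16-byte MIC field (a real frame also
    # carries the EAPOL-Key header and the RSN information element).
    msg2 = snonce + bytes(16)
    msg2_mic = eapol_key_mic(sta_keys["KCK"], msg2)
    # step 5: the AP derives its PTK from the received SNonce and verifies the MIC; a
    # match proves the STA holds the same PMK.
    ap_ptk, ap_keys = derive_ptk(ap_pmk, ap_mac, sta_mac, anonce, snonce, cipher)
    mic_ok = hmac.compare_digest(eapol_key_mic(ap_keys["KCK"], msg2), msg2_mic)
    # steps 6-8 (install notifications) are omitted: message 3 would carry the GTK
    # wrapped with KEK, and messages 3 and 4 are again MIC'd with KCK.
    return ap_ptk, sta_ptk, ap_keys, mic_ok


if __name__ == "__main__":
    pmk = hashlib.sha256(b"constructed PMK for the example").digest()  # 256-bit PMK
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    _, _, keys, ok = four_way_handshake(pmk, pmk, ap_mac, sta_mac, "CCMP")
    print("MIC ok:", ok, "TEK:", keys["TEK"].hex())
```

Passing different PMKs to the two sides makes the MIC check fail, which is the only signal the AP has that the STA was actually authenticated; an implementation that installed the PTK without checking the MIC would accept any STA that knows the AP's MAC address.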
Preferably, referring to fig. 12b, the step S301e may further include:
1. the second AP generates a Group Master Key (GMK), derives a Group Temporal Key (GTK) from the GMK, and encrypts the GTK with the PTK (specifically, with its KEK portion);
2. the second AP sends the encrypted GTK to the STA;
3. the STA decrypts the encrypted GTK by adopting the PTK to obtain the GTK and installs the GTK;
4. the STA sends a notification indicating installation of the GTK to the second AP;
5. the second AP receives a notification indicating installation of the GTK, and installs the GTK.
The GMK is a random value from which the GTK is derived; the GTK encrypts multicast and broadcast frames, and the PTK encrypts unicast frames.
In the STA and the AP, the installation of the key such as the PTK and the GTK means that the key is stored in the device for use at any time.
Since the STA accesses the second AP through the five complete procedures of service discovery, link authentication, association, access authentication and key agreement, the second AP is usually the AP that the STA accesses in the WLAN for the first time.
After step S301 the STA has accessed one AP in the WLAN (the second AP in this embodiment), which shows that it has passed the WLAN's access authentication, so its legitimacy has been established once. To avoid the time consumed by the multiple message exchanges of access authentication when the STA is handed over to another AP in the WLAN because it moves, the access process is simplified: what mainly remains is to establish, between the STA and the AP it is handed over to, a wireless link that transmits data securely and accurately. Specifically, during roaming the fast roaming device mediates the exchange of information between the STA and the AP before the STA switches to that AP, so that both obtain each other's MAC address, configure the PMK, and generate the PTK; this completes link authentication, access authentication, and key agreement between the STA and the AP. Then, after the STA decides to switch to the AP, the AP completes the association according to whether the internal information of the first data message the STA sends it is consistent. See the following:
Step S302: the first AP sends its feature information to the fast roaming device. There is no fixed order of execution between step S302 and step S301.
In this embodiment, the first AP is a neighbor of the second AP. The feature information of the first AP includes the MAC address of the first AP and a random number (nonce) generated by the first AP; the first AP generates this nonce for the STA that will access it next.
Optionally, the feature information of the first AP may further include an encryption algorithm, a bandwidth, and a frequency point adopted by the first AP, and may be specifically set according to information that the STA needs to interact with the AP.
In a specific implementation, the step S302 may include:
the fast roaming device determines that the STA is accessed to a second AP;
the fast roaming device determines all first APs according to the positions of all APs and sends characteristic information acquisition requests to all the first APs;
and the first AP receives the characteristic information acquisition request and sends the characteristic information of the first AP to the fast roaming device.
Specifically, when the fast roaming device is deployed on the AC, the AC has a wired connection to the second AP and controls and manages it, so the AC can determine that the STA has accessed the second AP either by actively querying the second AP or by receiving a report from it.
Meanwhile, since the AC controls and manages the APs, it knows the positions of all APs; it can therefore determine all first APs that are neighbors of the second AP, send a feature information acquisition request to each of them, and receive the feature information each first AP returns in reply.
When the fast roaming device is deployed on the APs, the instance on the second AP can of course determine that the STA has accessed the second AP.
Meanwhile, the second AP has a wired connection to the AC, which controls and manages all APs and knows their positions, so the second AP can obtain all first APs that are its neighbors by sending a request to the AC; since the APs are also connected to each other by wire, it can then send a feature information acquisition request to each first AP and receive the feature information returned in reply.
When the fast roaming device is deployed independently of the AC and the APs, it may be connected by wire to both. It can then determine that the STA has accessed the second AP and obtain all first APs that are neighbors of the second AP by sending a request to the AC, or by sending requests to the APs, and then send a feature information acquisition request to each first AP and receive the feature information returned in reply.
Fig. 6 is a schematic diagram of a process for implementing fast roaming of a STA from a second AP to a first AP in a case where the fast roaming device is independent of an AC and an AP; in the case that the fast roaming device is set on the AC, the process of implementing fast roaming may be seen in fig. 14 a; in the case that the fast roaming apparatus is provided on each AP, a process of implementing fast roaming may be as shown in fig. 14 b.
Step S303: the fast roaming device forwards the feature information of the first AP to the STA. This step S303 is executed after step S301.
Specifically, when the fast roaming device is deployed on the AC or independently of the AC and the APs, the feature information of the first AP is sent to the second AP by way of the AC, and the second AP sends it to the STA; when the fast roaming device is deployed on the APs, the instance on the second AP sends the feature information of the first AP to the STA directly.
In a specific implementation, the feature information of a first AP sent by the fast roaming device may include an AP identifier, a physical feature, a security feature, a radio frequency feature, and a random number. For example, referring to fig. 15, the feature information of one first AP is AP ID1 (AP identifier), MAC1 (physical feature), Advanced Encryption Standard (AES) encryption (security feature), frequency point 2.418 GHz (radio frequency feature), and Nonce1 (random number); the feature information of another first AP is AP ID2 (AP identifier), MAC2 (physical feature), AES encryption (security feature), frequency point 2.438 GHz (radio frequency feature), and Nonce2 (random number).
Step S304: the STA generates a random number and transmits it to the fast roaming device.
Specifically, when the fast roaming device is deployed on the AC or independently of the AC and the APs, the STA sends its random number to the second AP, which forwards it to the AC; when the fast roaming device is deployed on the APs, the STA sends its random number directly to the instance on the second AP.
It should be noted that the second AP may have several first APs as neighbors; in that case the STA generates a random number for each first AP and sends it to the corresponding first AP. The random numbers for the different first APs may be the same or different, although a fresh random number per first AP is the safer choice, since the random numbers are what keep each derived PTK unique. In implementation, the random number generated by the STA for a first AP is sent together with the MAC address of that first AP, so that the fast roaming device can tell from the carried MAC address which first AP each random number belongs to.
In a specific implementation, the message sent for each first AP may include an AP identifier and a random number. For example, referring to fig. 16, the message sent for one first AP is AP ID1 (AP identifier), Nonce1 (random number); the message sent for the other first AP is AP ID2 (AP identifier), Nonce2 (random number).
Step S305: the STA determines the PMK of each first AP and calculates the PTK based on the PMK of each first AP.
As described above, a PMK corresponds to a particular STA and AP pair; since only one STA is involved in this embodiment, the PMKs are distinguished by AP alone.
Optionally, the STA determining the PMK of the first AP may include:
the STA checks, by the MAC address of the first AP, whether it has cached a PMK Security Association (PMKSA) for that first AP;
when the STA has cached the PMKSA of the first AP, it uses the cached PMK of the first AP, identified by the cached PMKID;
when the STA has not cached a PMKSA for the first AP, it determines the PMK of the first AP through the 802.1X negotiation steps.
In practical application, obtaining a PMK through the 802.1X negotiation steps involves multiple frame exchanges and takes a long time, so the STA caches the PMK it has obtained to avoid running the 802.1X negotiation again; what the STA caches is the PMKSA. The PMKSA includes the MAC address of the AP, the lifetime of the PMK, and the PMK Identifier (PMKID); the PMKID is a keyed hash computed with the PMK over the MAC address of the AP, the MAC address of the STA, and a fixed label, so it identifies the PMK without revealing it.
In the 802.11r standard, see fig. 17, the keys form three levels: PMK_R0, PMK_R1, and PTK. PMK_R0 is the first (top) level, and the PMK_R0 is the same for every AP; PMK_R1 is the second level, computed from PMK_R0 and information whose value differs per AP (such as the identifier of the AP), so each AP has a different PMK_R1; the PTK is the third level, computed from PMK_R1. On one hand, only PMK_R1 is transported when the STA roams, and because each AP's PMK_R1 is different and the derivation is one-way, a compromised PMK_R1 affects only that one AP, so security is high. On the other hand, because the STA already holds PMK_R0 from its initial authentication, when it moves to another AP it can compute that AP's PMK_R1 from PMK_R0 and the information of that AP, and then negotiate the PTK from PMK_R1, avoiding the time-consuming 802.1X authentication and shortening the handover time.
In the above situation, the STA determining the PMK of the first AP may include:
the STA calculates the PMK_R1 of the first AP from PMK_R0 and the identifier of the first AP.
For example, the Key Derivation Function (KDF) defined in 802.11r may be used to calculate PMK_R0 from the length of the Service Set Identifier (SSID) of the accessed network, the SSID, the Mobility Domain Identifier (MDID), the length of the identifier of the PMK_R0 key holder (R0KH-ID), that identifier, and other information; the same KDF is then used to calculate PMK_R1 from PMK_R0, the identifier of the PMK_R1 key holder (R1KH-ID, which identifies the AP), and other information.
Specifically, calculating the PTK based on the PMK of each first AP may include:
the STA calculates the PTK with a hash algorithm from the MAC address of the first AP, the random number generated by the first AP, the MAC address of the STA, the random number generated by the STA and the PMK of the first AP.
As described above, when switching from the accessed AP to another AP the process may be simplified, and only a few necessary parameters need to be acquired to establish a wireless link for safe and accurate data transmission. In practical applications, a cache list may be established in the STA to record the parameters required for establishing the wireless link, as shown in Table 1 below:
Table 1 (the table appears as an image in the original; its columns are listed below)
Each row of the table lists, for one first AP, the MAC address of that AP, the random number generated by the STA, the random number generated by the first AP, the PMKID, PMK_R1, the encryption key, the digest key and the validity time. The encryption key is the TEK in the PTK, and the digest key is the TMK in the PTK. It should be noted that the entries in the table may be pruned according to the parameters actually required for accessing the AP.
Step S306: the fast roaming device acquires the feature information of the STA.
In this embodiment, the STA feature information includes a MAC address of the STA, a random number generated by the STA, and a feature value of the PMK generated by the STA for the first AP.
In a specific implementation, the random number generated by the STA is sent by the STA to the fast roaming device, and the message carrying that random number also carries the MAC address of the STA, from which the fast roaming device can obtain the STA's MAC address. The fast roaming device may also determine the MAC address of the STA through the second AP. The feature value of the PMK generated by the STA for the first AP is generally the PMKID of the first AP or the PMK_R1 of the first AP; the RADIUS server may determine this feature value in the same way as the STA determines the PMK of the first AP in step S305, and then send it to the AC. If the fast roaming device is arranged on the AC, it can obtain the feature value of the PMK generated by the STA for the first AP directly; if the fast roaming device is arranged on the AP or independently of the AC and the AP, it obtains the feature value through interaction with the AC.
Step S307: the fast roaming device transmits the feature information of the STA to the first AP.
Specifically, the APs are connected to each other by wired links, as are the APs and the AC; when the fast roaming device is arranged on the AC or on an AP, it can send the STA feature information directly to the first AP. When the fast roaming device is set up independently of the AC and the AP, it is wired to the AC and to each AP and can likewise send the feature information of the STA directly to the AP.
Step S308: the first AP receives the feature information of the STA, and calculates the PTK based on the feature information of the STA.
Specifically, the step S308 may include:
the first AP calculates the PTK with a hash algorithm from the MAC address of the first AP, the random number generated by the first AP, the MAC address of the STA, the random number generated by the STA and the PMK shared by the STA and the first AP.
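As an added example that is not code from the patent, the following Python walks steps S302 to S308: the STA and the first AP each derive the PTK from the relayed feature information and fill their Table 1 and Table 2 entries. The PRF, the min/max ordering of MAC addresses and random numbers, the 16-byte TEK/TMK split, the PMKID construction and the AP's lookup of PMK_R1 by PMKID are assumptions modelled on 802.11, since the page only says "a hash algorithm"; all values are constructed.

```python
import hashlib
import hmac

TEK_LEN = TMK_LEN = 16  # encryption key and digest key halves of the PTK (Table 1 / Table 2)


def prf(key, label, data, length):
    """Counter-mode HMAC-SHA256 PRF (assumed; the patent only says 'a hash algorithm')."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha256).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk, ap_mac, ap_nonce, sta_mac, sta_nonce):
    """Min/max ordering makes the result independent of which side computes it,
    so the STA (step S305) and the first AP (step S308) obtain the same PTK."""
    macs = min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
    nonces = min(ap_nonce, sta_nonce) + max(ap_nonce, sta_nonce)
    ptk = prf(pmk, b"Pairwise key expansion", macs + nonces, TEK_LEN + TMK_LEN)
    return {"tek": ptk[:TEK_LEN], "tmk": ptk[TEK_LEN:]}


def pmkid(pmk, ap_mac, sta_mac):
    """Feature value of the PMK reported for the first AP (hash over PMK, AP MAC, STA MAC)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def sta_prepare(sta_mac, sta_nonce, pmk_r1, ap_feature, validity):
    """Steps S304/S305: the Table 1 entry the STA keeps for one neighbouring first AP."""
    ptk = derive_ptk(pmk_r1, ap_feature["mac"], ap_feature["nonce"], sta_mac, sta_nonce)
    return {"ap_mac": ap_feature["mac"], "sta_nonce": sta_nonce, "ap_nonce": ap_feature["nonce"],
            "pmkid": pmkid(pmk_r1, ap_feature["mac"], sta_mac), "pmk_r1": pmk_r1,
            "tek": ptk["tek"], "tmk": ptk["tmk"], "validity": validity}


def ap_prepare(ap_mac, ap_nonce, pmk_by_pmkid, sta_feature, validity):
    """Step S308: the Table 2 entry; the AP selects its PMK_R1 for this STA by the reported
    PMKID (assumed lookup table, in practice supplied via the AC)."""
    pmk_r1 = pmk_by_pmkid.get(sta_feature["pmkid"])
    if pmk_r1 is None:
        return None  # unknown PMKID: no prepared key, the STA must use the normal access procedure
    ptk = derive_ptk(pmk_r1, ap_mac, ap_nonce, sta_feature["mac"], sta_feature["nonce"])
    return {"sta_mac": sta_feature["mac"], "ap_nonce": ap_nonce, "pmkid": sta_feature["pmkid"],
            "pmk_r1": pmk_r1, "tek": ptk["tek"], "tmk": ptk["tmk"], "validity": validity}


def simulate_preparation():
    """Walk steps S302 to S308 with constructed values; returns the two cache entries."""
    ap_mac, sta_mac = bytes.fromhex("02aa000000a1"), bytes.fromhex("02bb0000005a")
    ap_nonce, sta_nonce = bytes(range(32)), bytes(range(32, 64))  # constructed; normally random
    pmk_r1 = hashlib.sha256(b"constructed PMK_R1 for the first AP").digest()
    ap_feature = {"mac": ap_mac, "nonce": ap_nonce}  # S302/S303: relayed by the fast roaming device
    sta_entry = sta_prepare(sta_mac, sta_nonce, pmk_r1, ap_feature, validity=3600)
    # S306/S307: the fast roaming device relays the STA feature information to the first AP
    sta_feature = {"mac": sta_mac, "nonce": sta_nonce, "pmkid": sta_entry["pmkid"]}
    ap_entry = ap_prepare(ap_mac, ap_nonce, {sta_entry["pmkid"]: pmk_r1}, sta_feature, validity=3600)
    return sta_entry, ap_entry


if __name__ == "__main__":
    sta_entry, ap_entry = simulate_preparation()
    print("same TEK:", sta_entry["tek"] == ap_entry["tek"], "same TMK:", sta_entry["tmk"] == ap_entry["tmk"])
```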
In practical applications, a cache list is also built in the AP, as shown in Table 2 below:
Table 2 (the table appears as an image in the original; its columns are listed below)
Each row of the table lists the MAC address of the STA, the random number generated by the first AP, the PMKID, PMK_R1, the encryption key, the digest key and the validity time. The encryption key is the TEK in the PTK, and the digest key is the TMK in the PTK. It should be noted that the entries in the table may be pruned according to the parameters actually required for accessing the AP.
In practical application, once every entry in the cache list is filled, link authentication, access authentication and key agreement between the STA and the AP are regarded as completed. The fast roaming device may also inform the STA and the AP that link authentication, access authentication and key agreement are complete.
As described above, in the roaming process this embodiment simplifies the access procedure and uses the fast roaming device to carry out the information exchange between the STA and the AP: each side obtains the other's MAC address, the PMK is configured, and the PTK is generated. It follows that link authentication, access authentication and key agreement have been completed through the interaction of the fast roaming device with the STA and with each AP in steps S302 to S308 above.
Step S309: after the STA determines to switch from the second AP to the first AP, the STA encrypts the data message by using the PTK and sends the encrypted data message to the first AP.
In this embodiment, the data packet includes data and a data digest. The data digest extracts fingerprint information from the whole of the data to support data signing, data integrity checking and similar functions. A data digest algorithm is also called a hash algorithm; common ones are the Cyclic Redundancy Check (CRC), Message Digest Algorithm 5 (MD5) and the Secure Hash Algorithm (SHA).
Specifically, with the Advanced Encryption Standard (AES), the Cipher Block Chaining Message Authentication Code (CBC-MAC) may be used as the digest.
Further, referring to fig. 18, the data packet is generated as follows:
the data is processed with a data digest algorithm to obtain the data digest, which is appended after the data;
an 802.11 header is added in front of the data;
a Frame Check Sequence (FCS for short) is appended after the data digest.
In practical applications, the STA may decide whether to hand over and which AP to hand over to based on signal strength or the busy level of the channel.
Specifically, the STA encrypting the data message with the PTK may include:
encrypting the data message with the PTK of the first AP that the STA has determined to switch to.
Step S310: the first AP receives the encrypted data message, decrypts it with the PTK, and obtains the decrypted data and data digest.
Specifically, step S310 may include:
selecting the PTK according to the MAC address of the STA and decrypting the encrypted data message with it to obtain the decrypted data digest and data.
Step S311: the first AP processes the decrypted data with the data digest algorithm and compares the calculated data digest with the decrypted data digest.
As described above, in the roaming process association is reduced to checking that the data transmitted between the STA and the AP is correct. When the calculated data digest matches the decrypted data digest, the wireless link between the STA and the first AP is shown to carry data securely and accurately, so association between the STA and the first AP is completed and the STA has accessed the first AP.
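Added example (not the patent's or Huawei's code) for steps S309 to S311: the STA builds the frame of fig. 18 and encrypts data plus digest with the PTK; the first AP selects the PTK by STA MAC address, decrypts, recomputes the digest and completes association only when the digests match. HMAC-SHA256 stands in for the CBC-MAC digest and an HMAC-based keystream stands in for AES so that the code needs only the standard library; the header layout, the use of the header as per-frame nonce and all keys are constructed assumptions.

```python
import hashlib
import hmac
import struct
import zlib

HDR_LEN = 24     # fixed 802.11 data-frame header (constructed layout, see build_header)
DIGEST_LEN = 16  # truncated digest length (assumed)


def digest(tmk, data):
    """Data digest keyed with the TMK; HMAC-SHA256 stands in for the CBC-MAC named by the patent."""
    return hmac.new(tmk, data, hashlib.sha256).digest()[:DIGEST_LEN]


def keystream_xor(tek, nonce, buf):
    """Stand-in symmetric cipher (not AES): XOR with an HMAC-SHA256 counter keystream.
    The same call decrypts; it only keeps the example free of non-stdlib dependencies."""
    out = bytearray()
    for i in range(0, len(buf), 32):
        block = hmac.new(tek, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(buf[i:i + 32], block))
    return bytes(out)


def build_header(sta_mac, ap_mac, seq):
    """Constructed 802.11 header: frame control, duration, addr1=AP, addr2=STA, addr3=AP, seq ctrl."""
    return struct.pack("<HH", 0x0108, 0) + ap_mac + sta_mac + ap_mac + struct.pack("<H", seq << 4)


def sta_build_frame(ptk, sta_mac, ap_mac, seq, data):
    """Step S309 / fig. 18: digest appended behind the data, header in front, FCS last;
    data and digest are encrypted with the PTK before the FCS is computed."""
    header = build_header(sta_mac, ap_mac, seq)
    body = data + digest(ptk["tmk"], data)
    frame = header + keystream_xor(ptk["tek"], header, body)  # header used as per-frame nonce (assumed)
    return frame + struct.pack("<I", zlib.crc32(frame))


def ap_receive_frame(ptk_cache, frame):
    """Steps S310/S311 at the first AP. ptk_cache is Table 2 keyed by STA MAC address.
    Returns (association_completed, data); data is None whenever a check fails."""
    if len(frame) < HDR_LEN + DIGEST_LEN + 4:
        return False, None
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        return False, None            # corrupted on the air; the CRC is not an integrity guarantee
    header, enc = body[:HDR_LEN], body[HDR_LEN:]
    entry = ptk_cache.get(header[10:16])  # addr2 = transmitting STA selects the PTK (step S310)
    if entry is None:
        return False, None            # no prepared PTK: the STA must use the normal access procedure
    plain = keystream_xor(entry["tek"], header, enc)
    data, recv_digest = plain[:-DIGEST_LEN], plain[-DIGEST_LEN:]
    # constant-time comparison so the check does not leak how many digest bytes matched
    if not hmac.compare_digest(digest(entry["tmk"], data), recv_digest):
        return False, None            # digests differ: association is not completed
    return True, data


def tamper_frame(frame, offset):
    """Flip one bit of the encrypted body and refresh the FCS, modelling a modified frame
    that still passes the CRC; only the keyed digest detects it."""
    body = bytearray(frame[:-4])
    body[offset] ^= 0x01
    return bytes(body) + struct.pack("<I", zlib.crc32(bytes(body)))


if __name__ == "__main__":
    ptk = {"tek": bytes(range(16)), "tmk": bytes(range(16, 32))}  # constructed PTK from steps S305/S308
    sta, ap = bytes.fromhex("02bb0000005a"), bytes.fromhex("02aa000000a1")
    frame = sta_build_frame(ptk, sta, ap, 1, b"hello from the roaming STA")
    print(ap_receive_frame({sta: ptk}, frame))                    # (True, b'hello from the roaming STA')
    print(ap_receive_frame({sta: ptk}, tamper_frame(frame, 30)))  # (False, None)
```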
According to the embodiment of the invention, after the STA accesses the second AP, the information such as the MAC address, the PMK, the PTK and the like of the wireless link is interactively established between the STA and the first AP serving as the neighbor of the second AP, so that the link authentication, the access authentication and the key negotiation in the process of accessing the STA into the first AP are completed, and the time consumed by information interaction in the roaming process of the STA is greatly reduced. Meanwhile, when the STA determines to switch to the first AP, the AP completes association between the STA and the first AP according to whether the internal information of the first data message sent by the STA to the AP is consistent, so that no time is consumed in the roaming process of the STA (namely the roaming switching time is reduced to 0), the switching process is fast, the service requirements of VoIP and the like can be completely met, and the user experience is effectively guaranteed.
The execution of the above steps may be performed by the base station according to the aforementioned software program. For example, step S302 is performed by the fast roaming device according to the AP information obtaining module in fig. 3, step S303 is performed by the fast roaming device according to the AP information transmitting module in fig. 3, steps S304 and S305 are performed by the STA according to the access preparation module in fig. 6, step S306 is performed by the fast roaming device according to the STA information obtaining module in fig. 3, step S307 is performed by the fast roaming device according to the STA information transmitting module in fig. 3, step S308 is performed by the first AP according to the access preparation module in fig. 4, step S309 is performed by the STA according to the access completion module in fig. 5, step S310 is performed by the first AP according to the message receiving module and the decryption module in fig. 4, and step S311 is performed by the first AP according to the determination module in fig. 4.
Referring to fig. 19, an embodiment of the present invention provides a fast roaming apparatus, which may be implemented by software, hardware, or a combination of the two as all or a part of a base station. The device includes: AP information acquisition section 602, AP information transmission section 603, STA information acquisition section 604, and STA information transmission section 605.
The AP information obtaining unit 602 is configured to obtain feature information of the first AP, where the feature information of the first AP includes a MAC address of the first AP and a random number generated by the first AP. The AP information sending unit 603 is configured to send, to the STA, the feature information of a first AP after it is determined that the STA accesses a second AP, where the first AP is a neighbor of the second AP, so that the STA generates and sends a random number, and generates a PTK based on the random number generated by the STA, the MAC address of the STA, the PMK, and the feature information of the first AP. The STA information obtaining unit 604 is configured to obtain STA feature information, where the STA feature information includes a MAC address of the STA, a random number generated by the STA, and a feature value of the PMK. The STA information sending unit 605 is configured to send the feature information of the STA to the first AP, so that the first AP generates the PTK based on the feature information of the STA and the feature information of the first AP, and link authentication, access authentication, and key agreement between the STA and the first AP are completed.
Alternatively, the apparatus may be provided on the AP or on an access controller AC, the AC being used to control and manage the AP.
According to the embodiment of the invention, after the STA accesses the second AP, the information such as the MAC address, the PMK, the PTK and the like of the wireless link is interactively established between the STA and the first AP serving as the neighbor of the second AP, so that the link authentication, the access authentication and the key negotiation in the process of accessing the STA into the first AP are completed, and the time consumed by information interaction in the roaming process of the STA is greatly reduced.
Referring to fig. 20, an embodiment of the present invention provides an AP, which may be implemented by software, hardware, or a combination of both, as all or part of a base station. The AP includes: an access preparation unit 701, a message receiving unit 702, a decryption unit 703 and a determination unit 704.
The access preparation unit 701 is configured to complete link authentication, access authentication, and key agreement with the STA, and obtain an MAC address, a PMK, and a PTK of the STA. The message receiving unit 702 is configured to receive a data message encrypted by using a PTK and sent by an STA after determining that the STA is switched to the AP from a second AP, where the AP is a neighbor of the second AP. The decryption unit 703 is configured to decrypt the encrypted data packet by using the PTK. The determining unit 704 is configured to complete association between the STA and the AP according to whether the decrypted internal information of the data packet is consistent.
Optionally, the determining unit 704 may be configured to process the decrypted data with a data digest algorithm to obtain a calculated data digest; compare the calculated data digest with the decrypted data digest; and, when the calculated data digest is consistent with the decrypted data digest, complete the association between the STA and the first AP.
According to the embodiment of the invention, before the STA determines to be switched from the second AP to the AP, link authentication, access authentication and key agreement with the STA are completed to obtain the MAC address, the PMK and the PTK of the STA, after the STA determines to be switched from the second AP to the AP, the data message sent by the STA after being encrypted by the PTK is received, the PTK is used for decrypting the encrypted data message, and the association between the STA and the first AP is completed according to whether the internal information of the decrypted data message is consistent, so that no time is consumed in the roaming process of the STA (namely the time for roaming switching is reduced to 0), the switching process is fast, the service requirements of VoIP and the like can be completely met, and the user experience is effectively guaranteed.
Referring to fig. 21, an embodiment of the present invention provides an STA, which may be implemented by software, hardware, or a combination of both as all or part of a base station. The STA comprises: an access preparation unit 801 and an access completion unit 803.
The access preparation unit 801 is configured to complete link authentication, access authentication, and key agreement with the first AP after accessing the second AP, to obtain the MAC address, the PMK, and the PTK of the first AP, where the first AP is a neighbor of the second AP. The access completion unit 803 is configured to send the data packet encrypted by using the PTK to the first AP after determining to switch to the first AP.
According to the embodiment of the invention, before the STA determines to switch from the second AP to the first AP, link authentication, access authentication and key agreement with the first AP are completed to obtain the MAC address, the PMK and the PTK of the first AP; after the STA determines to switch from the second AP to the first AP, the data message encrypted by the PTK is sent to the first AP, so that the first AP decrypts the encrypted data message with the PTK and completes association between the STA and the first AP according to whether the internal information of the decrypted data message is consistent. Thus no time is consumed in the roaming process of the STA (namely the roaming switching time is reduced to 0), the switching process is fast, the service requirements of VoIP and the like can be completely met, and the user experience is effectively guaranteed.
Referring to fig. 22a and fig. 22b, the fast roaming system provided by the embodiment of the present invention is shown, and the system includes a fast roaming apparatus 901, an STA902, at least one first AP904, and a second AP 903, where the first AP904 is a neighbor of the second AP 903.
Specifically, the fast roaming apparatus 901 may be the same as the fast roaming apparatus provided in the embodiment shown in fig. 19, the STA902 may be the same as the STA provided in the embodiment shown in fig. 21, and the first AP904 may be the same as the AP provided in the embodiment shown in fig. 20, and will not be described in detail herein.
Optionally, when the fast roaming device 901 is disposed on the AC or is independent of the AC and the AP, the fast roaming device 901 is in wired connection with the first AP904 and the second AP 903, the first AP904 is in wired connection with the second AP 903, and the STA902 is in wireless connection with the first AP 904; when the fast roaming device 901 is set on an AP, a first AP904 is in wired connection with a second AP 903, and the STA902 is in wireless connection with the first AP 904.
According to the embodiment of the invention, after the STA accesses the second AP, the information such as the MAC address, the PMK, the PTK and the like of the wireless link is interactively established between the STA and the first AP serving as the neighbor of the second AP, so that the link authentication, the access authentication and the key negotiation in the process of accessing the STA into the first AP are completed, and the time consumed by information interaction in the roaming process of the STA is greatly reduced. Meanwhile, when the STA determines to switch to the first AP, the AP completes association between the STA and the first AP according to whether the internal information of the first data message sent by the STA to the AP is consistent, so that no time is consumed in the roaming process of the STA (namely the roaming switching time is reduced to 0), the switching process is fast, the service requirements of VoIP and the like can be completely met, and the user experience is effectively guaranteed.
It should be noted that: in the fast roaming device and the fast roaming system provided in the above embodiments, only the division of the above functional modules is used for illustration when fast roaming is performed, and in practical applications, the above function allocation may be completed by different functional modules according to needs, that is, the internal information structures of the device and the system are divided into different functional modules, so as to complete all or part of the above described functions. In addition, the fast roaming device, the fast roaming system and the fast roaming method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (10)

1. A fast roaming method, characterized in that the method comprises:
the method comprises the steps that a fast roaming device obtains feature information of a first Access Point (AP), wherein the feature information of the first AP comprises a Medium Access Control (MAC) address of the first AP and a random number generated by the first AP;
after determining that a mobile Station (STA) accesses a second AP, the fast roaming device sends characteristic information of a first AP to the STA, wherein the first AP is a neighbor of the second AP;
the STA generates and sends a random number, and generates a Pairwise Transient Key (PTK) based on the random number generated by the STA, the MAC address of the STA, a Pairwise Master Key (PMK) and the characteristic information of the first AP;
the fast roaming device acquires the feature information of the STA, wherein the feature information of the STA comprises the MAC address of the STA, the random number generated by the STA and the feature value of the PMK;
the fast roaming device sends the feature information of the STA to the first AP;
the first AP generates the PTK based on the feature information of the STA and the feature information of the first AP, and link authentication, access authentication and key agreement between the STA and the first AP are completed;
after determining to switch to the first AP, the STA sends a data message encrypted by the PTK to the first AP, wherein the data message comprises data and a data digest;
the first AP decrypts the encrypted data message by adopting the PTK;
the first AP calculates the decrypted data by adopting a data digest algorithm to obtain a calculated data digest;
the first AP compares the calculated data digest with the decrypted data digest;
when the calculated data digest is consistent with the decrypted data digest, the association between the STA and the first AP is completed.
2. The method according to claim 1, wherein the characteristic information of the first AP further includes at least one of an encryption scheme of the first AP, a frequency point of the first AP, and a bandwidth of the first AP.
3. A fast roaming method, characterized in that the method comprises:
the method comprises the steps that a fast roaming device obtains feature information of a first Access Point (AP), wherein the feature information of the first AP comprises a Medium Access Control (MAC) address of the first AP and a random number generated by the first AP;
after determining that a mobile Station (STA) accesses a second AP, the fast roaming device sends feature information of a first AP to the STA, wherein the first AP is a neighbor of the second AP, the STA generates and sends a random number, and a Pairwise Transient Key (PTK) is generated based on the random number generated by the STA, the MAC address of the STA, a Pairwise Master Key (PMK) and the feature information of the first AP;
the fast roaming device acquires the feature information of the STA, wherein the feature information of the STA comprises the MAC address of the STA, the random number generated by the STA and the feature value of the PMK;
the fast roaming device sends the feature information of the STA to the first AP, so that the first AP generates the PTK based on the feature information of the STA and the feature information of the first AP, and link authentication, access authentication and key agreement between the STA and the first AP are completed.
4. A fast roaming method, characterized in that the method comprises:
the first access point AP generates a pairwise transient key PTK based on the characteristic information of the mobile station STA and the characteristic information of the first AP, completes link authentication, access authentication and key negotiation with the STA to obtain the MAC address of the STA, a pairwise master key PMK and the PTK, wherein the STA characteristic information is transmitted by a fast roaming device, the STA characteristic information comprises the STA MAC address, the random number generated and transmitted by the STA, and the characteristic value of the PMK, the PTK is generated by the STA based on the random number generated by the STA, the MAC address of the STA, the PMK and the characteristic information of the first AP, the characteristic information of the first AP is transmitted to the STA by the fast roaming device after determining that the STA accesses the second AP, the characteristic information of the first AP comprises a MAC address of the first AP and a random number generated by the first AP;
the first AP receives a data message which is sent by the STA after the STA is determined to be switched from a second AP to the first AP and encrypted by the PTK, wherein the first AP is a neighbor of the second AP, and the data message comprises data and a data digest;
the first AP decrypts the encrypted data message by adopting the PTK;
the first AP calculates the decrypted data by adopting a data digest algorithm to obtain a calculated data digest;
the first AP compares the calculated data digest with the decrypted data digest;
when the calculated data digest is consistent with the decrypted data digest, the association between the STA and the first AP is completed.
5. A fast roaming system is characterized in that the system comprises a fast roaming device, a mobile station STA, a first access point AP and a second AP, wherein the first AP is a neighbor of the second AP;
the fast roaming device is configured to acquire feature information of a first AP, and send the feature information to the STA after determining that the STA accesses a second AP, where the feature information of the first AP includes a MAC address of the first AP and a random number generated by the first AP;
the STA is used for generating and sending a random number, and generating a Pairwise Transient Key (PTK) based on the random number generated by the STA, the MAC address of the STA, a Pairwise Master Key (PMK) and the characteristic information of the first AP;
the fast roaming device is further configured to obtain feature information of the STA and send the feature information to the first AP, where the feature information of the STA includes an MAC address of the STA, a random number generated by the STA, and a feature value of the PMK;
the first AP is used for generating the PTK based on the feature information of the STA and the feature information of the first AP, and link authentication, access authentication and key agreement between the STA and the first AP are completed;
the STA is further configured to send a data packet encrypted by using the PTK to the first AP after the STA is determined to be switched to the first AP, where the data packet includes data and a data digest;
the first AP is further used for decrypting the encrypted data message by adopting the PTK; calculating the decrypted data by adopting a data digest algorithm to obtain a calculated data digest; comparing the calculated data digest with the decrypted data digest; when the calculated data digest is consistent with the decrypted data digest, the association between the STA and the first AP is completed.
6. The system according to claim 5, wherein the characteristic information of the first AP further includes at least one of an encryption scheme of the first AP, a frequency point of the first AP, and a bandwidth of the first AP.
7. A fast roaming apparatus, characterized in that the apparatus comprises:
an AP information obtaining unit, configured to obtain feature information of a first AP, where the feature information of the first AP includes a MAC address of the first AP and a random number generated by the first AP;
an AP information sending unit, configured to send feature information of a first AP to a mobile Station (STA) after the STA is determined to access a second AP, where the first AP is a neighbor of the second AP, enable the STA to generate and send a random number, and generate a Pairwise Transient Key (PTK) based on the random number generated by the STA, the MAC address of the STA, a Pairwise Master Key (PMK), and the feature information of the first AP;
an STA information obtaining unit, configured to obtain feature information of the STA, where the feature information of the STA includes an MAC address of the STA, a random number generated by the STA, and a feature value of the PMK;
an STA information sending unit, configured to send feature information of the STA to the first AP, so that the first AP generates the PTK based on the feature information of the STA and the feature information of the first AP, and link authentication, access authentication, and key agreement between the STA and the first AP are completed.
8. A first access point, AP, wherein the first AP comprises:
an access preparation unit, configured to generate a pairwise transient key PTK based on the feature information of the mobile station STA and the feature information of the first AP, complete link authentication, access authentication, and key agreement with the STA, and obtain a MAC address of the STA, a pairwise master key PMK, and the PTK, wherein the STA characteristic information is transmitted by a fast roaming device, the STA characteristic information comprises the STA MAC address, the random number generated and transmitted by the STA, and the characteristic value of the PMK, the PTK is generated by the STA based on the random number generated by the STA, the MAC address of the STA, the PMK and the characteristic information of the first AP, the characteristic information of the first AP is transmitted to the STA by the fast roaming device after determining that the STA accesses the second AP, the characteristic information of the first AP comprises a MAC address of the first AP and a random number generated by the first AP;
a message receiving unit, configured to receive a data message encrypted by using the PTK and sent by the STA after determining that the STA is switched from a second AP to the first AP, where the first AP is a neighbor of the second AP, and the data message includes data and a data digest;
the decryption unit is used for decrypting the encrypted data message by adopting the PTK;
the determining unit is used for calculating the decrypted data by adopting a data digest algorithm to obtain a calculated data digest; comparing the calculated data digest with the decrypted data digest; when the calculated data digest is consistent with the decrypted data digest, the association between the STA and the first AP is completed.
9. A fast roaming apparatus, characterized in that the apparatus comprises a processor, a memory and a communication interface; the memory is used for storing software programs, and the processor realizes the following by running or executing the software programs stored in the memory:
acquiring feature information of a first Access Point (AP), wherein the feature information of the first AP comprises a Media Access Control (MAC) address of the first AP and a random number generated by the first AP;
after determining that a mobile Station (STA) accesses a second AP, transmitting characteristic information of the first AP to the STA, wherein the first AP is a neighbor of the second AP, enabling the STA to generate and transmit a random number, and generating a Pairwise Transient Key (PTK) based on the random number generated by the STA, the MAC address of the STA, a Pairwise Master Key (PMK) and the characteristic information of the first AP;
acquiring the feature information of the STA, wherein the feature information of the STA comprises the MAC address of the STA, a random number generated by the STA and a feature value of the PMK;
and sending the feature information of the STA to the first AP, enabling the first AP to generate the PTK based on the feature information of the STA and the feature information of the first AP, and completing link authentication, access authentication and key agreement between the STA and the first AP.
10. A first access point, AP, wherein the first AP comprises a processor, a memory, and a communication interface; the memory is used for storing software programs, and the processor realizes the following by running or executing the software programs stored in the memory:
generating a pairwise temporary key PTK based on the characteristic information of the STA and the characteristic information of the first AP, completing link authentication, access authentication and key agreement with the STA, obtaining the MAC address of the STA, a pairwise master key PMK and the PTK, wherein the STA characteristic information is transmitted by a fast roaming device, the STA characteristic information comprises the STA MAC address, the random number generated and transmitted by the STA, and the characteristic value of the PMK, the PTK is generated by the STA based on the random number generated by the STA, the MAC address of the STA, the PMK and the characteristic information of the first AP, the characteristic information of the first AP is transmitted to the STA by the fast roaming device after determining that the STA accesses the second AP, the characteristic information of the first AP comprises a MAC address of the first AP and a random number generated by the first AP;
receiving a data message which is sent by the STA after the STA is determined to be switched from a second AP to the first AP and encrypted by the PTK, wherein the first AP is a neighbor of the second AP, and the data message comprises data and a data digest;
decrypting the encrypted data message by using the PTK;
computing a digest of the decrypted data with a digest algorithm to obtain a calculated data digest;
comparing the calculated data digest with the decrypted data digest;
when the calculated data digest is consistent with the decrypted data digest, the association between the STA and the first AP is completed.
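The first-AP procedure of claim 10, as an added Python example that is not part of the patent: the PTK is derived from the PMK, both MAC addresses and both random numbers, the STA encrypts the data together with its digest, and the first AP decrypts, recomputes the digest and compares it in constant time, rejecting the frame on mismatch. The KDF (an HMAC-SHA256 PRF), the stand-in keystream cipher and SHA-256 as the digest algorithm are assumptions, since the patent names the inputs but not the algorithms; the PMK, addresses and random numbers are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the patent): the PMK plus the MAC
# addresses and random numbers that the claims call "feature information".
PMK = hashlib.sha256(b"constructed-pmk").digest()
STA_MAC = bytes.fromhex("020000000001")
AP1_MAC = bytes.fromhex("020000000002")
STA_NONCE = bytes(range(32))          # random number generated by the STA
AP1_NONCE = bytes(range(32, 64))      # random number generated by the first AP

def derive_ptk(pmk, sta_mac, ap_mac, sta_nonce, ap_nonce):
    """PTK from the PMK, both MAC addresses and both random numbers.
    The KDF itself is an assumption (an HMAC-SHA256 PRF in the spirit of
    the 802.11 PRF); the patent only names the inputs."""
    # Order each pair so STA and AP derive the same key regardless of role.
    context = (min(sta_mac, ap_mac) + max(sta_mac, ap_mac)
               + min(sta_nonce, ap_nonce) + max(sta_nonce, ap_nonce))
    return hmac.new(pmk, b"Pairwise key expansion" + context, hashlib.sha256).digest()

def keystream_xor(key, iv, data):
    """Stand-in cipher: HMAC-SHA256 counter keystream XORed with the data.
    Placeholder for the real 802.11 frame cipher, not the patent's choice."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, iv + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def sta_build_message(ptk, data, iv):
    """STA side: append the SHA-256 digest of the data and encrypt
    (data || digest) with the PTK; the 12-byte IV travels in clear in front."""
    return iv + keystream_xor(ptk, iv, data + hashlib.sha256(data).digest())

def ap_accept_message(ptk, message):
    """First-AP side (claim 10): decrypt, recompute the digest, compare.
    Returns the data when the digests match (association completes), else None."""
    plain = keystream_xor(ptk, message[:12], message[12:])
    data, received_digest = plain[:-32], plain[-32:]
    if not hmac.compare_digest(hashlib.sha256(data).digest(), received_digest):
        return None   # mismatch: reject the frame, association not completed
    return data

if __name__ == "__main__":
    # Both sides hold the same inputs (the STA's were relayed by the roaming device).
    ptk = derive_ptk(PMK, STA_MAC, AP1_MAC, STA_NONCE, AP1_NONCE)
    msg = sta_build_message(ptk, b"first frame after roaming", b"\x00" * 12)
    print(ap_accept_message(ptk, msg))
```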
CN201610640221.4A 2016-08-05 2016-08-05 Fast roaming method, device, system, access point and mobile station Active CN107690138B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610640221.4A CN107690138B (en) 2016-08-05 2016-08-05 Fast roaming method, device, system, access point and mobile station

Publications (2)

Publication Number Publication Date
CN107690138A CN107690138A (en) 2018-02-13
CN107690138B true CN107690138B (en) 2020-08-14

Family

ID=61152050

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610640221.4A Active CN107690138B (en) 2016-08-05 2016-08-05 Fast roaming method, device, system, access point and mobile station

Country Status (1)

Country Link
CN (1) CN107690138B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110891272B (en) * 2018-09-10 2022-12-09 奇点新源国际技术开发(北京)有限公司 Wireless network access authentication method and device
CN111328066B (en) * 2018-12-14 2023-09-01 中国电信股份有限公司 Heterogeneous wireless network fast roaming method and system, master and slave access point devices
CN109462875B (en) 2019-01-16 2020-10-27 展讯通信(上海)有限公司 Wireless roaming method, access point device and mobile station
CN109890029B (en) * 2019-01-29 2022-06-03 珠海迈科智能科技股份有限公司 Automatic network distribution method of intelligent wireless equipment
CN111479248B (en) * 2020-03-19 2022-03-01 烽火通信科技股份有限公司 Fast roaming automatic configuration method and system
CN116508292A (en) * 2020-12-03 2023-07-28 Oppo广东移动通信有限公司 Access authentication method, device, equipment and storage medium
CN114745718A (en) * 2021-01-07 2022-07-12 华为技术有限公司 Roaming control method in local area network and related device thereof
CN113316141B (en) * 2021-05-21 2022-11-18 中国联合网络通信集团有限公司 Wireless network access method, sharing server and wireless access point
US11902775B2 (en) 2021-05-28 2024-02-13 Cisco Technology, Inc. Encrypted nonces as rotated device addresses
CN114173334A (en) * 2021-10-26 2022-03-11 新华三大数据技术有限公司 Method for accessing AP, AP and storage medium
CN116156493A (en) * 2021-11-23 2023-05-23 华为技术有限公司 Roaming method and system
CN116709208A (en) * 2022-02-24 2023-09-05 华为技术有限公司 WLAN system, wireless communication method and device
CN114786177B (en) * 2022-04-07 2023-05-30 武汉联影医疗科技有限公司 Edge node access processing method, mobile terminal and edge node

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7480939B1 (en) * 2000-04-28 2009-01-20 3Com Corporation Enhancement to authentication protocol that uses a key lease
CN101111056B (en) * 2006-07-17 2010-05-12 西安电子科技大学 Fast switching method for wireless local area network
CN103888941A (en) * 2012-12-20 2014-06-25 杭州华三通信技术有限公司 Method and device for key negotiation of wireless network

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7275157B2 (en) * 2003-05-27 2007-09-25 Cisco Technology, Inc. Facilitating 802.11 roaming by pre-establishing session keys
CN1298194C (en) * 2004-03-22 2007-01-31 西安电子科技大学 Radio LAN security access method based on roaming key exchange authentication protocal

Also Published As

Publication number Publication date
CN107690138A (en) 2018-02-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant