CN112887974B - Management frame protection method for WAPI wireless network - Google Patents
- Publication number
- CN112887974B
- Authority
- CN
- China
- Prior art keywords
- wapi
- management frame
- signature
- message
- certlet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a management frame protection method for a WAPI wireless network, comprising the following steps: S1, when the sender sends a wireless management frame, it appends three vendor information elements VIE1, VIE2 and VIE3, in that order, to the end of the general management frame body (broadcast and unicast alike) to form a new management frame body; these elements carry, respectively, the sender's identity, the data packet sequence number and the message signature. S2, after receiving the management frame, the receiver first extracts VIE1, VIE2 and VIE3, then checks VIE1 and VIE2 and verifies the signature of the management frame to decide whether the frame is trustworthy. The invention protects unicast and multicast WAPI wireless management frames with one unified method and gives them full-time protection against forgery, tampering and replay.
Description
Technical Field
The invention relates to the technical field of WAPI (WLAN Authentication and Privacy Infrastructure), and in particular to a management frame protection method for a WAPI wireless network.
Background
WAPI (WLAN Authentication and Privacy Infrastructure) is the WLAN security scheme specified in the Chinese national standard GB 15629.11 for wireless local area networks. WAPI identifies the wireless access point (AP) and the wireless terminal (STA) by certificates and authenticates both through a three-element (ternary) peer authentication architecture, which secures wireless access authentication. Beyond access security, wireless security has another important aspect: the security of the wireless control plane, that is, the control and management frames that AP and STA exchange must not be spoofable. If WAPI management frames can be forged, an attacker may lure a STA into associating with a forged AP (authentication will fail, but normal network access is still disrupted), trick the AP into tearing down a connection the STA has established, trick the STA into dropping a connection the AP has established, and so on. As WAPI is deployed more widely in office, industrial and critical-infrastructure settings, the security of the WAPI control plane becomes increasingly important.
CN2010105185237A, "Method for protecting management frame based on WAPI", protects WAPI management frames by using the symmetric key negotiated between STA and AP to encrypt the management frames exchanged between them and to compute an integrity check over them, once STA and AP have completed WAPI authentication and key negotiation. This improves the security of WAPI control-plane management frames, but has the following defects:
(1) Protection is not full-time. Management frames cannot be protected until STA and AP have completed WAPI access authentication and key negotiation, so an attacker still has a window in which to mount disruptive impersonation attacks, for example while a STA is first joining the wireless network or roaming from one AP to another.
(2) Replay remains possible. The management frame of that patent carries a data packet sequence number PN, but the PN is not included in the data that is encrypted or covered by the message authentication code, so an attacker can capture a management frame over the air, increase the PN and resend it.
Disclosure of Invention
The technical problem addressed by the invention is to provide a management frame protection method for a WAPI wireless network that offers full-time management frame protection and resists replay of management frames, thereby solving the "non-full-time protection" and "replay possible" problems of patent CN2010105185237A, "Method for protecting management frame based on WAPI (WLAN Authentication and Privacy Infrastructure)".
The invention is realised by the following technical scheme. A management frame protection method for a WAPI wireless network comprises the following steps:
S1, when the sender sends a wireless management frame, it appends three vendor information elements VIE1, VIE2 and VIE3, in that order, to the end of the general management frame body (broadcast and unicast alike) to form a new management frame body;
S2, after the receiver receives the management frame, the first step is to extract VIE1, VIE2 and VIE3 from the frame;
the second step is to check the WAPI-CertLet: the locally stored AS certificate is used to verify the signature of the WAPI-CertLet carried in VIE1, and the time validity of the WAPI-CertLet is checked;
the third step is to use the public key in VIE1 to verify the signature over the remainder of the management frame body, i.e. everything except VIE3;
the fourth step is to check that the MAC address in VIE1 matches the BSSID of the management frame and, from the PN value in VIE2, that the frame is not a replay; if all of the above checks pass, the management frame is trusted.
In a preferred embodiment, the value field of VIE1 in S1 is the extended attribute WAPI-CertLet of the WAPI certificate, the value field of VIE2 is the frame packet sequence number PN, and the value field of VIE3 is the message signature over the remainder of the new management frame body excluding VIE3.
In a preferred embodiment, the extended attribute WAPI-CertLet of the WAPI certificate in S1 contains a message characteristic value and the identity information of the certificate holder (AP or terminal), carries signature information so that its contents can be verified against tampering, and has a total length not exceeding 250 bytes.
In a preferred embodiment, the content of the extended attribute WAPI-CertLet of the WAPI certificate comprises: the user MAC address, the Validity and Subject of the public key certificate, the public key, and the signature value, where the signature value is obtained by signing all of the WAPI-CertLet content except the signature value itself with the WAPI signature algorithm and parameters specified by the State Cryptography Administration of China.
The beneficial effects of the invention are as follows. Compared with the WAPI-based management frame protection method of patent CN2010105185237A:
(1) The time span of protection differs. The invention provides full-time protection, including the period before STA and AP have completed WAPI access authentication and key agreement. The protection of patent CN2010105185237A is not full-time: before WAPI access authentication and key agreement are complete there is no symmetric key available, so that method cannot protect management frames at all during that period. Full-time management frame protection is one advantage of the invention and gives greater security.
(2) The protection of the frame sequence number PN differs. The invention includes the PN in the content covered by the signature, whereas the method of patent CN2010105185237A does not include the PN in the range covered by the message integrity code (MIC), so the PN can still be modified and replay remains possible. Protecting the integrity of the PN, and thereby preventing replay attacks that modify the PN, is another advantage of the invention.
(3) Encryption of the frame body differs. The invention does not encrypt WAPI wireless management frames, and this does not weaken control-plane security. What management frame protection needs is authenticity, integrity and replay resistance: the frame must not be forgeable, tamperable or replayable. It does not need confidentiality: management frames can technically be public and need no encryption, and even when a management frame is kept secret its effect is observable, so the action it carries can be inferred anyway. Because management frames need not be encrypted, they can be protected for the whole period of interaction between the wireless terminal and the AP. The management frames of patent CN2010105185237A are protected by encrypting the frame body, so protection can only begin after WAPI authentication and key agreement are complete: unicast management frames are encrypted once the WAPI unicast key has been negotiated, and the multicast management frame authentication code is generated with the multicast key once the multicast key has been announced under the unicast key.
Drawings
To illustrate the embodiments of the invention and the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings described below show only some embodiments of the invention; a person skilled in the art can derive other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of a WAPI wireless management frame structure after implementing the present invention;
FIG. 2 is a diagram of a WAPI wireless management frame structure without frame protection;
FIG. 3 is a diagram illustrating the structure of a WAPI certificate with extended WAPI private attributes;
fig. 4 is a schematic diagram of the private extension attribute of the WAPI certificate.
Detailed Description
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
Any feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving equivalent or similar purposes, unless expressly stated otherwise. That is, unless expressly stated otherwise, each feature is only an example of a generic series of equivalent or similar features.
In the description of the present invention, it is to be understood that the terms "one end", "the other end", "outside", "upper", "inside", "horizontal", "coaxial", "central", "end", "length", "outer end", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed in a particular orientation, and be operated, and thus, should not be construed as limiting the present invention.
Further, in the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
The use of terms such as "upper," "above," "lower," "below," and the like in describing relative spatial positions herein is for the purpose of facilitating description of one element's or feature's relationship to another element or feature as illustrated in the figures. The spatially relative terms are intended to encompass different orientations of the device in use or operation in addition to the orientation depicted in the figures. For example, if the device in the figures is turned over, elements described as "below" or "beneath" other elements or features would then be oriented "above" the other elements or features. Thus, the exemplary term "below" can encompass both an orientation of above and below. The device may be otherwise oriented (rotated 90 degrees or at other orientations) and the spatially relative descriptors used herein interpreted accordingly.
In the present invention, unless otherwise explicitly specified or limited, the terms "disposed," "sleeved," "connected," "penetrating," "plugged," and the like are to be construed broadly, e.g., as a fixed connection, a detachable connection, or an integral part; can be mechanically or electrically connected; they may be directly connected or indirectly connected through intervening media, or they may be connected internally or in any other suitable relationship, unless expressly stated otherwise. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
As shown in fig. 1-4, in an embodiment of the management frame protection method for a WAPI wireless network according to the invention, the WAPI certificate contains a private, non-critical certificate extension WAPI-CertLet 400, whose attribute value field contains: the user MAC address 411, the Validity and Subject of the public key certificate together with the public key 412, and the signature value 420. When the WAPI certificate issuing system issues a certificate for an AP or a terminal, it obtains the signature value 420 by applying the signature algorithm and parameters defined by the WAPI standard to the signed content 410, which consists of the user MAC address 411, the certificate Validity and Subject, and the public key 412. Adding the private extension attribute WAPI-CertLet 300 for the WAPI wireless application field to the WAPI user certificate, with its criticality flag set to non-critical, relies on the existing X.509 certificate extension mechanism. So that the WAPI-CertLet fits inside a wireless management frame, its length is kept below 250 bytes, which is achievable with an ordinary WAPI certificate.
When a sender sends a wireless management frame, three vendor information elements VIE1 120, VIE2 130 and VIE3 140 are appended, in that order, to the end of the general management frame body 200 (broadcast and unicast alike) to form the new management frame body 100, where the value field of VIE1 is the WAPI-CertLet 300, the value field of VIE2 is the frame packet sequence number PN, and the value field of VIE3 is the message signature 140 over the remainder 123 of the new management frame body 100, i.e. everything except VIE3. After receiving the management frame, the receiver first extracts VIE1 120, VIE2 130 and VIE3 140; second, it checks the WAPI-CertLet carried in VIE1, using the locally stored AS certificate to verify the CertLet's signature and checking the CertLet's time validity; third, it uses the public key in VIE1 to verify the signature over the remainder 123 of the frame body excluding VIE3 140; fourth, it checks that the MAC address in VIE1 matches the BSSID of the management frame and, from the PN value in VIE2 130, that the frame is not a replay. If every check passes, the management frame is trusted; if any check fails, further checking stops, the frame is judged untrustworthy and it is discarded.
The invention thus provides a WAPI wireless management frame protection method that protects unicast and multicast WAPI management frames with one unified mechanism and gives them full-time protection against forgery, tampering and replay. Three vendor information elements are added to the wireless management frame, carrying respectively a WAPI-CertLet, a packet data sequence number PN and a signature value: the WAPI-CertLet, an extended attribute of the WAPI certificate built on the X.509 certificate extension mechanism, supplies the authentication basis for protecting the management frame; the signature value protects the authenticity of the management frame message; and the PN value gives the management frame replay resistance.
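The sender step S1 and the four receiver steps of S2 described in the disclosure above, and restated in the embodiment just given, as an added, self-contained Go example; this is not code from the patent or from any WAPI implementation. Everything the patent leaves open is an assumption here: the three VIEs are encoded as 802.11 vendor-specific elements (ID 221) with a placeholder OUI and subtype bytes 1, 2 and 3; the WAPI-CertLet is DER-encoded as a small ASN.1 SEQUENCE (MAC, Validity, Subject, public key, AS signature), since the patent places it in an X.509 extension; Ed25519 stands in for the signature algorithm and parameters the patent calls for; the frame body handed to the verifier is assumed to be IE-formatted; and the replay rule is "PN strictly greater than the last PN accepted from this BSSID". The keys, MAC address, timestamps and the SSID element used as the general frame body are all constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed element layout (the patent fixes none of it): ID 221 vendor specific, 1-byte
// length, placeholder 3-byte OUI, 1-byte subtype (1 CertLet, 2 PN, 3 signature), value.
var oui = []byte{0x00, 0x11, 0x22}

func ie(sub byte, v []byte) []byte {
	return append(append([]byte{221, byte(4 + len(v))}, oui...), append([]byte{sub}, v...)...)
}

// CertLet holds the fields the patent lists, DER-encoded since it lives in an X.509
// extension. Ed25519 stands in here for the WAPI signature algorithm (assumption).
type certLetTBS struct {
	MAC                 []byte
	NotBefore, NotAfter int64  // Validity, Unix seconds
	Subject             string `asn1:"utf8"`
	PubKey              []byte // raw Ed25519 public key of the AP or STA
}
type CertLet struct {
	TBS certLetTBS
	Sig []byte // AS signature over DER(TBS)
}

func der(v any) []byte { b, _ := asn1.Marshal(v); return b }

// verify guards the key length because ed25519.Verify panics on a malformed public key.
func verify(pub, m, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, m, sig)
}

// IssueCertLet plays the certificate issuing system: the AS signs the user's fields.
func IssueCertLet(as, user ed25519.PrivateKey, mac []byte, subj string, nb, na int64) *CertLet {
	pk := user.Public().(ed25519.PublicKey)
	c := &CertLet{TBS: certLetTBS{MAC: mac, NotBefore: nb, NotAfter: na, Subject: subj, PubKey: pk}}
	c.Sig = ed25519.Sign(as, der(c.TBS))
	return c
}

// ProtectFrame is S1: append VIE1 (CertLet), VIE2 (PN) and VIE3 (signature over every byte before it).
func ProtectFrame(body []byte, c *CertLet, pn uint64, user ed25519.PrivateKey) ([]byte, error) {
	cl := der(*c)
	if len(cl) > 250 { // the patent's bound, so the CertLet fits in one element
		return nil, errors.New("CertLet exceeds 250 bytes")
	}
	out := append(append([]byte{}, body...), ie(1, cl)...)
	out = append(out, ie(2, binary.BigEndian.AppendUint64(nil, pn))...)
	return append(out, ie(3, ed25519.Sign(user, out))...), nil
}

// Verifier is the receiver: the locally stored AS public key plus the last PN accepted per BSSID.
type Verifier struct {
	ASPub  []byte
	lastPN map[string]uint64
}

// Verify runs S2's four steps over an IE-formatted frame body; any failure discards the frame.
func (r *Verifier) Verify(frame, bssid []byte, now int64) error {
	var vie [4][]byte // step 1: walk the element list; VIE3 must be the final element
	var at [4]int
	for i := 0; i < len(frame); {
		if i+1 >= len(frame) || i+2+int(frame[i+1]) > len(frame) {
			return errors.New("malformed element")
		}
		end := i + 2 + int(frame[i+1])
		if v := frame[i+2 : end]; frame[i] == 221 && len(v) >= 4 && bytes.Equal(v[:3], oui) && v[3] >= 1 && v[3] <= 3 {
			vie[v[3]], at[v[3]] = v[4:], i
		}
		i = end
	}
	if vie[1] == nil || len(vie[2]) != 8 || vie[3] == nil || at[3]+6+len(vie[3]) != len(frame) {
		return errors.New("VIE1/VIE2/VIE3 missing or VIE3 not last")
	}
	c := &CertLet{} // step 2: AS signature and time validity of the CertLet
	rest, err := asn1.Unmarshal(vie[1], c)
	switch {
	case err != nil || len(rest) != 0:
		return errors.New("CertLet malformed")
	case !verify(r.ASPub, der(c.TBS), c.Sig):
		return errors.New("CertLet not signed by AS")
	case now < c.TBS.NotBefore || now > c.TBS.NotAfter:
		return errors.New("CertLet outside validity period")
	case !verify(c.TBS.PubKey, frame[:at[3]], vie[3]): // step 3: frame signature under the CertLet key
		return errors.New("frame signature invalid")
	case !bytes.Equal(c.TBS.MAC, bssid): // step 4: sender identity, then replay
		return errors.New("CertLet MAC does not match BSSID")
	}
	pn := binary.BigEndian.Uint64(vie[2])
	if last, seen := r.lastPN[string(bssid)]; seen && pn <= last {
		return errors.New("replayed PN")
	}
	r.lastPN[string(bssid)] = pn // record only after every check passed
	return nil
}

// NewScenario builds an AS, an AP holding a CertLet from that AS, and a receiver (all constructed).
func NewScenario() (as, ap ed25519.PrivateKey, cl *CertLet, bssid []byte, now int64, r *Verifier) {
	asPub, as, _ := ed25519.GenerateKey(nil)
	_, ap, _ = ed25519.GenerateKey(nil)
	bssid, now = []byte{0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0x01}, 1700000000
	cl = IssueCertLet(as, ap, bssid, "ap-01", now-60, now+3600)
	return as, ap, cl, bssid, now, &Verifier{ASPub: asPub, lastPN: map[string]uint64{}}
}

func main() {
	_, ap, cl, bssid, now, r := NewScenario()
	f, _ := ProtectFrame([]byte{0, 4, 'l', 'a', 'b', '1'}, cl, 1, ap) // body: a constructed SSID element
	fmt.Println("fresh:", r.Verify(f, bssid, now), "| replayed:", r.Verify(f, bssid, now))
}
```

Two details in the receiver are the ones a practitioner would want to check in any real implementation of this scheme: the PN is recorded only after all four checks have passed, so a frame that fails the signature check cannot advance the replay window, and the public key taken out of VIE1 is length-checked before use, because ed25519.Verify panics on a malformed key and an attacker controls that field. As in the patent's description, the signed span is the management frame body up to VIE3; the MAC header is not part of it, and the example signs exactly that span.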
The above description is only an embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that are not thought of through the inventive work should be included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope defined by the claims.
Claims (4)
1. A management frame protection method for a WAPI wireless network, characterised by comprising the following steps:
S1, when the sender sends a wireless management frame, appending three vendor information elements VIE1, VIE2 and VIE3, in that order, to the end of the general management frame body (broadcast and unicast alike) to form a new management frame body, thereby providing the sender identity of the management frame, a data packet sequence number mark and a message signature;
S2, after the receiver receives the management frame, the first step is to extract VIE1, VIE2 and VIE3 from the frame;
the second step is to check the WAPI-CertLet: the locally stored AS certificate is used to verify the signature of the WAPI-CertLet carried in VIE1, and the time validity of the WAPI-CertLet is checked;
the third step is to use the public key in VIE1 to verify the signature over the remainder of the management frame body, i.e. everything except VIE3;
the fourth step is to check that the MAC address in VIE1 matches the BSSID of the management frame and, from the PN value in VIE2, that the frame is not a replay; if the checks pass, the management frame is trusted;
wherein the WAPI-CertLet is a reduced public key certificate for WAPI wireless network applications.
2. The management frame protection method for a WAPI wireless network according to claim 1, wherein: the value field of VIE1 in S1 is the extended attribute WAPI-CertLet of the WAPI certificate, the value field of VIE2 is the frame packet sequence number PN, and the value field of VIE3 is the message signature over the remainder of the new management frame body excluding VIE3.
3. The management frame protection method for a WAPI wireless network according to claim 1, wherein: the extended attribute WAPI-CertLet of the WAPI certificate in S1 contains a message characteristic value and the identity information of the certificate holder (AP or terminal), carries signature information so that its contents can be verified against tampering, and has a total length not exceeding 250 bytes.
4. The management frame protection method for a WAPI wireless network according to claim 1, wherein: the content of the extended attribute WAPI-CertLet of the WAPI certificate comprises the user MAC address, the Validity and Subject of the public key certificate, the public key, and the signature value, where the signature value is obtained by signing all of the WAPI-CertLet content except the signature value itself with the WAPI signature algorithm and parameters specified by the State Cryptography Administration of China.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110093282.4A CN112887974B (en) | 2021-01-23 | 2021-01-23 | Management frame protection method for WAPI wireless network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110093282.4A CN112887974B (en) | 2021-01-23 | 2021-01-23 | Management frame protection method for WAPI wireless network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112887974A CN112887974A (en) | 2021-06-01 |
CN112887974B true CN112887974B (en) | 2022-02-11 |
Family
ID=76050717
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110093282.4A Active CN112887974B (en) | 2021-01-23 | 2021-01-23 | Management frame protection method for WAPI wireless network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112887974B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2024148616A1 (en) * | 2023-01-13 | 2024-07-18 | 北京小米移动软件有限公司 | Wireless communication method and wireless communication device |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050086465A1 (en) * | 2003-10-16 | 2005-04-21 | Cisco Technology, Inc. | System and method for protecting network management frames |
US8713626B2 (en) * | 2003-10-16 | 2014-04-29 | Cisco Technology, Inc. | Network client validation of network management frames |
US7805603B2 (en) * | 2004-03-17 | 2010-09-28 | Intel Corporation | Apparatus and method of protecting management frames in wireless LAN communications |
FR2885753A1 (en) * | 2005-05-13 | 2006-11-17 | France Telecom | COMMUNICATION METHOD FOR WIRELESS NETWORKS BY MANAGEMENT FRAMES COMPRISING AN ELECTRONIC SIGNATURE |
US7881475B2 (en) * | 2005-05-17 | 2011-02-01 | Intel Corporation | Systems and methods for negotiating security parameters for protecting management frames in wireless networks |
US8767758B2 (en) * | 2009-11-03 | 2014-07-01 | Intel Corporation | Apparatus, system and method of prioritizing a management frame of a wireless network |
CN101986726B (en) * | 2010-10-25 | 2012-11-07 | 西安西电捷通无线网络通信股份有限公司 | Method for protecting management frame based on wireless local area network authentication and privacy infrastructure (WAPI) |
US11229023B2 (en) * | 2017-04-21 | 2022-01-18 | Netgear, Inc. | Secure communication in network access points |
US11121871B2 (en) * | 2018-10-22 | 2021-09-14 | International Business Machines Corporation | Secured key exchange for wireless local area network (WLAN) zero configuration |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||