CN1671136A - A method for expanding WLAN authentication protocol - Google Patents

A method for expanding WLAN authentication protocol

Info

Publication number: CN1671136A
Authority: CN (China)
Prior art keywords: frame, agreement, wapi, packet type, new
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN 200410003451
Other languages: Chinese (zh)
Inventor: 钱振宇
Current Assignee: SHENZHEN YIPIN TECH (BEIJING) Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: SHENZHEN YIPIN TECH (BEIJING) Co Ltd
Application filed by SHENZHEN YIPIN TECH (BEIJING) Co Ltd
Priority to: CN 200410003451
Publication of: CN1671136A

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

A method for adding another authentication protocol to the IEEE 802.11 WLAN security standard WAPI (WLAN Authentication and Privacy Infrastructure), in particular an authentication protocol based on a key shared by the access point and the mobile terminal, or one based on EAP (Extensible Authentication Protocol). The method adds the new protocol alongside the original WAPI and provides a selection mechanism between the two, so that access points and mobile terminals with and without the newly added protocol can still authenticate each other. This keeps compatibility with the original WAPI protocol and allows deployed WAPI access points and mobile terminals to be upgraded step by step. For authentication, either the original WAPI or the newly added protocol can be set as forced, or the access point and terminal can be set to negotiate: when both sides support the newly added protocol, WAPI or the newly added protocol is used as negotiated; when one side does not support the newly added protocol, the original WAPI is used.

Description

A method for extending a wireless LAN authentication protocol
Technical field
The present invention relates to a method for implementing a centrally authenticated wireless local area network; in particular, a method by which a client station completes authentication and establishes a connection with the help of an access point and an authentication server, built on the functions supported by the IEEE 802.11 and IEEE 802.11i protocols (IEEE, the Institute of Electrical and Electronics Engineers, issues the IEEE 802.11 and IEEE 802.11i wireless LAN protocols). It belongs to the fields of wireless communication technology and Internet technology.
Background
1. Wireless local area networks
Wireless local area network (WLAN) here refers to wireless networks based on the IEEE 802.11 protocol family. By carrying data over radio signals, a WLAN frees stations from the constraints of cabling. In infrastructure mode, an access point (AP) acts as the central station covering a certain area and connects, over radio, the mobile terminals (MTs) in that area, including notebook computers, desktop computers and handheld devices, to form a local area network; the AP also serves as the portal through which the LAN communicates with the outside world. In other words, a mobile terminal connects only to the access point: communication between a mobile terminal and external networks, and communication between mobile terminals, all passes through the access point.
2. The WEP security standard for wireless LANs
Existing IEEE 802.11 WLANs use WEP (Wired Equivalent Privacy) for authentication and encryption. WEP requires all mobile terminals connected to the same access point to share a single key; the access point authenticates each terminal with this key, and uses this key with the RC4 cipher to encrypt the data traffic between the access point and the terminals. In the encryption process the RC4 key is composed of a fixed part and a variable part: the fixed part is the shared key above; the variable part is called the initialization vector and changes according to certain rules during communication.
WEP has many security problems. For example, because WEP requires all terminals on the same access point to share one key, key management for mobile terminals becomes troublesome: a key leaked from any one terminal compromises every terminal. As another example, it has since been found that the RC4 key schedule as used by WEP is itself flawed: once a certain amount of data has been encrypted, an eavesdropper can progressively recover the key from the ciphertext encrypted under the shared key, and can then decrypt the encrypted data.
3. The WAPI security standard for wireless LANs
The WLAN security standard WAPI (WLAN Authentication and Privacy Infrastructure) in the PRC national standard GB 15629.11-2003 defines authentication and data encryption functions for mobile terminals and access points in new WLANs. WAPI adopts authentication and encryption algorithms with better security properties than RC4; in addition, WAPI produces a different encryption key for each mobile terminal, overcoming the key-management problem of WEP.
At the technical level, WAPI requires every mobile terminal and access point to hold a digital certificate, and introduces an authentication server (AS) connected to all access points (generally by wire) that is responsible for managing and verifying the digital certificates.
Between a mobile terminal and an access point, the WAPI protocol communicates using a proprietary "WAPI (Ethernet) frame" composed of the following six fields:
(authentication protocol type number, version number, authentication packet type, reserved, data length, data)
where
◆ the authentication protocol type number is the proprietary WAPI Ethernet frame type number 0x88B4;
◆ the authentication packet type has the following meanings:
■ "0" denotes the "authentication activation" type mentioned in (1.1); its Ethernet frame is called "WAPI frame/authentication activation";
■ "1" denotes the "access authentication request" type mentioned in (1.2); its Ethernet frame is called "WAPI frame/access authentication request";
■ "2" denotes the "access authentication response" type mentioned in (1.3); its Ethernet frame is called "WAPI frame/access authentication response";
■ "3" denotes the "key negotiation request" type mentioned in (1.6); its Ethernet frame is called "WAPI frame/key negotiation request";
■ "4" denotes the "key negotiation response" type mentioned in (1.7); its Ethernet frame is called "WAPI frame/key negotiation response".
Between an access point and the authentication server, the WAPI protocol communicates over a UDP port using a "WAPI message" composed of the following five fields:
(version number, authentication message type, reserved, data length, data)
where the authentication message type has the following meanings:
■ "5" denotes the "certificate authentication request" type mentioned in (1.4); the message is called "WAPI message/certificate authentication request";
■ "6" denotes the "certificate authentication response" type mentioned in (1.5); the message is called "WAPI message/certificate authentication response".
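The two container formats just listed, as an added worked example (not code from the patent or from any WAPI implementation): an encoder/decoder for the "WAPI frame" and the "WAPI message" that validates the 0x88B4 type number, the packet or message type and the data length before touching the payload. The page gives the order of the fields but not their widths, so the widths used (version 2 bytes, type 1, reserved 1, data length 2, big-endian) and the version value 1 are assumptions; the sample payload is constructed.

```python
"""Encoder/decoder for the two WAPI container formats described above.

Added example; not code from the patent or from any WAPI implementation.
The page gives the field ORDER of the "WAPI frame" (MT <-> AP, Ethernet) and
the "WAPI message" (AP <-> AS, UDP) but not the field widths, so the widths
used here (version 2 bytes, type 1, reserved 1, data length 2, big-endian)
and the version value are ASSUMED for illustration.
"""
import struct

WAPI_ETHERTYPE = 0x88B4  # authentication protocol type number given on the page
WAPI_VERSION = 1         # assumed value

# Authentication packet types of the WAPI frame (steps 1.1-1.3, 1.6, 1.7).
FRAME_TYPES = {
    0: "authentication activation",
    1: "access authentication request",
    2: "access authentication response",
    3: "key negotiation request",
    4: "key negotiation response",
}
# Authentication message types of the WAPI message (steps 1.4, 1.5).
MESSAGE_TYPES = {
    5: "certificate authentication request",
    6: "certificate authentication response",
}

# Assumed header layouts (see module docstring).
_FRAME_HDR = struct.Struct("!HHBBH")  # ethertype, version, type, reserved, data length
_MSG_HDR = struct.Struct("!HBBH")     # version, type, reserved, data length


def _parse(buf, hdr, types, want_ethertype):
    """Shared parser: rejects a short header, a wrong ethertype, an unknown type
    and a data-length field that overruns the buffer; ignores trailing padding."""
    if len(buf) < hdr.size:
        raise ValueError("header truncated")
    fields = hdr.unpack_from(buf)
    if want_ethertype:
        ethertype, fields = fields[0], fields[1:]
        if ethertype != WAPI_ETHERTYPE:
            raise ValueError("not a WAPI frame: ethertype 0x%04x" % ethertype)
    version, pkt_type, _reserved, length = fields
    if pkt_type not in types:
        raise ValueError("unknown type %d" % pkt_type)
    if hdr.size + length > len(buf):
        raise ValueError("data length %d overruns buffer" % length)
    return {
        "version": version,
        "type": pkt_type,
        "name": types[pkt_type],
        "data": bytes(buf[hdr.size:hdr.size + length]),
    }


def build_frame(pkt_type, data, version=WAPI_VERSION):
    """MT <-> AP: (0x88B4, version, packet type, reserved, data length, data)."""
    if pkt_type not in FRAME_TYPES:
        raise ValueError("unknown WAPI frame type %d" % pkt_type)
    return _FRAME_HDR.pack(WAPI_ETHERTYPE, version, pkt_type, 0, len(data)) + data


def parse_frame(buf):
    return _parse(buf, _FRAME_HDR, FRAME_TYPES, want_ethertype=True)


def build_message(msg_type, data, version=WAPI_VERSION):
    """AP <-> AS over UDP: (version, message type, reserved, data length, data)."""
    if msg_type not in MESSAGE_TYPES:
        raise ValueError("unknown WAPI message type %d" % msg_type)
    return _MSG_HDR.pack(version, msg_type, 0, len(data)) + data


def parse_message(buf):
    return _parse(buf, _MSG_HDR, MESSAGE_TYPES, want_ethertype=False)


if __name__ == "__main__":
    # Constructed sample payload; a real access authentication request carries
    # the MT certificate and the request time (step 1.2).
    req = build_frame(1, b"<MT1 certificate><request time>")
    print(parse_frame(req + b"\x00" * 20)["name"])   # Ethernet padding is ignored
    try:
        parse_frame(req[:-5])                          # length field overruns the buffer
    except ValueError as err:
        print("rejected:", err)
```

The data length field, not the buffer length, bounds the payload: Ethernet pads short frames to the minimum size, so a parser that trusts len(buf) hands padding bytes to the certificate parser, while one that trusts the length field without checking it against the buffer reads past the end. The parser above checks both.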
Fig. 1 shows the five steps of mutual authentication defined by WAPI between a mobile terminal MT1 and an access point AP1, carried out with the help of an authentication server AS1 when MT1 attempts to access AP1. The steps are explained as follows:
(1.1) Authentication activation: when MT1 associates or re-associates with AP1 via the IEEE 802.11 protocol, AP1 sends "WAPI frame/authentication activation" to MT1 to start the whole authentication process;
(1.2) Access authentication request: after receiving AP1's authentication activation, MT1 sends "WAPI frame/access authentication request" to AP1; this frame contains MT1's certificate and MT1's current system time, used as the access authentication request time;
(1.3) Certificate authentication request: after receiving MT1's access authentication request, AP1 first records the access authentication request time it was sent, then sends "WAPI message/certificate authentication request" to AS1; this request carries MT1's certificate, the access authentication request time, AP1's certificate, and AP1's signature over them made with AP1's private key;
(1.4) Certificate authentication response: after receiving AP1's certificate authentication request, AS1 verifies AP1's signature and the validity of AP1's certificate; if either is incorrect, the authentication process fails; otherwise AS1 goes on to verify MT1's certificate. After verification, AS1 assembles the MT1 certificate verification result, the AP1 certificate verification result and AS1's signature over them made with AS1's private key into "WAPI message/certificate authentication response" and sends it back to AP1;
(1.5) Access authentication response: AP1 verifies AS1's signature on the returned certificate authentication response, obtains the verification result for MT1's certificate, and applies access control to MT1 according to that result. AP1 then re-packages the received certificate authentication response as "WAPI frame/access authentication response" and delivers it to MT1. After verifying AS1's signature, MT1 obtains the verification result for AP1's certificate and decides from it whether to access AP1.
4. A "four-way authentication protocol" based on a key shared between nodes
Fig. 2 shows a protocol by which any two nodes A2 and B2 that hold a shared key SK2 (Shared Key) authenticate each other and derive a session encryption key. Here node A2 may be an access point and node B2 a mobile terminal, or A2 a mobile terminal and B2 an access point. The shared key may be produced by manual entry or by other means, and may be a pairwise key shared between the access point and each mobile terminal, or a key shared between the access point and several mobile terminals. (The key used by WEP is a key shared between the access point and all mobile terminals, but WEP uses the shared key directly as the session encryption key.) The steps of the Fig. 2 protocol are as follows:
(2.1) "Four-way start": A2 generates a random number ANonce2 and sends it in the "four-way start" message;
(2.2) "Four-way request": on receiving the "four-way start" from A2, B2 generates another random number BNonce2 and derives a session key K2 from ANonce2, BNonce2 and the shared key SK2; B2 also computes a message authentication code MAC21 (Message Authentication Code) over ANonce2, BNonce2 and SK2, and finally sends BNonce2 and MAC21 to A2 in the "four-way request" message;
(2.3) "Four-way reply": on receiving B2's "four-way request", A2 also computes a message authentication code MAC22 over ANonce2, BNonce2 and SK2; if MAC21 equals MAC22, A2 derives the same session key K2 from ANonce2, BNonce2 and SK2 (if MAC21 differs from MAC22 the authentication process fails, but Fig. 2 does not show this case); A2 then computes a message authentication code MAC23 over SK2 and MAC21, and sends MAC23 to B2 in the "four-way reply" message;
(2.4) "Four-way success": on receiving A2's "four-way reply", B2 also computes a message authentication code MAC24 over SK2 and MAC21; if MAC23 equals MAC24, B2 sends the "four-way success" message to A2 (if MAC23 differs from MAC24, B2 sends a four-way failure to A2, but Fig. 2 does not show this case).
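The four-way exchange of steps 2.1 to 2.4, as an added example with both nodes in one process (not code from the patent). The page names no key derivation or MAC function, so HMAC-SHA256 with distinct labels is assumed for K2, MAC21/MAC22 and MAC23/MAC24, and the shared key SK2 is an arbitrary byte string constructed for the run.

```python
"""Four-way shared-key authentication of Fig. 2 (steps 2.1-2.4).

Added example, not code from the patent. The page does not name the key
derivation or MAC functions; HMAC-SHA256 with distinct labels is an
ASSUMPTION, and SK2 is whatever byte string the two sides already hold.
"""
import hashlib
import hmac
import os


def _prf(sk, label, *parts):
    return hmac.new(sk, label + b"".join(parts), hashlib.sha256).digest()


def derive_k2(sk, anonce, bnonce):
    """K2 = PRF(SK2, ANonce2 || BNonce2); assumed construction."""
    return _prf(sk, b"session", anonce, bnonce)


def mac_nonces(sk, anonce, bnonce):
    """MAC21 (computed by B2) and MAC22 (recomputed by A2)."""
    return _prf(sk, b"request", anonce, bnonce)


def mac_confirm(sk, mac21):
    """MAC23 (computed by A2) and MAC24 (recomputed by B2), keyed over MAC21."""
    return _prf(sk, b"reply", mac21)


class NodeA:
    def __init__(self, sk, rng=os.urandom):
        self.sk, self.rng, self.k2, self.anonce = sk, rng, None, None

    def start(self):                                   # (2.1) four-way start
        self.anonce = self.rng(16)
        return {"anonce": self.anonce}

    def reply(self, req):                              # (2.3) four-way reply
        mac22 = mac_nonces(self.sk, self.anonce, req["bnonce"])
        if not hmac.compare_digest(mac22, req["mac21"]):
            return None                                # MAC21 != MAC22: authentication fails
        self.k2 = derive_k2(self.sk, self.anonce, req["bnonce"])
        return {"mac23": mac_confirm(self.sk, req["mac21"])}


class NodeB:
    def __init__(self, sk, rng=os.urandom):
        self.sk, self.rng, self.k2, self.mac21 = sk, rng, None, None

    def request(self, start):                          # (2.2) four-way request
        bnonce = self.rng(16)
        # K2 is derived here, before B2 has any evidence that A2 holds SK2.
        self.k2 = derive_k2(self.sk, start["anonce"], bnonce)
        self.mac21 = mac_nonces(self.sk, start["anonce"], bnonce)
        return {"bnonce": bnonce, "mac21": self.mac21}

    def finish(self, rep):                             # (2.4) four-way success / failure
        mac24 = mac_confirm(self.sk, self.mac21)
        if hmac.compare_digest(mac24, rep["mac23"]):
            return "four-way success"
        self.k2 = None                                 # discard a key A2 never confirmed
        return "four-way failure"


def run_handshake(sk_a, sk_b):
    """Run steps 2.1-2.4 between fresh nodes; returns (outcome, K2 at A2, K2 at B2)."""
    a, b = NodeA(sk_a), NodeB(sk_b)
    req = b.request(a.start())
    rep = a.reply(req)
    if rep is None:
        return "four-way failure", None, None
    return b.finish(rep), a.k2, b.k2


if __name__ == "__main__":
    sk = b"constructed example shared key"
    print(run_handshake(sk, sk)[0])            # four-way success
    print(run_handshake(sk, b"wrong key")[0])  # four-way failure
```

Two points the step list leaves implicit: B2 computes K2 in step 2.2 before it has any evidence that A2 holds SK2, so B2 must discard that key if step 2.4 fails; and because the exchange is symmetric in SK2, a key shared by an access point and several terminals lets any of those terminals play A2 toward the others, which is why the pairwise per-terminal variant the text mentions is the one to deploy.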
5. The EAP protocol
EAP (Extensible Authentication Protocol) defines a supporting framework for link-layer authentication methods. EAP is called a framework rather than a concrete authentication method because it implements only the data formats and transport mechanism for the authentication-data requests and responses that a basic authentication process needs, and for the authentication result; it does not define the concrete authentication steps. Instead, EAP can carry the authentication steps of a pass-through protocol. An authentication system that supports EAP is more extensible precisely because the concrete authentication method carried over EAP can be replaced more easily within the EAP framework.
Specifically, as shown in Fig. 3, after a requesting device PR3 (Peer) and an authenticating device AU3 (Authenticator) have established a link connection, EAP runs a series of EAP requests sent by AU3 and EAP responses returned by PR3, until AU3 sends EAP Success or EAP Failure. The steps are as follows:
(3.1) AU3 sends PR3 an EAP request (EAP-Request) for authentication data; requests can be of different types;
(3.2) PR3 returns, according to the request type, an EAP response (EAP-Response) carrying the authentication data;
(3.3) after receiving the response carrying the authentication data, AU3 performs the authentication computation and, depending on the result, does one of the following:
a) if authentication succeeds, AU3 sends EAP Success (EAP-Success) to PR3;
b) if authentication fails, AU3 sends EAP Failure (EAP-Failure) to PR3;
c) if AU3 still needs further authentication data, the process returns to step (3.1).
EAP request and response messages have the following five fields:
(code, identifier, length, type, data)
where
◆ a "code" value of 1 indicates that the message is an EAP request, and 2 an EAP response;
◆ the "identifier" value is used to match EAP requests with responses; a retransmitted EAP request must use the same identifier;
◆ the "length" value is the length of the whole message;
◆ the "type" value determines the type of the EAP request or response. The original EAP protocol defines an initial set of types; other protocols and applications that use EAP introduce new types. Three of the initial types are as follows:
■ "EAP Request/Identity" (EAP-Request/Identity): the authenticating device queries the requesting device's identity data with "EAP Request/Identity";
■ "EAP Response/Identity" (EAP-Response/Identity): the requesting device loads its identity data into "EAP Response/Identity" as the response to "EAP Request/Identity";
■ "EAP Response/Nak" (EAP-Response/Nak): when the requesting device does not support a certain EAP request, it returns "EAP Response/Nak" as the response;
◆ the value of the "data" field varies with the request or response type.
EAP Success and Failure messages have the following three fields:
(code, identifier, length)
where
◆ a "code" value of 3 indicates EAP Success, and 4 EAP Failure;
◆ the "identifier" value matches this EAP Success or Failure message with the most recent preceding EAP response;
◆ the "length" value is again the length of the whole message.
Whatever the details of the authentication steps, an EAP system need only check the EAP Success and Failure messages to determine the authentication result.
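The EAP framing of the two message layouts above and the request/response loop of steps 3.1 to 3.3, as an added example (not code from the patent). Field widths follow the EAP wire format (code 1 byte, identifier 1, length 2, type 1), which the page leaves unstated. The authentication method itself, type 255 (the experimental-use type) answering a random challenge with an HMAC over a shared secret, is a stand-in for a real method, and the identity and secret are constructed.

```python
"""EAP message codec and the request/response loop of steps 3.1-3.3.

Added example, not code from the patent. Field widths follow the EAP wire
format (code 1, identifier 1, length 2, type 1 byte). Type 255
(experimental use) with a challenge/HMAC exchange stands in for a real
method; the shared secret and identity are constructed (ASSUMED).
"""
import hashlib
import hmac
import os
import struct

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK = 1, 3   # two of the initial EAP types
TYPE_DEMO = 255                  # experimental-use type; stands in for a real method


def encode(code, ident, type_=None, data=b""):
    """Request/Response: (code, identifier, length, type, data);
    Success/Failure: (code, identifier, length). Length covers the whole message."""
    if code in (CODE_SUCCESS, CODE_FAILURE):
        return struct.pack("!BBH", code, ident, 4)
    return struct.pack("!BBHB", code, ident, 5 + len(data), type_) + data


def decode(buf):
    """Parse one EAP message; the length field bounds the data, trailing bytes are ignored."""
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack_from("!BBH", buf)
    if length < 4 or length > len(buf):
        raise ValueError("bad EAP length %d" % length)
    msg = {"code": code, "identifier": ident, "type": None, "data": b""}
    if code in (CODE_REQUEST, CODE_RESPONSE):
        if length < 5:
            raise ValueError("request/response without type")
        msg["type"] = buf[4]
        msg["data"] = bytes(buf[5:length])
    return msg


def demo_answer(secret, challenge):
    """The stand-in method: HMAC-SHA256 over the challenge (assumed)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Authenticator:
    """AU3: sends requests (3.1) and decides success or failure (3.3)."""

    def __init__(self, secret, rng=os.urandom):
        self.secret, self.rng = secret, rng
        self.ident = 0
        self.pending = None          # (identifier, type, data) of the outstanding request
        self.peer_identity = None

    def _request(self, type_, data=b""):
        self.ident = (self.ident + 1) % 256
        self.pending = (self.ident, type_, data)
        return encode(CODE_REQUEST, *self.pending)

    def start(self):
        return self._request(TYPE_IDENTITY)

    def retransmit(self):
        return encode(CODE_REQUEST, *self.pending)   # same identifier, as required

    def handle(self, buf):
        msg = decode(buf)
        ident, req_type, challenge = self.pending
        if msg["code"] != CODE_RESPONSE or msg["identifier"] != ident:
            return None                                      # not a reply to our request: drop
        if req_type == TYPE_IDENTITY and msg["type"] == TYPE_IDENTITY:
            self.peer_identity = msg["data"].decode("utf-8", "replace")
            return self._request(TYPE_DEMO, self.rng(16))   # c) more data needed: back to 3.1
        if msg["type"] == TYPE_NAK:
            return encode(CODE_FAILURE, ident)               # peer offers only types we lack
        if msg["type"] == req_type and hmac.compare_digest(
                msg["data"], demo_answer(self.secret, challenge)):
            return encode(CODE_SUCCESS, ident)               # a)
        return encode(CODE_FAILURE, ident)                   # b)


class Peer:
    """PR3: answers each request according to its type (3.2)."""

    def __init__(self, identity, secret, supported):
        self.identity, self.secret, self.supported = identity, secret, list(supported)

    def handle(self, buf):
        msg = decode(buf)
        if msg["code"] != CODE_REQUEST:
            return None
        ident = msg["identifier"]
        if msg["type"] == TYPE_IDENTITY:
            return encode(CODE_RESPONSE, ident, TYPE_IDENTITY, self.identity.encode())
        if msg["type"] in self.supported:
            return encode(CODE_RESPONSE, ident, msg["type"], demo_answer(self.secret, msg["data"]))
        # Unsupported request type: Nak listing the types this peer does support.
        return encode(CODE_RESPONSE, ident, TYPE_NAK, bytes(self.supported))


def run_eap(auth, peer, max_rounds=8):
    """Drive the loop until AU3 emits Success or Failure; returns the outcome."""
    buf = auth.start()
    for _ in range(max_rounds):
        nxt = auth.handle(peer.handle(buf))
        if nxt is None:
            buf = auth.retransmit()
            continue
        code = decode(nxt)["code"]
        if code == CODE_SUCCESS:
            return "success"
        if code == CODE_FAILURE:
            return "failure"
        buf = nxt
    return "failure"
```

The authenticator matches every response against the identifier of its outstanding request and drops anything else, and a retransmitted request reuses the identifier, as the field descriptions require. The peer's Nak carries the list of types it does support; an authenticator that can offer none of them answers with EAP Failure rather than looping.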
6. The EAP-SIM authentication protocol
EAP-SIM is an authentication protocol based on the EAP framework and the SIM card.
Fig. 4 shows one (simplified) flow of the EAP-SIM authentication protocol between a requesting device PR4 and an authenticating device AU4. PR4 has a SIM card whose secret is denoted Ki4. AU4 knows, or can obtain from another connected network device, the SIM card secret Ki4 of PR4.
The flow of Fig. 4 begins with AU4 sending the identity request "EAP Request/Identity" to PR4; on receiving it, PR4 sends back its identity string in "EAP Response/Identity".
After receiving "EAP Response/Identity", AU4 sends "EAP Request/SIM/Start" to PR4; this request carries all the SIM version numbers AU4 supports. After receiving "EAP Request/SIM/Start", PR4 selects a supported SIM version number, provides its identity string (again) if required, generates a new random number NONCE, and sends these back in "EAP Response/SIM/Start".
After receiving "EAP Response/SIM/Start", AU4 obtains (from the corresponding server) a new random number RAND, computes a message authentication code MAC41 (Message Authentication Code) from NONCE and other information shared between AU4 and PR4, and sends RAND and MAC41 to PR4 in "EAP Request/SIM/Challenge". After receiving "EAP Request/SIM/Challenge", PR4 also computes a message authentication code MAC42 from NONCE and the other information shared between AU4 and PR4; if MAC41 and MAC42 are equal, PR4 computes another message authentication code MAC43 from RAND, the SIM card secret Ki4 and the other information shared between AU4 and PR4, and delivers MAC43 to AU4 in "EAP Response/SIM/Challenge".
Finally, after receiving "EAP Response/SIM/Challenge", AU4 also computes a message authentication code MAC44 from RAND, the SIM card secret Ki4 it knows for PR4, and the other information shared between AU4 and PR4; if MAC43 and MAC44 are equal, AU4 sends "EAP Success".
7. Shortcomings of the current WAPI design
One shortcoming of WAPI, as shown above, is that the authentication method it defines consists of fixed steps and must use digital certificates. This fixed authentication mode makes WAPI quite troublesome in some practical application areas. For example, an individual user may wish to authenticate with a manually entered key, and mobile network operators have long been accustomed to authenticating mobile subscribers with a SIM (Subscriber Identity Module) card. If digital certificates must be used, the individual user has to buy and maintain an authentication server, and the mobile operator has to build and maintain a separate set of authentication infrastructure, which greatly increases cost and hurts economic returns.
Summary of the invention
The invention describes a method for extending a wireless LAN authentication protocol: a method for adding another authentication protocol to the IEEE 802.11 WLAN security standard WAPI, in particular an authentication protocol based on a key shared between the access point and the mobile terminal, and an authentication protocol based on EAP. The method implements a selection mechanism between the original WAPI and the newly added protocol, allowing access points and mobile terminals with and without the newly added protocol to authenticate each other, thereby guaranteeing compatibility with the original WAPI protocol and supporting the step-by-step upgrade of existing WAPI access points and mobile terminals.
The mechanism introduces a state variable NAP (Newly Added Protocol) whose possible values are C (Closed), F (Forced) and S (Selected):
◆ "C" intuitively means the newly added protocol is closed, so the original WAPI must be used;
◆ "F" intuitively means the newly added protocol is forced;
◆ "S" intuitively means that the original WAPI or the newly added protocol is selected as follows:
■ when the other party does not support, or has closed, the newly added protocol, use the original WAPI;
■ when the other party forces the newly added protocol, use the newly added protocol;
■ when the other party is also in the selecting state, the protocol is chosen according to the value of another state variable PRF (Preferable): if its value is "N" (New), the newly added protocol is selected; otherwise the original WAPI is selected.
To implement protocol negotiation between the mobile terminal and the access point, and the data transfer of the newly added protocol, the method also introduces one or more new Ethernet frames, or uses some existing Ethernet frame (such as the WAPI frame), and distinguishes several authentication packet types within these frames. For generality, these newly introduced or existing frames are referred to below uniformly as the "X frame". The authentication packet types the method uses to implement protocol negotiation are:
◆ the "Closed" authentication packet type, whose Ethernet frame is called "X frame/Closed";
◆ the "Forced" authentication packet type, whose Ethernet frame is called "X frame/Forced";
◆ the "Selected" authentication packet type, whose Ethernet frame is called "X frame/Selected".
The method selects different authentication packet types for data transfer depending on which protocol is newly added. For the "four-way authentication protocol", the method selects the following authentication packet types:
◆ the "four-way start" authentication packet type, whose Ethernet frame is called "X frame/four-way start";
◆ the "four-way request" authentication packet type, whose Ethernet frame is called "X frame/four-way request";
◆ the "four-way reply" authentication packet type, whose Ethernet frame is called "X frame/four-way reply";
◆ the "four-way success" authentication packet type, whose Ethernet frame is called "X frame/four-way success".
For the "EAP protocol", the method selects the following authentication packet types:
◆ the "EAP request" authentication packet type, whose Ethernet frame is called "X frame/EAP request";
◆ the "EAP response" authentication packet type, whose Ethernet frame is called "X frame/EAP response";
◆ the "EAP success" authentication packet type, whose Ethernet frame is called "X frame/EAP success";
◆ the "EAP failure" authentication packet type, whose Ethernet frame is called "X frame/EAP failure".
The method may also require new authentication message types to be added to the WAPI messages used between the access point and the authentication server; the specifics of these message types are determined by the concrete extension protocol.
To keep the description below general, the method uses "X frame/FST" to denote the Ethernet frame, sent from the access point to the mobile terminal, that begins the newly added protocol. For example, for the four-way authentication protocol, "X frame/FST" stands for "X frame/four-way start"; for the EAP protocol, "X frame/FST" stands for "X frame/EAP request".
The method defines, as shown in Fig. 5, the state machine of the mobile terminal MT5 when negotiating the protocol with access point AP5. The guiding idea of this state machine is that, unless MT5 supports only the original WAPI and not the extension described in this invention, MT5 is always the side that first proposes the protocol selection; that is, without having received any message from AP5, MT5 actively sends protocol negotiation messages according to the value of its NAP state variable.
Although MT5 sends protocol selection messages, it cannot count on AP5 answering them. First, both the messages sent and the answers may be lost; second, AP5 may support only the original WAPI and not the method of this invention, in which case AP5 may on its own initiative send "WAPI frame/authentication activation" to start the authentication process. Therefore, after receiving a message from AP5, MT5 must again decide according to its NAP value how to respond.
The steps of Fig. 5 do not include the mobile terminal's processing of IEEE 802.11 control and management frames according to IEEE 802.11, nor its processing of the corresponding control and management frames according to the PRC national standard GB 15629.11-2003.
Specifically, the steps of Fig. 5 are, in order:
(5.1) MT5 associates with AP5 (Association); after completing association (thus entering the associated state), go to (5.2);
(5.2) MT5 enters a wait state; if a timeout occurs, go to (5.3); if a "WAPI frame" or "X frame" sent by AP5 is received, go to (5.4);
(5.3) MT5 performs one of the following steps according to the current value of the variable NAP:
(5.3.1) if NAP is "F", MT5 sends "X frame/Forced" to AP5;
(5.3.2) if NAP is "S", MT5 sends "X frame/Selected" to AP5;
(5.3.3) if NAP is neither of the above, MT5 sends AP5 any Ethernet frame other than "X frame/Forced" and "X frame/Selected";
after performing one of the steps above, MT5 goes to (5.2);
(5.4) if the message MT5 received is neither "WAPI frame/authentication activation" nor "X frame/FST", go to (5.3); otherwise perform one of the following steps:
(5.4.1) if the received message is "WAPI frame/authentication activation" and NAP is "C" or "S", MT5 begins executing WAPI;
(5.4.2) if the received message is "X frame/FST" and NAP is "S" or "F", MT5 begins executing the newly added protocol;
(5.4.3) if the received message matches neither of the two cases above, MT5 reports failure and disassociates from AP5.
The method also defines, as shown in Fig. 6, the state machine of access point AP5 when negotiating the protocol with mobile terminal MT5. The guiding idea here is that AP5 expects MT5 to propose the protocol selection first, and then, according to that selection, begins executing either the original WAPI protocol or the new protocol. The case where MT5 supports only the original WAPI and not the method of this invention, and therefore cannot propose a protocol selection, is also considered: in that case AP5 times out, and if its NAP value is "C" or "S", AP5 then begins executing the WAPI protocol.
The steps of Fig. 6 do not include the access point's processing of IEEE 802.11 control and management frames according to IEEE 802.11, nor its processing of the corresponding control and management frames according to the PRC national standard GB 15629.11-2003.
Specifically, the steps of Fig. 6 are, in order (note that the first step of executing the newly added protocol is to send "X frame/FST", and the first step of executing WAPI is to send "WAPI frame/authentication activation"):
(6.1) AP5 associates with MT5 (Association); after completing association (thus entering the associated state), go to (6.2);
(6.2) AP5 enters a wait state; if a timeout occurs, go to (6.3); if an "X frame" sent by MT5 is received, go to (6.4);
(6.3) if NAP is "F", AP5 reports failure and disassociates from MT5; otherwise AP5 begins executing WAPI;
(6.4) if the received frame is "X frame/Forced", AP5 performs the following steps, otherwise go to (6.5):
(6.4.1) if NAP is "S" or "F", AP5 begins executing the newly added protocol;
(6.4.2) otherwise, i.e. NAP is "C", AP5 reports failure and disassociates from MT5;
(6.5) if the received frame is "X frame/Selected", AP5 performs the following steps, otherwise go to (6.6):
(6.5.1) if NAP is "S" or "F", AP5 performs the following steps; otherwise go to (6.5.2);
(6.5.1.1) if NAP is "S", AP5 performs the following steps; otherwise go to (6.5.1.2);
(6.5.1.1.1) if PRF is "N", AP5 begins executing the newly added protocol;
(6.5.1.1.2) otherwise, AP5 begins executing WAPI;
(6.5.1.2) NAP is now "F", and AP5 begins executing the newly added protocol;
(6.5.2) NAP is now "C", and AP5 begins executing WAPI;
(6.6) if the received frame is "X frame/Closed" and NAP is "C" or "S", AP5 begins executing WAPI; otherwise NAP is "F", and AP5 reports failure and disassociates from MT5.
The "timeout" handling of the access point in Fig. 6 exists for the case where the mobile terminal supports only WAPI and not the method of this invention. The access point's timeout must therefore be set longer than the mobile terminal's, so that a mobile terminal that supports the method times out first and sends an "X frame" to start protocol negotiation.
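The two state machines of Figs. 5 and 6 (steps 5.1 to 5.4 and 6.1 to 6.6) together with the timeout ordering rule, as an added example that is not code from the patent: the mobile terminal's and the access point's decision functions, and a simulation of one association that can be run over every combination of the NAP and PRF values, including a legacy side that supports only the original WAPI. Frame names are the page's; the value "W" for PRF (standing for any value other than "N"), the choice of "X frame/Closed" as the frame a terminal with NAP "C" sends in step 5.3.3, and the modelling of timeouts by ordering (the terminal always times out first, as the text requires) are assumptions.

```python
"""Protocol negotiation state machines of Fig. 5 (MT) and Fig. 6 (AP).

Added example, not code from the patent. Assumptions: PRF value "W" means
"anything other than N"; an MT with NAP "C" sends "X frame/Closed" in step
5.3.3; timeouts are modelled by ordering (the MT times out first, as the
page requires), not by clocks.
"""

NAP_VALUES = ("C", "F", "S")
PRF_VALUES = ("N", "W")
X_CLOSED, X_FORCED, X_SELECTED = "X frame/Closed", "X frame/Forced", "X frame/Selected"
X_FST = "X frame/FST"                   # first frame of the newly added protocol
WAPI_ACTIVATION = "WAPI frame/authentication activation"
RUN_WAPI, RUN_NEW, FAIL = "wapi", "new", "fail"


def mt_on_timeout(nap):
    """Step 5.3: what the MT sends when it times out with nothing received."""
    if nap == "F":
        return X_FORCED
    if nap == "S":
        return X_SELECTED
    return X_CLOSED        # 5.3.3: any frame other than Forced/Selected (assumed: Closed)


def mt_on_receive(nap, frame):
    """Step 5.4: the MT's decision on a frame from the AP."""
    if frame == WAPI_ACTIVATION and nap in ("C", "S"):
        return RUN_WAPI                                   # 5.4.1
    if frame == X_FST and nap in ("S", "F"):
        return RUN_NEW                                    # 5.4.2
    if frame in (WAPI_ACTIVATION, X_FST):
        return FAIL                                       # 5.4.3
    return None                                           # anything else: back to 5.3


def ap_on_timeout(nap):
    """Step 6.3: the MT proposed nothing (legacy WAPI-only terminal)."""
    return FAIL if nap == "F" else RUN_WAPI


def ap_on_receive(nap, prf, frame):
    """Steps 6.4 to 6.6: the AP's decision on an X frame from the MT."""
    if frame == X_FORCED:                                 # 6.4
        return RUN_NEW if nap in ("S", "F") else FAIL
    if frame == X_SELECTED:                               # 6.5
        if nap == "F":
            return RUN_NEW                                # 6.5.1.2
        if nap == "C":
            return RUN_WAPI                               # 6.5.2
        return RUN_NEW if prf == "N" else RUN_WAPI        # 6.5.1.1
    # 6.6: Closed with NAP C or S runs WAPI; the page treats every remaining case as failure
    return RUN_WAPI if (frame == X_CLOSED and nap in ("C", "S")) else FAIL


AP_FIRST_FRAME = {RUN_WAPI: WAPI_ACTIVATION, RUN_NEW: X_FST}


def negotiate(mt_nap, ap_nap, ap_prf="N", mt_legacy=False, ap_legacy=False):
    """Simulate one association; returns "wapi", "new" or "fail".
    A legacy side supports only the original WAPI: a legacy MT never sends
    X frames, and a legacy AP ignores them and runs WAPI after its timeout."""
    proposal = None if mt_legacy else mt_on_timeout(mt_nap)   # MT's timeout is shorter
    if ap_legacy or proposal is None:
        ap_decision = ap_on_timeout("C" if ap_legacy else ap_nap)
    else:
        ap_decision = ap_on_receive(ap_nap, ap_prf, proposal)
    if ap_decision == FAIL:
        return FAIL                         # AP reports failure and disassociates
    first = AP_FIRST_FRAME[ap_decision]     # AP's first frame of the chosen protocol
    if mt_legacy:
        return RUN_WAPI if first == WAPI_ACTIVATION else FAIL
    return mt_on_receive(mt_nap, first)


def outcome_table():
    """Outcome for every (MT NAP, AP NAP, AP PRF) combination of extension-aware peers."""
    return {(m, a, p): negotiate(m, a, p)
            for m in NAP_VALUES for a in NAP_VALUES for p in PRF_VALUES}


if __name__ == "__main__":
    for (m, a, p), result in sorted(outcome_table().items()):
        print("MT NAP=%s  AP NAP=%s  AP PRF=%s  ->  %s" % (m, a, p, result))
    print("legacy AP, MT NAP=F ->", negotiate("F", "S", ap_legacy=True))
    print("legacy MT, AP NAP=S ->", negotiate("C", "S", mt_legacy=True))
```

negotiate(...) returns "wapi", "new" or "fail", and outcome_table() enumerates all 18 NAP/PRF combinations. Two things the table makes visible: the negotiation frames carry no authentication in the scheme as described, so for an S/S pair the result is decided by whichever X frame reaches the access point first rather than by PRF alone (ap_on_receive("S", "N", X_CLOSED) yields WAPI); and NAP "F" on both sides is the only setting under which no peer, legacy or otherwise, can end up on the original WAPI.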
Description of the drawings
Fig. 1 is a schematic diagram of one implementation of the WAPI authentication protocol;
Fig. 2 is a schematic diagram of one implementation of the shared-key authentication protocol;
Fig. 3 is a schematic diagram of one implementation of the EAP protocol;
Fig. 4 is a schematic diagram of one implementation of the EAP-SIM protocol;
Fig. 5 is a schematic diagram of the state machine with which the mobile terminal negotiates the protocol;
Fig. 6 is a schematic diagram of the state machine with which the access point negotiates the protocol;
Fig. 7 is a schematic diagram of one protocol negotiation process between mobile terminal MT7 and access point AP7;
Fig. 8 is a schematic diagram of one protocol negotiation process between mobile terminal MT8 and access point AP8;
Fig. 9 is a schematic diagram of one protocol negotiation process between mobile terminal MT9 and access point AP9;
Fig. 10 is a schematic diagram of one protocol negotiation process between mobile terminal MT10 and access point AP10.
Embodiments
Several embodiments of the invention are explained below in conjunction with the figures.
If the information of (5.4.6) receiving is not as above-mentioned two kinds of situations, MT5 then report the failure and with the AP5 disassociation.
The method also defines the state machine of an access point AP5 when it negotiates a protocol with a mobile terminal MT5, shown in Fig. 6. The guiding idea here is that AP5 expects MT5 to propose the protocol selection first, and then begins to run either the original WAPI protocol or the newly added protocol according to that selection. The case in which MT5 supports only the original WAPI and not the method of this invention, and therefore cannot propose a selection, is also considered: AP5 then times out, and if its NAP value is "C" or "S" it begins to run the WAPI protocol.
The steps of Fig. 6 do not include the processing of IEEE 802.11 control and management frames according to IEEE 802.11, nor the processing of the corresponding control and management frames according to the national standard GB 15629.11-2003 of the People's Republic of China.
Specifically, the steps of Fig. 6 are, in order. Note that the first step of running the newly added protocol is sending "X frame/FST", and the first step of running WAPI is sending "WAPI frame/authentication activation":
(6.1) AP5 associates with MT5 (Association); once association is complete (and AP5 is thus in the associated state), go to (6.2);
(6.2) AP5 enters the wait state; on timeout, go to (6.3); on receiving an "X frame" from MT5, go to (6.4);
(6.3) if the NAP value is "F", AP5 reports failure and disassociates from MT5; otherwise AP5 begins to run WAPI;
(6.4) if the frame received is "X frame/Force", AP5 performs the following steps; otherwise go to (6.5):
(6.4.1) if the NAP value is "S" or "F", AP5 begins to run the newly added protocol;
(6.4.2) otherwise, i.e. the NAP value is "C", AP5 reports failure and disassociates from MT5;
(6.5) if the frame received is "X frame/Select", AP5 performs the following steps; otherwise go to (6.6):
(6.5.1) if the NAP value is "S" or "F", AP5 performs the next step; otherwise go to (6.5.2);
(6.5.1.1) if the NAP value is "S", AP5 performs one of the following two steps; otherwise go to (6.5.1.2);
(6.5.1.1.1) if the PRF value is "N", AP5 begins to run the newly added protocol;
(6.5.1.1.2) otherwise AP5 begins to run WAPI;
(6.5.1.2) the NAP value is now "F": AP5 begins to run the newly added protocol;
(6.5.2) the NAP value is now "C": AP5 begins to run WAPI;
(6.6) if the frame received is "X frame/Close" and the NAP value is "C" or "S", AP5 begins to run WAPI; otherwise the NAP value is "F", and AP5 reports failure and disassociates from MT5.
" overtime " of access point handles and do not support the situation of method of the present invention to be provided with for handle mobile terminal only supports WAPI among Fig. 6.So access point overtime must be provided with than the overtime length of portable terminal, thereby make the portable terminal of supporting the inventive method can be overtime earlier and send " X frame " with the startup protocol negotiation.
Fig. 7 has shown that portable terminal MT7 and access point AP7 carry out a process of protocol negotiation.Here, MT7 only supports original WAPI and does not support the inventive method, and AP7 supports the inventive method, and the NAP variate-value of AP7 is that the PRF variate-value of " S " and AP7 is " N ".Here, the WAPI of MT7 has selected wait AP7 to start WAPI.So, carrying out the description of the state machine of protocol negotiation according to Fig. 6 access point, the super later WAPI that begins to carry out is taking place in AP7.MT7 only supports original WAPI, so just in time carry out by original WAPI.
Fig. 8 has shown that other portable terminal MT8 and access point AP8 carry out a process of protocol negotiation.Here, MT8 supports the inventive method, and its NAP variate-value is " S ", and AP8 only supports original WAPI and do not support the inventive method.So, carrying out the description of the state machine of protocol negotiation according to Fig. 5 portable terminal, MT8 sends " X frame/optimization " to AP8 after generation is overtime.According to WAPI, AP8 will abandon " X frame/optimization ", and will take place overtime.Will take place overtime after, AP8 begins to carry out WAPI, promptly sends " WAPI frame/discriminating activate ".According to Fig. 5, MT8 begins to carry out WAPI when receiving " WAPI frame/discriminating activates " and its NAP variate-value for " S ".
Fig. 9 has shown that other again portable terminal MT9 and access point AP9 carry out a process of protocol negotiation.Here, MT9 and AP9 support the inventive method, but the NAP variate-value of MT9 is " S ", and the NAP variate-value of AP9 is " F ".Carry out the description of the state machine of protocol negotiation according to Fig. 5 and Fig. 6 portable terminal and access point, take place overtimely as MT9 earlier, then after it is overtime, send " X frame/optimization " to AP9.AP8 receives judgement after receiving information is not " X frame/pressure " but " X frame/optimization ", and judges that the NAP value is " F ", so begin to carry out new adding agreement, promptly sends " X frame/FST ".MT9 also begins to carry out new adding agreement when receiving " X frame/FST " and its NAP value for " S ".
Figure 10 has shown that other portable terminal MT10 and access point AP10 carry out a process of protocol negotiation.Here, MT10 and AP10 support the inventive method, and their NAP variate-value is " S ", and the PRF variate-value of AP10 is " N ".Carry out the description of the state machine of protocol negotiation according to Fig. 5 and Fig. 6 portable terminal and access point, take place overtimely as AP10 earlier, then AP10 can select WAPI.But method of the present invention requires the overtime overtime length than portable terminal of access point.Like this, MT10 will send " X frame/optimization ".AP10 receives judgement after receiving information is not " X frame/pressure " but " X frame/optimization ", and judges that its oneself NAP value is " S ", and the PRF value is " N ".So begin to carry out new adding agreement.
At last, the performance of the inventive method is summarized as follows:
◆ support the inventive method and the opposing party when not supporting portable terminal and access point one side, both sides then only select WAPI agreement or report to differentiate failure; Fig. 7, shown in 8 is two examples.
◆ all support the inventive method at portable terminal and access point both sides, and all be provided with when selecting use agreement (being that both sides NAP variate-value is " S ") that both sides' consult to decide is to use the still new agreement that adds of WAPI; Fig. 9, shown in 10 is two examples.
◆ portable terminal and access point all both sides all support the inventive method, and
A ■ side therein forces to use under the situation of WAPI (being that the NAP variate-value is " C "), and both sides then only select WAPI or report to differentiate failure;
A ■ side therein forces to use under the situation of new adding agreement (being that the NAP variate-value is " F "), and both sides then only select new adding agreement or report to differentiate failure.
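The two state machines above, together with the four runs of Figs. 7 to 10, can be checked by simulation. The following Python model is an added example and is not code from the patent: frame names are string constants standing in for the "X frame" authentication packet types (the patent does not specify a wire format), a mobile terminal or access point with `nap=None` stands for a device that implements only the original WAPI, and the timeouts are abstract numbers of which only the ordering matters. It also shows the failure mode the description warns about: if the access point's timeout is not longer than the mobile terminal's, two "S"/"N" peers silently fall back to WAPI, and a terminal forcing the new protocol fails outright.

```python
"""Model of the MT (Fig. 5) and AP (Fig. 6) negotiation state machines.

Added example, not the patent's code.  Frame names and timeouts are
assumptions; only the ordering of the two timeouts matters.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Frames on the air (names follow the description; wire format not modelled).
WAPI_ACTIVATE = "WAPI frame/authentication activation"  # first step of WAPI
X_FST = "X frame/FST"        # first step of the newly added protocol (AP -> MT)
X_FORCE = "X frame/Force"
X_SELECT = "X frame/Select"
X_CLOSE = "X frame/Close"

# Outcome reported by each side.
WAPI, NEW, FAIL, WAITING = "WAPI", "new protocol", "failure", "waiting"


@dataclass
class MobileTerminal:
    """Fig. 5.  nap=None models a terminal that implements only original WAPI."""
    nap: Optional[str]            # "C", "F", "S" or None
    timeout: float
    result: str = WAITING

    def on_timeout(self) -> Optional[str]:
        """Step (5.3): propose a protocol according to NAP."""
        if self.nap == "F":
            return X_FORCE
        if self.nap == "S":
            return X_SELECT
        if self.nap == "C":
            return X_CLOSE        # (5.3.3): any frame other than Force/Select
        return None               # legacy terminal: waits for the AP to start WAPI

    def on_frame(self, frame: str) -> None:
        """Step (5.4): react to the first frame the AP sends."""
        if self.nap is None:      # legacy terminal understands only WAPI frames
            if frame == WAPI_ACTIVATE:
                self.result = WAPI
            return
        if frame == WAPI_ACTIVATE and self.nap in ("C", "S"):
            self.result = WAPI                               # (5.4.1)
        elif frame == X_FST and self.nap in ("S", "F"):
            self.result = NEW                                # (5.4.2)
        elif frame in (WAPI_ACTIVATE, X_FST):
            self.result = FAIL                               # (5.4.3)
        # any other frame: back to (5.3)/(5.2); the AP below never sends one


@dataclass
class AccessPoint:
    """Fig. 6.  nap=None models an AP that implements only original WAPI."""
    nap: Optional[str]
    prf: str = "O"                # "N" = prefer the new protocol when NAP is "S"
    timeout: float = 2.0
    result: str = WAITING

    def _start(self, which: str) -> Optional[str]:
        self.result = which
        return {WAPI: WAPI_ACTIVATE, NEW: X_FST}.get(which)  # FAIL sends nothing

    def on_timeout(self) -> Optional[str]:
        """Step (6.3): nothing was proposed (legacy terminal or lost frame)."""
        return self._start(FAIL if self.nap == "F" else WAPI)

    def on_frame(self, frame: str) -> Optional[str]:
        """Steps (6.4) to (6.6)."""
        if self.nap is None:
            return None           # legacy AP discards X frames (Fig. 8)
        if frame == X_FORCE:                                             # (6.4)
            return self._start(NEW if self.nap in ("S", "F") else FAIL)
        if frame == X_SELECT:                                            # (6.5)
            if self.nap == "S":
                return self._start(NEW if self.prf == "N" else WAPI)
            return self._start(NEW if self.nap == "F" else WAPI)
        if frame == X_CLOSE:                                             # (6.6)
            return self._start(WAPI if self.nap in ("C", "S") else FAIL)
        return None


def negotiate(mt: MobileTerminal, ap: AccessPoint) -> Tuple[str, str, List[str]]:
    """Run one negotiation; returns (MT result, AP result, frames on the air)."""
    trace: List[str] = []
    if mt.timeout < ap.timeout:
        proposal = mt.on_timeout()          # MT times out first, as required
        if proposal:
            trace.append("MT: " + proposal)
        reply = ap.on_frame(proposal) if proposal else None
        if ap.result == WAITING:            # no usable proposal: AP timeout fires
            reply = ap.on_timeout()
    else:
        reply = ap.on_timeout()             # mis-set timeouts: AP starts alone
    if reply:
        trace.append("AP: " + reply)
        mt.on_frame(reply)
    else:
        mt.result = FAIL                    # AP reported failure and disassociated
    return mt.result, ap.result, trace


def outcome(mt_nap, ap_nap, prf="O", mt_timeout=1.0, ap_timeout=2.0):
    """Convenience wrapper returning just the two results."""
    mt_res, ap_res, _ = negotiate(MobileTerminal(mt_nap, mt_timeout),
                                  AccessPoint(ap_nap, prf, ap_timeout))
    return mt_res, ap_res


if __name__ == "__main__":
    runs = {"Fig. 7": (None, "S", "N"), "Fig. 8": ("S", None, "O"),
            "Fig. 9": ("S", "F", "O"), "Fig. 10": ("S", "S", "N")}
    for name, (m, a, p) in runs.items():
        print(name, negotiate(MobileTerminal(m, 1.0), AccessPoint(a, p, 2.0)))
    # Fig. 10 again, but with the AP timeout shorter than the MT timeout.
    print("Fig. 10, AP timeout too short:", outcome("S", "S", "N", 3.0, 2.0))
```

Running the module prints the frame trace of each figure; `outcome()` returns the pair of results so that every NAP/PRF combination, and the effect of the timeout ordering, can be tabulated. Note that with a legacy access point and a terminal forcing the new protocol, the AP starts WAPI while the terminal reports failure, which is the "only WAPI or report failure" behaviour the summary describes.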

Claims (18)

1. A method for extending a wireless LAN authentication protocol, which adds another authentication protocol to the IEEE 802.11 wireless LAN security standard WAPI, in particular a method for adding an authentication protocol based on a key shared between the access point and the mobile terminal, and an authentication protocol based on EAP, together with a selection mechanism between the original WAPI and the newly added protocol.
2. The method of claim 1, wherein the access point and the mobile terminal may each have the extended function described in the invention, or have only the original WAPI function without the extended function; the access point and the mobile terminal may each force use of the original WAPI or of the newly added protocol, or negotiate; when both have the newly added protocol, WAPI or the newly added protocol is selected, and when either side lacks the newly added protocol, the original WAPI is used; and a new data type is added outside the authentication data types defined by the original WAPI, or a new packet type is added within that authentication data type, to carry the negotiation information and the data of the newly added protocol.
3. The method of claim 1, wherein the state machine of mobile terminal MT5 when negotiating a protocol with access point AP5 is characterised in that:
first, a state variable NAP (Newly Added Protocol) is introduced, whose possible values are C (Closed), F (Forced) and S (Selected):
◆ the intuitive meaning of "C" is that the newly added protocol is closed, so the original WAPI must be used;
◆ the intuitive meaning of "F" is that use of the newly added protocol is forced;
◆ the intuitive meaning of "S" is that the original WAPI or the newly added protocol is chosen as follows:
■ when the other side does not support, or has closed, the newly added protocol, the original WAPI is used;
■ when the other side forces use of the newly added protocol, the newly added protocol is used;
■ when the other side is also set to select, the protocol is decided by the value of another state variable PRF (Preferable): if its value is "N" (New), the newly added protocol is selected; otherwise the original WAPI is selected;
secondly, to implement the protocol negotiation between the mobile terminal and the access point, and the data transfer of the newly added protocol, the method also introduces one or more new Ethernet frames, or uses certain existing Ethernet frames (such as the WAPI frame), and distinguishes several authentication packet types within these frames; for generality, these newly introduced or existing frames are uniformly denoted "X frame" below; the authentication packet types the method uses to implement protocol negotiation are:
◆ the "Close" authentication packet type, whose corresponding Ethernet frame is called "X frame/Close",
◆ the "Force" authentication packet type, whose corresponding Ethernet frame is called "X frame/Force",
◆ the "Select" authentication packet type, whose corresponding Ethernet frame is called "X frame/Select";
the steps of the method are as follows (see the flow of Fig. 5), where "X frame/FST" denotes the Ethernet frame from the access point to the mobile terminal at the start of the newly added protocol (for the four-way authentication protocol, "X frame/FST" stands for "X frame/four-way start"; for the EAP protocol, "X frame/FST" stands for "X frame/EAP request"):
(5.1) MT5 associates with AP5 (Association); once association is complete (and MT5 is thus in the associated state), go to (5.2);
(5.2) MT5 enters the wait state; on timeout, go to (5.3); on receiving a "WAPI frame" or an "X frame" from AP5, go to (5.4);
(5.3) MT5 performs one of the following three steps according to the current value of the variable NAP and, when done, returns to (5.2):
(5.3.1) if the NAP value is "F", MT5 sends "X frame/Force" to AP5;
(5.3.2) if the NAP value is "S", MT5 sends "X frame/Select" to AP5;
(5.3.3) if NAP is neither of the above, MT5 sends AP5 any Ethernet frame that is neither "X frame/Force" nor "X frame/Select";
(5.4) if the frame MT5 received is neither "WAPI frame/authentication activation" nor "X frame/FST", go to (5.3); otherwise perform one of the following three steps:
(5.4.1) if it received "WAPI frame/authentication activation" and the NAP value is "C" or "S", MT5 begins to run WAPI;
(5.4.2) if it received "X frame/FST" and the NAP value is "S" or "F", MT5 begins to run the newly added protocol;
(5.4.3) if the frame received matches neither of the two cases above, MT5 reports failure and disassociates from AP5.
4, according to the method for claim 3, wherein select for use different being used to realize the discriminating packet type of transfer of data according to the new difference that adds agreement, concerning " four road authentication protocols ", this method is selected for use and is differentiated that packet type is as follows:
◆ " the four tunnel start " differentiates packet type, and corresponding Ether frame is called " X frame/four tunnel start ",
◆ " four tunnel requests " differentiates packet type, and corresponding Ether frame is called " X frame/four tunnel requests ",
◆ " the four tunnel reply " differentiates packet type, and corresponding Ether frame is called " X frame/four tunnel reply ",
◆ " four tunnel successes " differentiates that packet type, corresponding Ether frame are called " X frame/four tunnel successes ".
5, according to the method for claim 3, wherein select for use different being used to realize the discriminating packet type of transfer of data according to the new difference that adds agreement, concerning " EAP agreement ", this method is selected for use and is differentiated that packet type is as follows:
◆ " EAP request " differentiates packet type, and corresponding Ether frame is called " X frame/EAP request ",
◆ " EAP replys " differentiates packet type, and corresponding Ether frame is called " X frame/EAP replys ",
◆ " EAP success " differentiates that packet type, corresponding Ether frame are called " X frame/EAP success ",
◆ " EAP failure " differentiates packet type, and corresponding Ether frame is called " X frame/EAP failure ".
6, according to the method for claim 3, wherein this method also can require to add new discriminating type of message at the WAPI message that is used between access point and the authentication server; These concrete conditions of differentiating type of message are determined by concrete Extended Protocol.
7, according to the method for claim 3, unless wherein MT5 only has original WAPI function and do not have the function of expansion described in the invention, MT5 always proposes the side that agreement is selected earlier; This shows that MT5 initiatively sends protocol negotiation information according to its NAP table variate-value under the condition of the information of not receiving AP5.
8, according to the method for claim 3, though wherein MT5 sends agreement and selects information, can not look to AP5 to answer to some extent fully to its information, at first, send and the information answered all might be lost; Moreover AP5 may only support original WAPI and not support the inventive method; But in this case, AP5 may be own initiatively sending " WAPI frame/discriminating excites " starts discrimination process, so after receiving the information that AP5 sends, MT5 must make judgement again according to its NAP variate-value, makes response.
9, according to the method for claim 2, wherein do not comprise portable terminal according to IEEE802.11 to IEEE802.11 control frame and management frames, and according to the processing of the standard GB15629.11-2003 of the People's Republic of China (PRC) to corresponding control frame and management frames.
10, according to the method for claim 2, wherein the description of state machine has comprised all, only get forever under the situation of certain fixed value at known state variable NAP, the judgement of these state variables and useless branch are produced simpler state machine by saving.
11. The method of claim 1, wherein the state machine of access point AP5 when negotiating a protocol with mobile terminal MT5 is characterised as follows:
first, a state variable NAP (Newly Added Protocol) is introduced, whose possible values are C (Closed), F (Forced) and S (Selected):
◆ the intuitive meaning of "C" is that the newly added protocol is closed, so the original WAPI must be used;
◆ the intuitive meaning of "F" is that use of the newly added protocol is forced;
◆ the intuitive meaning of "S" is that the original WAPI or the newly added protocol is chosen as follows:
■ when the other side does not support, or has closed, the newly added protocol, the original WAPI is used;
■ when the other side forces use of the newly added protocol, the newly added protocol is used;
■ when the other side is also set to select, the protocol is decided by the value of another state variable PRF (Preferable): if its value is "N" (New), the newly added protocol is selected; otherwise the original WAPI is selected;
secondly, to implement the protocol negotiation between the mobile terminal and the access point, and the data transfer of the newly added protocol, the method also introduces one or more new Ethernet frames, or uses certain existing Ethernet frames (such as the WAPI frame), and distinguishes several authentication packet types within these frames; for generality, these newly introduced or existing frames are uniformly denoted "X frame" below; the authentication packet types the method uses to implement protocol negotiation are:
◆ the "Close" authentication packet type, whose corresponding Ethernet frame is called "X frame/Close",
◆ the "Force" authentication packet type, whose corresponding Ethernet frame is called "X frame/Force",
◆ the "Select" authentication packet type, whose corresponding Ethernet frame is called "X frame/Select";
the steps of the method are as follows (see the flow of Fig. 6), where "X frame/FST" denotes the Ethernet frame from the access point to the mobile terminal at the start of the newly added protocol (for the four-way authentication protocol, "X frame/FST" stands for "X frame/four-way start"; for the EAP protocol, "X frame/FST" stands for "X frame/EAP request"):
(6.1) AP5 associates with MT5 (Association); once association is complete (and AP5 is thus in the associated state), go to (6.2);
(6.2) AP5 enters the wait state; on timeout, go to (6.3); on receiving an "X frame" from MT5, go to (6.4);
(6.3) if the NAP value is "F", AP5 reports failure and disassociates from MT5; otherwise AP5 begins to run WAPI;
(6.4) if the frame received is "X frame/Force", AP5 performs the following two steps; otherwise go to (6.5):
(6.4.1) if the NAP value is "S" or "F", AP5 begins to run the newly added protocol;
(6.4.2) otherwise, i.e. the NAP value is "C", AP5 reports failure and disassociates from MT5;
(6.5) if the frame received is "X frame/Select", AP5 performs step (6.5.1); otherwise go to (6.6):
(6.5.1) if the NAP value is "S" or "F", AP5 performs step (6.5.1.1); otherwise go to (6.5.2);
(6.5.1.1) if the NAP value is "S", AP5 performs one of the following two steps; otherwise go to (6.5.1.2);
(6.5.1.1.1) if the PRF value is "N", AP5 begins to run the newly added protocol;
(6.5.1.1.2) otherwise AP5 begins to run WAPI;
(6.5.1.2) the NAP value is now "F": AP5 begins to run the newly added protocol;
(6.5.2) the NAP value is now "C": AP5 begins to run WAPI;
(6.6) if the frame received is "X frame/Close" and the NAP value is "C" or "S", AP5 begins to run WAPI; otherwise the NAP value is "F", and AP5 reports failure and disassociates from MT5.
12, according to the method for claim 11, wherein select for use different being used to realize the discriminating packet type of transfer of data according to the new difference that adds agreement, concerning " four road authentication protocols ", this method is selected for use and is differentiated that packet type is as follows:
◆ " the four tunnel start " differentiates packet type, and corresponding Ether frame is called " X frame/four tunnel start ",
◆ " four tunnel requests " differentiates packet type, and corresponding Ether frame is called " X frame/four tunnel requests ",
◆ " the four tunnel reply " differentiates packet type, and corresponding Ether frame is called " X frame/four tunnel reply ",
◆ " four tunnel successes " differentiates that packet type, corresponding Ether frame are called " X frame/four tunnel successes ".
13, according to the method for claim 11, wherein select for use different being used to realize the discriminating packet type of transfer of data according to the new difference that adds agreement, concerning " EAP agreement ", this method is selected for use and is differentiated that packet type is as follows:
◆ " EAP request " differentiates packet type, and corresponding Ether frame is called " X frame/EAP request ",
◆ " EAP replys " differentiates packet type, and corresponding Ether frame is called " X frame/EAP replys ",
◆ " EAP success " differentiates that packet type, corresponding Ether frame are called " X frame/EAP success ",
◆ " EAP failure " differentiates packet type, and corresponding Ether frame is called " X frame/EAP failure ".
14, according to the method for claim 11, wherein this method also can require to add new discriminating type of message at the WAPI message that is used between access point and the authentication server; These concrete conditions of differentiating type of message are determined by concrete Extended Protocol.
15, according to claim 11 described methods, wherein AP5 expectation MT5 proposes the agreement selection earlier, and then select to begin to carry out original WAPI agreement or initiate agreement according to agreement, consider as MT5 and do not have under the situation that expanded function described in the invention can't propose agreement selection because of only having original WAPI function, AP5 can take place overtime, at this moment, as the NAP value is " C " or " S ", AP5 then begins to carry out the WAPI agreement, and the first step of wherein carrying out WAPI is to send " WAPI frame/discriminating activates ".
16, according to claim 11 described methods, wherein " overtime " of access point handles and not have expanded function described in the invention for handle mobile terminal only has the WAPI function and can't propose the situation that agreement selects and be provided with, so access point overtime must be provided with than the overtime length of portable terminal, thereby make the portable terminal of supporting the inventive method can be overtime earlier and send " X frame " with the startup protocol negotiation.
17, according to claim 11 described methods, wherein do not comprise portable terminal according to IEEE802.11 to IEEE802.11 control frame and management frames, and according to the processing of the standard GB15629.11-2003 of the People's Republic of China (PRC) to corresponding control frame and management frames.
18, according to the method for claim 11, wherein the description of state machine has comprised all, only get forever under the situation of certain fixed value at known state variable NAP or PRF, the judgement of these state variables and useless branch are produced simpler state machine by saving.
CN 200410003451 2004-03-16 2004-03-16 A method for expanding WLAN authentication protocol Pending CN1671136A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410003451 CN1671136A (en) 2004-03-16 2004-03-16 A method for expanding WLAN authentication protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200410003451 CN1671136A (en) 2004-03-16 2004-03-16 A method for expanding WLAN authentication protocol

Publications (1)

Publication Number Publication Date
CN1671136A true CN1671136A (en) 2005-09-21

Family

ID=35042197

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200410003451 Pending CN1671136A (en) 2004-03-16 2004-03-16 A method for expanding WLAN authentication protocol

Country Status (1)

Country Link
CN (1) CN1671136A (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100388664C (en) * 2005-12-16 2008-05-14 西安电子科技大学 Access method for realizing WLAN multi mode safety identification
CN100369446C (en) * 2006-02-28 2008-02-13 西安西电捷通无线网络通信有限公司 Method for testing safety switch-in protocol conformity of turn-on point and system thereof
WO2007098694A1 (en) * 2006-02-28 2007-09-07 China Iwncomm Co., Ltd. Method for testing safety access protocol conformity to identification service entity and system thereof
US8417951B2 (en) 2008-05-09 2013-04-09 China Iwncomm Co., Ltd. Roaming authentication method based on WAPI
CN101478753B (en) * 2009-01-16 2010-12-08 中兴通讯股份有限公司 Security management method and system for IMS network access by WAPI terminal
CN101715190B (en) * 2009-11-04 2013-08-21 中兴通讯股份有限公司 System and method for realizing authentication of terminal and server in WLAN (Wireless Local Area Network)
WO2010149118A1 (en) * 2009-11-04 2010-12-29 中兴通讯股份有限公司 System, method and terminal for authenticating terminals and servers in a wireless local area network
CN101783753B (en) * 2010-02-09 2012-04-25 工业和信息化部电信传输研究所 Method and system for analyzing wireless local area network authentication and privacy infrastructure protocol
CN101795463B (en) * 2010-02-09 2012-10-31 工业和信息化部电信传输研究所 Method and system for analyzing WLAN authentication and privacy infrastructure protocol
CN102238652A (en) * 2010-04-26 2011-11-09 英特尔公司 Method, apparatus and system for fast session transfer for multiple frequency band wireless communication
US8599813B2 (en) 2010-04-26 2013-12-03 Intel Corporation Method, apparatus and system for fast session transfer for multiple frequency band wireless communication
US8654746B2 (en) 2010-04-26 2014-02-18 Intel Corporation Method, apparatus and system for fast session transfer for multiple frequency band wireless communication
US8737368B2 (en) 2010-04-26 2014-05-27 Intel Corporation Method, apparatus and system for switching traffic streams among multiple frequency bands
US8885621B2 (en) 2010-04-26 2014-11-11 Intel Corporation Method, apparatus and system for switching traffic streams among multiple bands
CN102238652B (en) * 2010-04-26 2014-11-26 英特尔公司 Method, apparatus and system for fast session transfer for multiple frequency band wireless communication

Similar Documents

Publication Publication Date Title
CN1719795A (en) Device and process for wireless local area network association and related products
CN1701561A (en) Authentication system based on address, device thereof, and program
CN1104118C (en) Process for computer-controlled exchange of cryptographic keys between first and second computer unit
US8000478B2 (en) Key handshaking method and system for wireless local area networks
CN1859729A (en) Authentifying method and relative information transfer method
CN1906883A (en) Enabling stateless server-based pre-shared secrets
CN101047587A (en) System and method for access external network of non-radio local network terminal
CN1875598A (en) Apparatuses and method for authentication in heterogeneuous IP networks
CN1636356A (en) Internet protocol based wireless communication arrangements
CN101076976A (en) Authentication system, authentication method, and authentication information generation program
CN1805333A (en) Data security in wireless network system
CN1689367A (en) Security and privacy enhancements for security devices
CN1714542A (en) Identification information protection method in WLAN interconnection
CN1961557A (en) Method and system for a secure connection in communication networks
CN1751533A (en) Method for creating and distributing cryptographic keys in a mobile radio system, and corresponding mobile radio system
CN1668005A (en) An access authentication method suitable for wired and wireless network
CN1681238A (en) Key allocating method and key allocation system for encrypted communication
CN1929398A (en) Security setting method in wireless communication network, storage medium, network system and client device
CN1781294A (en) Security in a communications network
CN101064606A (en) System, apparatus and method for authentication
CN1564626A (en) Radio LAN security access method based on roaming key exchange authentication protocal
CN1578533A (en) Communication system, communication method, base station apparatus, controller, device, and recording medium storing control program
CN101051898A (en) Certifying method and its device for radio network end-to-end communication
CN1929371A (en) Method for negotiating key share between user and peripheral apparatus
CN1708018A (en) Method for switching in radio local-area network mobile terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication