CN1953445A - A method and installation to resolve the safety problem for certificate cancellation in WAPI - Google Patents
Abstract
The invention relates to a method and device for solving the certificate revocation security problem in WAPI. The method defines a new procedure: (1) when the ASU revokes a STA's certificate, it sends a certificate revocation notification to the AP; (2) the AP receives the notification, deletes the STA's session record and marks the STA as not link-verified; (3) the AP sends a de-link-verification notification to the STA. The invention also defines the corresponding data structures and processing structures, closing the security hole left by the existing rules.
Description
Technical field
The present invention relates to the field of network communication, and in particular to a method and apparatus for solving the certificate revocation security problem in the WAPI process of a wireless local area network (WLAN).
Background technology
A wireless local area network (WLAN) is a computer local area network that communicates over a wireless medium. Mechanically it is similar to an 802.3 LAN, and information is exchanged by broadcast. Unlike a wired LAN, however, a WLAN has no clear network boundary, so any STA can enter the network without restriction and eavesdrop on all communication in it. This is the WLAN security problem.
To address it, the Chinese national standard GB 15629.11-2003 stipulates that the WAPI mechanism be used to secure WLANs. WAPI consists of two parts, WAI and WPI. WAI is responsible for certificate management, certificate authentication and key agreement; WPI is responsible for data encryption and decryption. Fig. 1 shows an example of a WLAN using the WAPI mechanism.
A WLAN that uses the WAPI security architecture comprises the following parts:
(1) ASU: the authentication service unit is the most important component in WAPI. The ASE resides in the ASU and implements the generation, distribution, storage, revocation and update of user certificates, as well as authentication services. The ASU provides these services to the APs and STAs within its management range; one ASU can manage one or more BSSs.
(2) AP: the WLAN access point is responsible for establishing a BSS and managing all communication terminals in that BSS. The AE resides in the AP and implements AP identity authentication, relaying of the STA certificate authentication process, key agreement, and encryption and decryption.
(3) STA: the WLAN terminal is the endpoint of WLAN communication. The ASUE resides in the STA and implements the STA's identity authentication, key agreement, and encryption and decryption functions.
Together, the ASU (with its ASE), the AE and the ASUE form the WAPI security architecture and mechanism.
The WAPI mechanism provides complete identity authentication and data confidentiality. Fig. 2 shows the steps of the WAPI process:
(1) The AP sends an authentication activation request to the STA.
(2) On receiving the request, the STA sends an access authentication request PDU, which contains its certificate information.
(3) On receiving the access authentication request, the AP appends its own certificate signature to the request and sends a certificate authentication request to the ASU.
(4) On receiving the certificate authentication request, the ASU authenticates the STA certificate and the AP certificate it contains and returns a certificate authentication response PDU.
(5) On receiving the certificate authentication response PDU, the AP generates an access authentication response PDU and returns it to the STA.
(6) After the authentication process finishes, the unicast key agreement phase begins: the AP sends a key negotiation request PDU to the STA.
(7) The STA returns a key negotiation response PDU.
(8) After unicast key agreement completes, the multicast key negotiation process begins: the AP sends a multicast key notification PDU to the STA.
(9) The STA returns a multicast key response PDU.
(10) Once all of the above steps have completed, the STA and the AP can use the negotiated keys for bidirectional data communication.
(11) During communication, the AP may perform a new key agreement with the STA according to some policy, that is, repeat steps (6) to (10).
From Fig. 2 and the description above, it is clear that a STA is authenticated only when it joins the network; once it has joined successfully, no further identity authentication takes place during communication. This leaves the following security hole: if, during communication, the ASU determines that a STA's certificate has become invalid, or an administrator marks a STA as an illegal user, then, because WAI defines no rules for handling this case, the ASU has revoked the STA's identity certificate but the AP is never notified. The STA therefore remains in the BSS with the identity of a legitimate user and continues to communicate without restriction. Even if the AP performs a new key agreement during communication, it cannot identify this illegal STA.
The present invention is an improvement directed at this hole.
Summary of the invention
The invention provides a method and apparatus for solving the WAPI certificate revocation security problem. It effectively closes this security hole while remaining compatible with the WAPI specifications, and so resolves the security problem caused by WAPI certificate revocation. The components involved in the invention comprise: an authentication service unit ASU; an authentication service entity ASE; a WLAN service access point AP; an authenticator entity AE; and several WLAN stations STA.
The invention defines two related data structures: (1) the revocation notification protocol data unit, Revoke PDU; (2) the revocation notification response protocol data unit, RevokeRsp PDU.
The invention also defines the processing structures for these data structures: (1) an MMPDU receive buffer; (2) a protocol decoder and processor.
The invention further discloses a method for solving the certificate revocation security problem in WAPI, which establishes the interaction between the components above. It comprises the following steps:
(1) When a STA joins a BSS, the identity authentication and key agreement process defined by the WAPI specification is carried out.
(2) After the WAPI process completes successfully, bidirectional data communication begins.
(3) After the authentication service unit ASU revokes the certificate of a STA, it sends a certificate revocation protocol data unit, Revoke PDU, to the AP. This unit contains the MAC address of the revoked STA.
(4) When the AP receives the Revoke PDU, it stores it in the MMPDU receive buffer. The AP's protocol decoder and processor extracts this management unit, deletes the session record of the STA identified by the MAC address, and marks the STA's state as not link-verified. It then sends a de-link-verification protocol data unit, Disauthentication PDU, to that STA. This PDU is a notification message and requires no acknowledgement.
(5) The AP then sends a revocation response protocol data unit, RevokeRsp PDU, back to the authentication service unit ASU.
Description of drawings
Fig. 1 is a schematic diagram of a WLAN that uses the WAPI mechanism;
Fig. 2 is a schematic diagram of the WAPI process;
Fig. 3 is a schematic structural diagram of a device implementing the method of the invention;
Fig. 4 is a flow chart of solving the WAPI revocation problem based on the device of Fig. 3.
Embodiment
Referring to Fig. 1, the WAPI-based WLAN structure involved in the invention comprises: an authentication service unit ASU; an authentication service entity ASE; a WLAN service access point AP; an authenticator entity AE; and several WLAN stations STA.
The authentication service unit ASU is the part of WAPI responsible for certificate management and certificate authentication. The ASU contains the authentication service entity ASE, which implements the generation, distribution, storage, revocation and update of user certificates, as well as authentication services.
The WLAN station STA is the endpoint of WLAN communication.
The WLAN service access point AP is responsible for establishing a BSS and managing all communication terminals in that BSS. The authenticator entity AE resides in the AP and implements AP identity authentication, relaying of the STA certificate authentication process, and key agreement.
Referring to Fig. 3, this figure shows the data structures and processing units that implement the invention.
In the access point AP, two protocol data structures are defined for exchanging certificate revocation information between the ASU and the AP: a revocation notification protocol data unit, Revoke PDU, and a revocation notification response protocol data unit, RevokeRsp PDU. The Revoke PDU header follows the WAPI protocol packet format, except that the subtype field in the header is set to "certificate revocation type"; the data body contains only the MAC address of the revoked STA. The RevokeRsp PDU header likewise follows the WAPI protocol packet format, except that the subtype field in the header is set to "certificate revocation response type"; its data body also contains only the MAC address of the revoked STA.
The access point AP also contains the components that handle revocation: an MMPDU receive buffer, and a protocol decoder and processor. The MMPDU receive buffer stores the received MAC management protocol data units, including the revocation protocol data unit Revoke PDU. The protocol decoder and processor decodes the units stored in the MMPDU receive buffer and processes them according to their type.
Referring to Fig. 4, this figure shows the concrete processing flow:
(1) When a STA joins a BSS, the identity authentication and key agreement process defined by the WAPI specification is carried out.
(2) After the WAPI process completes successfully, bidirectional data communication begins.
(3) After the authentication service unit ASU revokes the certificate of a STA, it sends a certificate revocation protocol data unit, Revoke PDU, to the AP. This unit contains the MAC address of the revoked STA.
(4) When the AP receives the Revoke PDU, it stores it in the MMPDU receive buffer. The AP's protocol decoder and processor extracts this management unit, deletes the session record of the STA identified by the MAC address, and marks the STA's state as not link-verified. It then sends a de-link-verification protocol data unit, Disauthentication PDU, to that STA. This PDU is a notification message and requires no acknowledgement.
(5) The AP then sends a revocation response protocol data unit, RevokeRsp PDU, back to the authentication service unit ASU.
The above are only specific embodiments of the invention. Its scope of protection is not limited to them, and any variation that a person skilled in the art can conceive falls within the scope of protection of the invention.
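As an added example (not code from the patent), the following Python models the AP side of steps (3) to (5) in both the summary and the flow above: a Revoke PDU lands in the MMPDU receive buffer, the decoder deletes the session record for the carried MAC address, marks the STA not link-verified, and emits the Disauthentication PDU and the RevokeRsp PDU. The header layout, the numeric subtype values and the handling of a MAC address unknown to the AP are constructed assumptions for the demo, not the WAPI wire format.

```python
import struct

# Constructed header layout for this demo (not the GB 15629.11 wire format):
# version(2) | type(1) | subtype(1) | total length(2), big-endian.
HDR = struct.Struct(">HBBH")
WAI_VERSION, TYPE_WAI = 1, 1
SUBTYPE_REVOKE = 0x80       # "certificate revocation type" (numeric value assumed)
SUBTYPE_REVOKE_RSP = 0x81   # "certificate revocation response type" (assumed)
SUBTYPE_DISAUTH = 0x82      # Disauthentication notice to the STA (assumed)
LINK_VERIFIED, NOT_LINK_VERIFIED = "link-verified", "not-link-verified"


def build_pdu(subtype: int, mac: bytes) -> bytes:
    """Revoke/RevokeRsp/Disauthentication PDU: header plus the 6-byte STA MAC."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return HDR.pack(WAI_VERSION, TYPE_WAI, subtype, HDR.size + len(mac)) + mac


def parse_pdu(buf: bytes):
    """Decode one PDU taken from the MMPDU receive buffer -> (subtype, body)."""
    if len(buf) < HDR.size:
        raise ValueError("short PDU")
    version, ptype, subtype, length = HDR.unpack_from(buf)
    if version != WAI_VERSION or ptype != TYPE_WAI or length != len(buf):
        raise ValueError("bad PDU header")
    return subtype, buf[HDR.size:]


class AccessPoint:
    def __init__(self):
        self.sessions = {}    # STA MAC -> negotiated session key (session record)
        self.link_state = {}  # STA MAC -> link verification state
        self.mmpdu_rx = []    # MMPDU receive buffer area

    def admit(self, mac: bytes, key: bytes):
        """Steps (1)-(2): the STA passed WAPI authentication and key agreement."""
        self.sessions[mac] = key
        self.link_state[mac] = LINK_VERIFIED

    def accepts_data(self, mac: bytes) -> bool:
        """Data frames are accepted only from a link-verified STA with a session."""
        return mac in self.sessions and self.link_state.get(mac) == LINK_VERIFIED

    def handle_mmpdu(self, pdu: bytes) -> dict:
        """Step (4): buffer, decode and act on a Revoke PDU; returns PDUs to send."""
        self.mmpdu_rx.append(pdu)
        subtype, body = parse_pdu(self.mmpdu_rx.pop(0))
        if subtype != SUBTYPE_REVOKE:
            return {}
        mac = body[:6]
        if mac not in self.sessions:
            # STA not in this BSS: nothing to tear down, but still answer the ASU (assumption)
            return {"to_asu": build_pdu(SUBTYPE_REVOKE_RSP, mac)}
        del self.sessions[mac]                    # delete the STA's session record
        self.link_state[mac] = NOT_LINK_VERIFIED  # mark it as not link-verified
        return {"to_sta": build_pdu(SUBTYPE_DISAUTH, mac),     # notice, no reply expected
                "to_asu": build_pdu(SUBTYPE_REVOKE_RSP, mac)}  # step (5)


def demo():
    """Constructed scenario: a STA is admitted, then the ASU revokes its certificate."""
    sta = bytes.fromhex("001122334455")  # constructed MAC address
    ap = AccessPoint()
    ap.admit(sta, key=b"\x01" * 16)
    before = ap.accepts_data(sta)
    out = ap.handle_mmpdu(build_pdu(SUBTYPE_REVOKE, sta))
    return before, ap.accepts_data(sta), out
```

After the Revoke PDU is processed, `accepts_data` turns false for that MAC even though the STA never re-authenticated, which is exactly the gap the background section describes.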
Claims (5)
1. A device for solving the certificate revocation security problem in WAPI, characterised in that the components involved comprise: an authentication service unit ASU; an authentication service entity ASE; a WLAN service access point AP; an authenticator entity AE; and several WLAN stations STA.
2. The device according to claim 1, characterised in that the protocol data structures for exchanging certificate revocation information between the ASU and the AP comprise: a revocation notification protocol data unit, Revoke PDU, and a revocation notification response protocol data unit, RevokeRsp PDU.
3. The device according to claim 1, characterised in that the components of the WLAN service access point AP responsible for handling revocation are composed as follows: an MMPDU receive buffer, and a protocol decoder and processor.
4. The device according to claim 1, used to establish the interaction between the components above, characterised in that it comprises the following steps:
(1) When a STA joins a BSS, the identity authentication and key agreement process defined by the WAPI specification is carried out.
(2) After the WAPI process completes successfully, bidirectional data communication begins.
(3) After the authentication service unit ASU revokes the certificate of a STA, it sends a certificate revocation protocol data unit, Revoke PDU, to the AP. This unit contains the MAC address of the revoked STA.
(4) When the AP receives the Revoke PDU, it stores it in the MMPDU receive buffer. The AP's protocol decoder and processor extracts this management unit, deletes the session record of the STA identified by the MAC address, and marks the STA's state as not link-verified. It then sends a de-link-verification protocol data unit, Disauthentication PDU, to that STA. This PDU is a notification message and requires no acknowledgement.
(5) The AP then sends a revocation response protocol data unit, RevokeRsp PDU, back to the authentication service unit ASU.
5. A method for solving the certificate revocation security problem in WAPI according to claim 4, characterised in that the identity authentication and key agreement process defined by the WAPI specification comprises the following steps:
(1) The AP sends an authentication activation request to the STA.
(2) On receiving the request, the STA sends an access authentication request PDU, which contains its certificate information.
(3) On receiving the access authentication request, the AP appends its own certificate signature to the request and sends a certificate authentication request to the ASU.
(4) On receiving the certificate authentication request, the ASU authenticates the STA certificate and the AP certificate it contains and returns a certificate authentication response PDU.
(5) On receiving the certificate authentication response PDU, the AP generates an access authentication response PDU and returns it to the STA.
(6) After the authentication process finishes, the unicast key agreement phase begins: the AP sends a key negotiation request PDU to the STA.
(7) The STA returns a key negotiation response PDU.
(8) After unicast key agreement completes, the multicast key negotiation process begins: the AP sends a multicast key notification PDU to the STA.
(9) The STA returns a multicast key response PDU.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2005101142142A CN1953445A (en) | 2005-10-21 | 2005-10-21 | A method and installation to resolve the safety problem for certificate cancellation in WAPI |
Publications (1)
Publication Number | Publication Date |
---|---|
CN1953445A true CN1953445A (en) | 2007-04-25 |
Family
ID=38059563
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2005101142142A Pending CN1953445A (en) | 2005-10-21 | 2005-10-21 | A method and installation to resolve the safety problem for certificate cancellation in WAPI |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1953445A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101568116B (en) * | 2009-05-19 | 2011-03-02 | 中兴通讯股份有限公司 | Method for obtaining certificate state information and certificate state management system |
CN101895884A (en) * | 2010-06-29 | 2010-11-24 | 北京星网锐捷网络技术有限公司 | Method, system and device for updating WAPI certificate |
CN101895884B (en) * | 2010-06-29 | 2012-12-12 | 北京星网锐捷网络技术有限公司 | Method, system and device for updating WAPI certificate |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C02 | Deemed withdrawal of patent application after publication (patent law 2001) | |
| | WD01 | Invention patent application deemed withdrawn after publication | Open date: 20070425 |