JP2006191452A - Encryption key distribution method in radio network, and master unit and subunit - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To enable distribution of an encryption key which is different subunit by subunit without any restriction in the number of connectable subunits, and to make it unnecessary to connect to an authentication server each time authentication processing is performed. <P>SOLUTION: When a subunit receives a beacon frame, in case that a master unit address, a master session key, a validity period and an encrypted master session key data block are existent in a master unit database, and further the validity period is valid, then an authentication request frame including the encrypted master session key data block is transmitted to the master unit, so as to start the authentication processing. In other cases than the above, the master unit address is either registered or updated, and further, from the authentication server when accessible to the authentication server, the subunit obtains the master session key corresponding to the master unit address registered in the master unit database, the validity period of the master session key concerned, and the encrypted master session key data block, so as to register to the master unit database. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a method for distributing an encryption key used for authentication or encryption between a parent device and a child device in a wireless network such as a wireless LAN, the parent device, and the child device.

  In recent years, a hot spot service has been provided in which a user downloads electronic data such as news using a wireless LAN in a station premises or the like. However, since wireless LAN is easy to impersonate and wiretap due to the nature of the medium, partner authentication and encryption of communication data are performed, and various key sharing means for that purpose have been proposed.

  For example, in the WEP (Wired Equivalent Privacy) specification of the wireless LAN standard IEEE 802.11a / b / g, the base unit (AP: Access Point) and handset (STA: Station) manually set a fixed-length common encryption key in advance. Key sharing is performed by setting (Non-Patent Document 1). Since the parent device shares the same common encryption key among a plurality of child devices, communication data encrypted by a certain child device can also be decrypted by other child devices.

A conventional example of sharing a different encryption key for each slave unit is the IEEE 802.1X standard. In this method, each time authentication is performed, a connection is made to an authentication server (AS), and key sharing is performed by the authentication server issuing a different key for each slave (Non-Patent Document 1).
Supervision: Hideaki Matsue, Masahiro Morikura, IDG Information and Communication Series 802.11 High-Speed Wireless LAN Textbook, IDG Japan, issued March 28, 2003

  By the way, in the WEP specification, authentication processing can be performed at high speed. However, since the parent device uses the same common encryption key among a plurality of child devices and authentication / encryption cannot be performed for each child device, There is an inconvenience that “spoofing” can occur. Further, in the obvious solution in which the parent device manually sets a different common encryption key for each child device, the number of child devices that can be connected is limited due to memory limitations of the parent device.

  Further, in the authentication using the IEEE 802.1X standard, it is necessary to connect to the authentication server every time the authentication process is performed. Therefore, the authentication process is delayed due to the processing delay of the authentication server and the transmission delay in the transit network. In that case, it is not possible to sufficiently meet the demand for a user who has no time to spare such as during commuting to download electronic data promptly. Further, in hot spot services provided in stations, there are many cases where the same parent device as that previously connected is connected during commuting or the like, but the authentication procedure does not change even in such a use environment.

  In consideration of such circumstances, the present invention does not limit the number of slave units that can be connected, enables delivery of different encryption keys for each slave unit, and eliminates the need to connect to an authentication server each time authentication processing is performed. It is an object of the present invention to provide an encryption key distribution method, a parent device, and a child device in a wireless network.

  The present invention provides an encryption key distribution method in a wireless network in which at least one slave unit is connected to an external network via a master unit, and the master unit periodically transmits a beacon frame including a master unit address. When the beacon frame is received, the master unit address, the master session key corresponding to the master unit address, the expiration date of the master session key, and the master session key and the expiration date are encrypted with the secret key of the master unit. If the encrypted master session key data block encrypted with the encryption algorithm exists in the base unit database and the expiration date is valid, send an authentication request frame including the encrypted master session key data block to the base unit. Starts the authentication process and encrypts master session key data block corresponding to the base unit address or base unit address If it does not exist in the base unit database or if the expiration date is not valid, the base unit address is registered or updated, and the slave unit is registered in the base unit database from the authentication server when it can access the authentication server. The master session key corresponding to the master device address, the expiration date of the master session key, and the encrypted master session key data block are acquired and registered in the master device database.

  The slave unit of the wireless network in the present invention includes a means for receiving a beacon frame, a master unit address, a master session key corresponding to the master unit address, an expiration date of the master session key, and the master session key and valid The master unit database that can register the master master key data block encrypted with the base unit secret key and the encryption algorithm, and the base unit address are extracted from the beacon frame, and the base unit address is registered in the base unit database. If not, the registration process is performed, the master unit address is registered in the master unit database, and the encrypted master session key data block corresponding to the master unit address is not registered, or the expiration date of the master session key is not valid If this is the case, update the base unit address to the base unit database. Means for transmitting an authentication request frame including the encrypted master session key data block to the master unit when the encrypted master session key data block corresponding to the machine address is registered and the expiration date of the master session key is valid With.

  The base unit of the wireless network in the present invention, a means for transmitting a beacon frame, a means for receiving an authentication request frame transmitted from the slave unit, and an encrypted master session key data block included in the authentication request frame, Means for decrypting, and means for verifying the validity of the decrypted master session key data block and continuing the authentication process if it is valid.

  The present invention receives a beacon frame transmitted from a parent device when the child device performs an authentication request operation, acquires a parent device address included in the beacon frame, and the parent device address and a corresponding master session key are stored in the parent device. If it is in the database and the expiration date of the master session key is valid, the authentication request operation is started, and if not, only registration or update of the parent device address is performed.

  On the other hand, when the master unit performs the authentication request operation, it receives the authentication request frame sent by the slave unit, acquires the encrypted master session key data block included in the authentication request frame, and decrypts it to verify the validity. If this is valid, the authentication process is continued. If it is not valid, the authentication process is stopped.

  As a result, in an environment where there are many opportunities to connect to a previously connected master unit or slave unit, it is difficult to impersonate other slave units while reducing the memory capacity of the master unit, and to realize high-speed authentication processing. Can do.

  FIG. 1 shows a configuration example of a wireless network to which the present invention is applied. Here, a wireless LAN including a parent device (AP) 10, a child device (STA) 20, and an authentication server 30 is assumed. Master device 10 includes a wireless communication interface that performs wireless communication with slave device 20, and further includes a wired communication interface that connects to Internet 40, and controls access of slave device 20 to authentication server 30 via Internet 40. It is a configuration.

  FIG. 2 shows a configuration example of the base unit 10. In the figure, the base unit 10 includes a wired communication unit 11 including a wired communication interface and a wireless communication unit 12 including a wireless communication interface, and further performs control processing including authentication processing via the wired communication unit 11 and the wireless communication unit 12. A control unit 13 is provided, and a non-volatile memory 14 that holds a parent device secret key used for authentication is provided. The parent device private key is distributed from the authentication server and is different for each parent device. For this reason, it is difficult for another parent device or child device to decrypt the data encrypted by the parent device secret key. The wireless communication unit 12 performs wireless communication with the slave unit based on, for example, the IEEE802.1b modulation method (CCK method), but other modulation methods may be used.

  FIG. 3 shows a configuration example of the handset 20. In the figure, the slave unit 20 includes a wired communication unit 21 including a wired communication interface and a wireless communication unit 22 including a wireless communication interface, and further performs control processing including authentication processing via the wired communication unit 21 and the wireless communication unit 22. A control unit 23 is provided, a non-volatile memory 24 that holds a base unit database (APDB) used for authentication, and a magnetic disk 25 that stores received data. The wireless communication unit 22 performs wireless communication with each parent device, and the parent device ID included in the received beacon frame is processed by the control unit 23 and registered in the parent device database. The wired communication unit 21 is used for connection to an authentication server or connection to a wired LAN.

<Authentication sequence>
Refer to the authentication flowchart of the slave unit shown in FIG. 4, the authentication flowchart of the master unit shown in FIG. 5, and the authentication sequence of FIG. 6 for the authentication sequence in the master unit (AP) 10, the slave unit (STA) 20, and the authentication server 30. I will explain. FIG. 7 shows the format of the MAC frame related to the authentication process. This MAC frame format is almost the same as the MAC frame format used in IEEE802.11. FIG. 8 shows the format of the encrypted master session key data block (MSK block).

  The parent device (AP) periodically transmits a beacon frame (a beacon signal) and waits for reception of an authentication request frame transmitted from the child device (STA) (FIG. 5: S51). The header of the beacon frame includes the MAC address of the parent device as shown in FIG.

  When receiving the beacon frame from the beacon frame reception waiting state (FIG. 4: S41, S42), the slave unit (STA) refers to the source address field included in the beacon frame and acquires the MAC address of the master unit ( Figure 4: S43). Next, it is determined whether or not the MAC address and the MSK block corresponding to the MAC address exist in the parent device database (FIG. 4: S44). Here, when there is no MAC address or MSK block corresponding to the MAC address in the base unit database, a process for registering and updating the MAC address in the base unit database is performed, and the authentication processing procedure is stopped (FIG. 4). : S45). The same applies when the expiration date of the master session key corresponding to the MAC address is not valid.

  On the other hand, if both the MAC address, the master session key corresponding to the MAC address, the expiration date of the master session key, and the MSK block exist in the base unit database and the expiration date is valid, the authentication process is performed. And sends an authentication request frame to the parent device (FIG. 4: S46). The validity of the expiration date means that the timer value provided in the slave unit is not less than a value indicating the start of the expiration date and not more than a value indicating the end of the expiration date.

As shown in FIG. 7, this authentication request frame includes an MSK block in addition to a header, an authentication algorithm number, an authentication processing sequence number (atsn: Authentication Transaction Sequence Number = 1), and a status code. In this MSK block, as shown in FIG. 8, the master session key, the expiration date, and the MAC address of the slave unit are the common key encryption algorithm Fe and the master unit secret key K Encrypted with ap.

When the master unit (AP) receives the authentication request frame transmitted from the slave unit (STA) (FIG. 5: S52), the master unit (AP) acquires the MSK block included in the authentication request frame, and uses the MSK block as the common key decryption algorithm Fd and Base unit secret key K Decode by ap (FIG. 5: S53). Examples of common key encryption / decryption algorithms include AES and Triple-DES. Next, the validity of the obtained MSK block is verified (FIG. 5: S54). If it is valid, the authentication process is continued (FIG. 5: S55), and if it is not valid, the authentication process is stopped. .

  Here, the validity of the MSK block is determined according to the following conditions. (1) The slave unit MAC address of the MSK block matches the slave unit MAC address in the source address field included in the header of the authentication request frame, and (2) the timer value provided in the master unit indicates the start of the expiration date. Greater than or equal to the value and less than or equal to the value indicating the end of the expiration date.

  When the base unit (AP) determines that the MSK block included in the authentication request frame satisfies the above conditions and is valid, the base unit (AP) stores the content of the MSK block in the authentication handset database together with the MAC address of the handset, and performs an authentication response. A frame (atsn = 2) is generated. As shown in FIG. 7, the authentication response frame (atsn = 2) includes an initialization vector (IV), an authentication algorithm number, an authentication processing sequence number, a status code, and a challenge text 1 generated by the master unit. (Pseudorandom number) is included. This range from the initialization vector to challenge text 1 is encrypted, and is encrypted with the common key encryption algorithm and the master session key, and transmitted to the slave unit. In FIG. 7, this encryption range is indicated by hatching.

  Upon receiving the authentication response frame (atsn = 2), the slave unit (STA) decrypts the encrypted part of the authentication response frame (atsn = 2) using the common key encryption algorithm and the master session key, and the challenge text 1 ′ After acquisition, an authentication response frame (atsn = 3) is generated. The authentication response frame (atsn = 3) includes challenge text 1 ′ and challenge text 2 (pseudorandom number) generated by the slave unit, and is transmitted to the master unit. The range from the initialization vector to the challenge text 2 is encrypted, and is encrypted by the common key encryption algorithm and the master session key extracted from the parent device database.

  When the master unit (AP) receives the authentication response frame (atsn = 3), the encrypted part of the authentication response frame (atsn = 3) is transmitted by the common key encryption algorithm and the master session key (MSK) corresponding to the slave unit. Decrypt, take out the challenge text 1 ′ and compare it with the challenge text 1 generated by itself. If they do not match, the authentication process is canceled because the slave unit is invalid. If they match, the challenge text 2 ′ included in the authentication response frame (atsn = 3) is included in the authentication response frame (atsn = 4), encrypted with the common key encryption algorithm and the master session key (MSK), and sent to the slave unit. Send.

  Upon receiving the authentication response frame (atsn = 4), the slave unit (STA) decrypts the encrypted part of the authentication response frame (atsn = 4) using the common key encryption algorithm and the master session key, and the challenge text 2 ' Take it out and compare it with your own challenge text 2 If they do not match, the authentication process is canceled because the parent device is invalid. If they match, an authentication response frame (atsn = 5) including a Seed value that is a pseudorandom number is generated, encrypted with the common key encryption algorithm and the master session key, and transmitted to the parent device.

When receiving the authentication response frame (atsn = 5), the base unit (AP) decrypts the encrypted part of the authentication response frame (atsn = 5) using the common key encryption algorithm and the master session key corresponding to the slave unit. As a result, it is assumed that mutual authentication is completed between the parent device and the child device, and an authentication completion child device registration request signal and an authentication completion child device registration response signal are transmitted and received between the parent device and the authentication server, and data communication is performed. To start. In this data communication, the Seed value obtained from the authentication response frame (atsn = 5) and the result obtained by performing an operation on the Seed value are encrypted key K. Used as tmp.

<Connection between slave unit and authentication server>
A connection method between the slave 20 and the authentication server 30 will be described with reference to FIG.
The subunit | mobile_unit 20 performs HTTP connection to the authentication server 30 on the internet 40 via wired LAN (Ethernet (trademark)) 41 and the router 42 from a wired connection part. The authentication server 30 displays an authentication screen on the web browser and requests the user name and password from the slave unit 20. If the authentication server 30 determines that the user name and password are valid, the authentication server 30 requests the slave device 20 for the slave device MAC address and the master device MAC address existing in the master device database. When receiving the request, the slave unit 20 transmits the master unit MAC address to the authentication server 30.

  The authentication server 30 generates a master session key corresponding to each parent device MAC address existing in the parent device database. Further, the authentication server 30 generates an MSK block (encrypted master session key data block) encrypted with each parent device private key, and sets a master session key and an MSK block corresponding to each parent device MAC address to each child device 20. Send to. The slave unit 20 registers the received MSK block in the master unit database, and updates the master session key column and the expiration date column. Note that the connection method between the authentication server 30 and the child device 20 is not limited to this example, and any means for the authentication server 30 to authenticate the child device 20 may be used.

<Base unit database>
Details of the parent device database held by the child device 20 will be described with reference to FIG.
The parent device database includes a parent device MAC address, a master session key, an expiration date (start and end), an encrypted master session key data block (MSK block), an access count, a total communication time, and a beacon reception time. It has a field to hold for each machine. The maximum number of master units that can be registered (Nreg max) is, for example, 16. Note that the number of master units that can be registered depends on the nonvolatile memory capacity of the slave unit, and may be another finite value. When a large-capacity magnetic disk is used as the nonvolatile memory, the number of master units that can be registered can be greatly increased.

Here, the meaning of each column of the parent device database will be described.
The base unit MAC address column holds a base unit address (source address) included in the beacon frame.

  The master session key column and the expiration date column hold the master session key and the expiration date (start, end) included in the encrypted master session key data block (MSK block) acquired from the authentication server by the slave unit.

  Similarly, the encrypted master session key data block (MSK block) column holds the MSK block acquired from the authentication server.

  The access count column records the number of times the slave unit has completed mutual authentication with the master unit. That is, when an authentication response frame (atsn = 5) is transmitted, the value in the access count column corresponding to the corresponding master unit is incremented by one.

  The total communication time column holds the total number of beacon frames received by the slave unit from the master unit. Each time a beacon frame is received from the corresponding base unit, it increases by one.

  The beacon reception time column records the time at which the beacon frame of the corresponding parent device is received. This time is the timer value of the timer provided in the slave unit. It is updated every time a beacon frame is received.

Next, conditions when the slave unit performs the master unit MAC address registration / update determination process will be described.
(1) If the parent machine MAC address (MAC now) is already registered in the parent machine database, update processing is performed.
(2) The base unit MAC address (MAC now) has not been registered in the base unit database, and the total number of base units registered in the base unit database (Nreg) is smaller than the maximum number of base units that can be registered (Nreg max). At this time, the parent device MAC address (MAC now) is newly registered in the parent device database.
(3) If the base unit MAC address (MAC now) is not already registered in the base unit database and Nreg = Nreg max, select one base unit arbitrarily and delete that base unit from the base unit database. , The master unit MAC address (MAC now) is newly registered in the master unit database.

  In the case of new registration, invalid values are entered in the master session key field, the expiration date field, and the MSK block field, and the address number field and the total communication time field are set to 0.

  In addition, the conditions when the slave unit performs the master unit MAC address registration / update determination process are not limited to those described above. For example, by using the following conditions (3) to (5) for (3) above, It is possible to increase the holding efficiency of the machine MAC address.

(3) If the base unit MAC address (MAC now) is not registered in the base unit database and Nreg = Nreg max, the base unit group (TtcMinAP Group) with the smallest total communication time column is extracted, and the TtcMinAP Group If the number of components is 1, after deleting the parent device from the parent device database, the parent device MAC address (MAC now) is newly registered in the parent device database.
(4) When the number of components of TtcMinAP Group is 2 or more, the base unit group (TtcMinAndNaMinAP Group) with the smallest number of accesses is extracted. After deleting from the database, the parent device MAC address (MAC now) is newly registered in the parent device database.
(5) If the number of components of TtcMinAndNaMinAP Group is 2 or more, select one master unit from the list, delete the master unit from the base unit database, and then enter the base unit MAC address (MAC now). Newly register in the base unit database.

The figure which shows the structural example of a wireless network. The figure which shows the structural example of the main | base station. The figure which shows the structural example of the subunit | mobile_unit 20. FIG. The flowchart which shows the authentication processing procedure of a subunit | mobile_unit. The flowchart which shows the authentication processing procedure of a main | base station. The figure which shows an authentication sequence. The figure which shows the format of an authentication frame. The figure which shows the format of a master session key data block. The figure which shows the example of a connection of a subunit | mobile_unit and an authentication server. The figure which shows the example of the content of a main | base station database.

Explanation of symbols

10 Master unit (AP)
DESCRIPTION OF SYMBOLS 11 Wired connection part 12 Wireless connection part 13 Control part 14 Non-volatile memory 20 Slave unit (STA)
21 Wired connection unit 22 Wireless connection unit 23 Control unit 24 Non-volatile memory (APDB)
25 Magnetic disk 30 Authentication server 41 Wired LAN
42 router 40 internet

Claims (4)

In an encryption key distribution method in a wireless network in which at least one slave unit is connected to an external network via a master unit, and the master unit periodically transmits a beacon frame including a master unit address,
When the slave unit receives the beacon frame, the slave unit sets the master unit address, the master session key corresponding to the master unit address, the expiration date of the master session key, and the master session key and the expiration date as the parent unit. An authentication request frame including the encrypted master session key data block when the encrypted master session key data block encrypted with the machine secret key and the encryption algorithm exists in the base unit database and the expiration date is valid To the base unit to start the authentication process, if the base unit address or the encrypted master session key data block corresponding to the base unit address does not exist in the base unit database or if the expiration date is not valid, Register or update the base unit address,
Further, when the slave device is accessible to the authentication server, the slave server sends a master session key corresponding to a master device address registered in the master device database, an expiration date of the master session key, and the encryption An encryption key delivery method in a wireless network, comprising: acquiring an encrypted master session key data block and registering the block in the base unit database. The method for distributing an encryption key in a wireless network according to claim 1,
The master unit receives the authentication request frame transmitted from the slave unit, decrypts the encrypted master session key data block included in the authentication request frame, and if it is valid, the address of the slave unit And the contents thereof are transmitted, and a first authentication response frame encrypted including a predetermined pseudorandom value a is transmitted,
The slave unit receives the first authentication response frame, decrypts the encrypted part with a common key encryption algorithm and a master session key, and acquires a pseudo-random value a ′. A second authentication response frame encrypted including the pseudorandom value b of
The master unit receives the second authentication response frame, decrypts the encrypted part with a common key encryption algorithm and a master session key corresponding to the slave unit, and extracts pseudo-random values a ′ and b ′. If the pseudo-random value a ′ matches with the pseudo-random value a generated by itself, a third authentication response frame encrypted including the pseudo-random value b ′ is transmitted,
The slave unit receives the third authentication response frame, decrypts the encrypted part with the common key encryption algorithm and the master session key, extracts the pseudo random number value b ′, and generates the pseudo random number value b ′ and self If it is compared with the pseudo-random value b, the encrypted fourth authentication response frame including the pseudo-random value is transmitted,
The master unit receives the fourth authentication response frame, decrypts the encrypted part with a common key encryption algorithm and a master session key corresponding to the slave unit, and performs mutual authentication between the master unit and the slave unit A method for distributing an encryption key in a wireless network, characterized in that At least one slave unit is connected to an external network via a master unit, and the master unit periodically transmits a beacon frame including a master unit address.
Means for receiving the beacon frame;
The master unit address, the master session key corresponding to the master unit address, the expiration date of the master session key, and the encryption master obtained by encrypting the master session key and the expiration date with the master unit secret key and the encryption algorithm A master database that can register session key data blocks;
The base unit address is extracted from the beacon frame, and if the base unit address is not registered in the base unit database, the base unit address is registered, the base unit address is registered in the base unit database, and the base unit When the encrypted master session key data block corresponding to the address is not registered or when the expiration date of the master session key is not valid, the master unit address is updated, and the master unit database stores the master unit address. Means for transmitting an authentication request frame including the encrypted master session key data block to the master unit when the corresponding encrypted master session key data block is registered and the expiration date of the master session key is valid. A slave unit of a wireless network characterized by comprising. In a master unit of a wireless network in which at least one slave unit connects to an external network via a master unit, and the master unit periodically transmits a beacon frame including a master unit address,
Means for transmitting the beacon frame;
Means for receiving an authentication request frame transmitted from the slave unit;
Means for extracting and decrypting an encrypted master session key data block included in the authentication request frame;
A master unit of a wireless network, comprising: means for verifying the validity of the decrypted master session key data block and continuing the authentication process if it is valid.

Images