KR20050060633A - Data security and apply device in wireless local area network system and method thereof - Google Patents

Abstract

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an access point constituting a wireless local area network (LAN) defined by IEEE 802.11 and a medium access control supported by a wireless terminal. In particular, the Institute of Electrical and Electronics Engineers) Complies with the MAC specification of the wireless LAN system defined by 802.11, supports functions to ensure the security of the wireless LAN system defined by IEEE 802.11 Task Group (TG) i, and requires additional security structures. The present invention relates to a data security and operation apparatus of a wireless LAN (LAN) system that is flexible to accommodate the present invention.

In the present invention, while supporting the existing security algorithm of the wireless LAN (LAN) system, by separating the key management method, authentication function, and encryption function for each security, RSNA (Robuest) defined to support a higher security weight Security Network Association) security structure. Through this, it supports a flexible structure and a stronger security function for wireless data to apply various security algorithms through the AP equipment and the wireless terminal of the wireless LAN device to which the present invention is applied.

Description

Data Security and Operation Device and Method in Wireless LAN System {DATA SECURITY AND APPLY DEVICE IN WIRELESS LOCAL AREA NETWORK SYSTEM AND METHOD THEREOF}

The present invention relates to an apparatus and method for data security and operation in a wireless LAN (LAN) system, and more particularly, to a structure and a method of operating the media access control of an access point and a wireless terminal.

1 and 2 are diagrams illustrating a wireless LAN (LAN) system of an access point or a wireless terminal conforming to a wireless LAN (LAN) standard defined by IEEE 802.11.

First, as shown in FIG. 1, an existing wireless LAN system 10 includes an access point connected to a wired link 4 (hereinafter, referred to as an 'AP', 1) and a wireless terminal wirelessly connected to the AP 1. It consists of (2, 3).

In addition, the wireless LAN system 10 having such a configuration is a basic service set (BSS) system, which is a basic service unit of a wireless LAN (LAN) system to which the IEEE (Institute of Electrical and Electronics Engineers, IEEE 802.11) standard is applied. to be.

Next, the wireless LAN (LAN) system 20 shown in FIG. 2 is composed of only wireless terminals 5, 6, and 7 wirelessly connected without an AP, and is a wireless LAN system using the IEEE 802.11 standard. Independent Basic Service Set (IBSS) system, which is a basic service unit of.

As such, the AP and the wireless terminal constituting the wireless LAN (LAN) system transmit a packet by sharing a single wireless channel by applying a media access control method defined in the IEEE 802.11 standard.

Specifically, the AP 1 and the wireless terminals 2 and 3 illustrated in FIG. 1 are basically distributed coordination functions (hereinafter, referred to as 'DCF') or point coordination functions (hereinafter, referred to as 'DCF'). 'PCF').

In addition, the wireless terminals 5, 6, and 7 shown in FIG. 2 perform only DCF to transmit packets through the wireless medium.

DCF, as defined by IEEE 802.11 MAC (Media Access Control) specification, is called carrier sensing multiple access / collision avoidance (CSMA / CA). Known as the method.

That is, the wireless terminal which wants to transmit a packet in the DCF detects whether the wireless medium is being used by another wireless terminal, and starts the packet transmission if the wireless medium is not used. That is, all wireless terminals constituting the wireless LAN (LAN) perform access control to the wireless medium through the DCF, and use the wireless medium by competition.

In addition, in the PCF defined in the IEEE 802.11 MAC standard, the AP uses a polling message for selecting a wireless terminal to allow transmission and a virtual carrier detection technique using the access priority mechanisms of the PCF. According to the -sensing mechanisms, by stopping the packet transmission process of the other wireless terminals constituting the wireless LAN (LAN) by transmitting a beacon message setting the network allocation vector (network allocation vector), the selected wireless terminal Perform packet exchange with

However, the IEEE 802.11 MAC standard applied to such a WLAN system selects the WEP (Wired Equivalent Protocol) to support the security of data packets transmitted and received using a wireless medium. It is defined as

WEP-related security provides security for data and management frames by using a shared key known to each other during authentication with a wireless terminal based on an AP.

However, the AP does not have a specific key management scheme for the wireless terminal, and uses an RC4 algorithm using a short 40-bit key, so that the AP is exposed to an attack on eavesdropping and data forgery, and thus cannot provide an appropriate security function.

The technical problem to be achieved by the present invention is to solve this problem, it is possible to support a flexible structure and a strong security function for wireless data to apply a variety of security algorithms through the base station equipment and wireless terminal to which the RSNA security structure is applied An object of the present invention is to provide an apparatus and a method for data security and operation in a wireless LAN (LAN) system.

Data security and management device in a wireless LAN (LAN) system according to a feature of the present invention for achieving this object, the data in a wireless LAN (LAN) system including a base station for transmitting or receiving a data frame to a wireless terminal A security and operation apparatus, comprising: an application software manager for negotiating data security information with the wireless terminal; A logical link controller which transmits at least one of data including the negotiated data security information and a data frame generated by the application software manager to the wireless terminal when the authentication result of the wireless terminal is normal; A media access control software management unit for securely supporting a MAC Service Data Unit (MSDU) frame received through the logical link controller; A media access control hardware management unit for securely supporting a MAC Protocol Data Unit (MPDU) frame obtained by fragmenting an MSDU frame generated by the media access control software manager; And a modem / RF unit for modulating or demodulating the generated MSDU and MPDU frames to be transmitted or received to the wireless terminal.

In this case, the application software management unit, the wireless terminal according to the security standard of the Institute of Electrical and Electronics Engineers (IEEE) 802.11 TG (Task Group) i is characterized in that the data negotiated with the wireless terminal.

In addition, the media access control software management unit, after confirming that the data frame received from the wireless terminal applies security support, and determines whether the security algorithm is supported by applying the security support Mitchell for the MSDU frame to which the TKIP algorithm is applied (Michael) MIC processing unit for performing a function processing; A management frame processor for generating a management frame including at least one of an association frame and a probe frame, and controlling an access process to a wireless medium through a result of analyzing the generated management frame. ; A frame processor configured to fragment the MSDU frame processed by the Michael function in units of MPDU frames or to reassemble fragmented MPDU frames received from the wireless terminal into MSDU frames; An RSNA management information processing unit for maintaining, modifying, and updating MIB (Management Information Base) information which is a default value defined by the IEEE 802.11 TG i or a value input from a user; A key management unit for converting a length and a key form that can be used for encryption or decryption, which is security support for media access control derived from the session key generated in the wireless terminal authentication process; A management information processor configured to manage management information for access control and data security on a wireless medium; And a transmission / reception control unit which transmits the fragmented MPDU frame to the wireless terminal or receives the fragmented MPDU frame from the wireless terminal.

In addition, the data security and operation apparatus in a wireless LAN (LAN) system according to another aspect of the present invention, the data security and operation in a wireless LAN (LAN) system including a wireless terminal for receiving or transmitting a data frame from a base station An apparatus, comprising: an application software manager for negotiating data security information with the base station according to the security standard of IEEE 802.TG (Task Group) i; A logical link controller for transmitting and receiving at least one of data including the negotiated data security information and a data frame generated by the application software manager when the authentication result of the wireless terminal is normal; A media access control software management unit for securely supporting a MAC Service Data Unit (MSDU) frame received through the logical link controller; A media access control hardware management unit for securely supporting a MAC Protocol Data Unit (MPDU) frame obtained by fragmenting an MSDU frame generated by the media access control software manager; And a modem / RF unit for modulating or demodulating the generated MSDU and MPDU frames to be transmitted or received to the base station.

In addition, data security and operation method in a wireless LAN (LAN) system according to another aspect of the present invention, data security and operation in a wireless LAN (LAN) system including a base station for transmitting or receiving data frames to a wireless terminal A method comprising: a) negotiating data security information with the wireless terminal; b) if the authentication result of the wireless terminal is normal, transmitting at least one of the data and the data frame including the negotiated data security information to the wireless terminal; c) securely supporting an MSDU frame generated by the application software of the base station or an MSDU frame received from the mobile terminal; d) securely supporting a MAC Protocol Data Unit (MPDU) frame fragmenting the MSDU frame or an MPDU frame received from the mobile terminal; And e) modulating or demodulating the generated MSDU and MPDU frames to be transmitted or received to the wireless terminal.

In addition, data security and operation method in a wireless LAN (LAN) system according to another aspect of the present invention, data security and operation in a wireless LAN (LAN) system including a wireless terminal for receiving or transmitting data frames from a base station A method comprising: a) negotiating data security information with the base station in accordance with the security standard of IEEE 802.TG (Task Group) i; b) if the authentication result of the wireless terminal is normal, transmitting and receiving at least one of data and the data frame including the negotiated data security information with the base station; c) securely supporting an MSDU frame generated by application software of the wireless terminal or an MSDU frame received from the mobile terminal; d) securely supporting a MAC Protocol Data Unit (MPDU) frame fragmenting the MSDU frame or an MPDU frame received from the mobile terminal; And e) modulating or demodulating the generated MSDU and MPDU frames to be transmitted or received to the base station.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention. As those skilled in the art would realize, the described embodiments may be modified in various different ways, all without departing from the spirit or scope of the present invention. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention. Like parts are designated by like reference numerals throughout the specification.

3 is a diagram illustrating a configuration of a data security and operation apparatus in a wireless LAN system according to an exemplary embodiment of the present invention, which is located in a wireless terminal and an access point, respectively.

As shown in FIG. 3, the data security and management apparatus 100 of a wireless LAN system according to an exemplary embodiment of the present invention may include an application software manager 110, a logical link controller 120, and a media access controller 130. ), The modem / RF unit 140 and the user interface 150. In this case, the kernel system A includes a logical link control unit 120 and a media access control unit 130, and the media access control unit 130 controls the media access control software management unit 130a and the media access control hardware management unit 130b. Include.

In detail, first, the user interface 150 receives information for data security from a wireless terminal (not shown) user or a network manager.

The application software management unit 110 performs data security information (for example, WEP, TKIP and CCMP) with the other party according to the authentication scheme defined in the security standard of IEEE 802.TG (Task Group, hereinafter referred to as 'TG') i. Information about security algorithms, such as, for example). That is, the application software management unit 110 applies the authentication method and the key exchange method defined in the standard when negotiating data security information.

When the authentication result for the wireless terminal is normal, the logical link control unit 120 generates a frame including data security information negotiated between the base station and the wireless terminal generated by the application software management unit 110 (eg, for security information). The defined EAPOL-KEY frame) or the like, or transmits the data frame generated by the application software management unit 110 to the media access control software management unit 130a.

The media access control unit 130 follows a media access method defined in the IEEE 802.11 MAC standard and controls a data security function proposed by the IEEE 802.11 TG i.

That is, the media access control software management unit 130a may be referred to as an MSDU (MAC Service Data Unit) generated by application software of a base station or a wireless terminal and transmitted by the logical link control unit 120. It is determined whether WEP, TKIP or CCMP security algorithm should be applied to the frame.

In addition, if the determination result is to be applied, the media access control software management unit 130a calculates in advance security information (eg, IV, MIC value, etc.) required to apply the specified WEP, TKIP, or CCMP security algorithm. Support. In addition, the MSDU is fragmented in units of a MAC Protocol Data Unit (MPDU), which is a frame form required for applying a security algorithm.

The medium access control hardware management unit 130b is generated by application software of a base station or a wireless terminal, and fragmented by the medium access control software management unit 131a, a MAC Protocol Data Unit (MPDU). In accordance with the result determined by the media access control software management unit 130a for the frame, a security function for encrypting or decrypting the data value of the frame is supported through a WEP, TKIP, or CCMP security algorithm.

The modem / RF unit 140 modulates or demodulates the data frame transmitted and received through the medium access control unit 130. It is responsible for radio signal processing of data frames to be transmitted and received.

FIG. 4 is a diagram showing the configuration of the media access control software manager shown in FIG.

As shown in FIG. 4, the media access control software management unit 130a includes the upper interface 301, the MIC processing unit 302, the management frame processing unit 303, the first and second frame processing units 304 and 305, and the RSNA management. An information processing unit 306, a key management unit 307, a management information processing unit 308, a transmission control unit 309, a reception control unit 310, and a lower interface 311 are included.

In detail, the upper interface 301 receives a data frame from the logical link controller 120 through an interface with the logical link controller 120 and the user interface 150. Then, information related to data security is received from the user interface 150.

As a result of determining the received data frame, the MIC processor 302 performs a Michael process on the MSDU to which the TKIP algorithm is applied and calculates a value.

The management frame processor 303 generates a management frame including an association frame, a probe frame, and the like according to a medium access operation according to the IEEE 802.11 MAC standard, and generates a management frame and a management frame received from the other party. Media access control such as terminating a connection or requesting a reconnection is performed according to the included value.

The first and second frame processing units 304 and 305 fragment the MSDU in MPDU units, or store the received MPDU and reassemble the MSDU frame. And calculating an initialization vector (IV) value for the MPDU fragmented by the MSDU to which the WEP, TKIP, or CCMP security algorithm is applied.

The RSNA management information processing unit 306 complies with the access control scheme for the wireless medium, and maintains, modifies, and updates MIB (Management Information Base) information defined in the IEEE 802.11 TG i. In this case, each piece of information uses a default value defined in the standard or has a value input from the user through the user interface 150.

Each RSNA management information value refers to an upper interface block and a management frame processor. The RSNA management information processor 306 is modified through a management frame (eg, an association frame, a probe frame, etc.) while a wireless connection is maintained. RSNA management information is updated to reflect MIB information related to the security function of the wireless terminal or the base station.

The key manager 307 receives the session key generated during the authentication process of the user interface or the upper protocol from the upper interface, and then sets the session key to an appropriate length (for example, 40 bits, 104 bits, or 128 bits) that can be used in the MAC. Recreate In addition, the key manager 307 manages both unicast and multicast (unicast / multicast) keys for the peer that each of the base station or the wireless terminal maintains the wireless connection.

The management information processor 308 manages management information for access control and data security on a medium. The management information means a record value defined for wireless connection together with MIB information defined in the IEEE 802.11 MAC standard.

The management information uses a default value defined in the standard or a value input from a user through a user interface. The management information processing unit 308 modifies, maintains, and updates the management information while the wireless connection with the other party is continued.

The transmission control unit 309 is generated by the application software of the entire system including all the upper protocol and network functions of the base station or the wireless terminal, and the MSDU delivered to the media access control software management unit 130a through the logical link control unit 120 is stored. The MPDU fragmented by the first frame processing unit 304 of the media access control software management unit 130a is transmitted to the media access control hardware management unit 130b.

The reception control unit 310 receives the MPDU generated and transmitted from the other party (base station or terminal) through the media access control hardware management unit 130b.

The lower interface 311 interfaces with the media access control hardware manager 130b.

FIG. 5 is a diagram illustrating a configuration of the media access control hardware management unit shown in FIG. 3.

As shown in FIG. 5, the media access control hardware manager 130b includes a media access control interface 501, a security function controller 502, a TKIP support processor 503, a CCMP support processor 504, and a security algorithm processor 505. ), A dynamic key management unit 506, a management information processing unit 507, and a modem / RF interface 508.

In detail, first, the media access control interface 501 receives a data frame and security information through an interface with the sub-interface 311.

The security function controller 502 performs a security function on the received MPDU or the MPDU to be transmitted.

The TKIP support processing unit 503 is a variable for supporting a Temporary Key Integrity Protocol (TKIP) for an MPDU to which TKIP security support is to be applied, for example, a TKIP Sequence Counter (TSC) or TTAK ( Calculate the TKIP mixed Transmit Address and Key, hereinafter referred to as 'TTAK').

The CCMP support processing unit 504 is a variable for supporting Counter mode with Cipher-Block Chaining (CBC) -Message Authentication Code (MAC) Protocol (hereinafter referred to as 'CCMP') for MPDUs to which CCMP security support is to be applied. For example, CCMP Header, CCM Nonce, Additional Authentication Data (AAD) is calculated.

The security algorithm processing unit 505 applies a WEP, TKIP, or CCMP security algorithm to the MPDU according to the result determined by the media access control software management unit 130a for the MPDU or the result of analyzing the header information of the received MPDU. Performs a security function that encrypts or decrypts the data.

The dynamic key management unit 506 manages to apply the security key that is already set according to the sender address of the MPDU received from the other party or the address of the receiver to be transmitted to the MPDU.

The management information processor 507 manages management information for access control and data security on a medium. The management information means a record value defined for wireless connection together with MIB information defined in the IEEE 802.11 MAC standard.

The management information uses a default value defined in the standard or a value input from a user through a user interface. The management information processing unit 308 modifies, maintains, and updates the management information while the wireless connection with the other party is continued.

The modem / RF interface 508 transfers access control information for the MPDU and the medium to the modem / RF unit 140.

Then, the operation of the data security and operating device in a wireless LAN (LAN) system having such a configuration.

FIG. 6 is a flowchart sequentially illustrating an encryption process of a data security and an operating device in a WLAN system according to an exemplary embodiment of the present invention.

As shown in FIG. 6, an AP or a wireless terminal of a wireless LAN (LAN) system compliant with the MAC standard defined by IEEE 802.11 sets security function information through a user interface 150 and a logical link control unit 120. The application software manager 110 of the WLAN system 100 receives data generated through the logical link controller 120 (S601).

Meanwhile, in order to perform the MAC operation, the management frame processor 303 generates a management frame including information managed by the management information processor 308 (S602).

Thereafter, the upper interface 301 checks whether the MAC supports a security function through the information received from the user interface 150 to process the received data and the management frame (S603).

 As a result of the check, if the MAC does not support the security function, the first frame processing unit 304 configures the MPDU which is the MAC frame from the MSDU or the management frame (S607), and then transmits the MPDU to the transmission control unit 309 and the lower interface 311. Through the media access control hardware management unit 130b (S608).

In addition, the first frame processor 304 transmits the MAC frame through the media access control interface 501 and the modem / RF interface 508 by performing only the MAC frame processing without processing the security function (S613).

On the other hand, if it is confirmed that the MAC supports a security function, the upper interface 301 checks whether the RSNA (Robuest Security Network Association, hereinafter 'RSNA') security function is applied (S604).

If the RSNA security function is applied, the upper interface 301 again checks whether the TKIP security algorithm is used (S605), and if the TKIP security algorithm is used, the MIC processing unit 302 may check the MSDU or the management frame. Michael function processing is performed (S606).

The first frame processor 304 configures an MPDU, which is a MAC frame, with respect to the frame (S607), and then calculates an initialization vector (IV) value for each MPDU. If the CCMP security algorithm is used without using the TKIP security algorithm, the MPDU of the corresponding MDSU is generated and the initialization vector (IV) value for each MPDU is calculated.

On the other hand, if the RSNA security function is not applied as a result of the check, since the WEP security algorithm defined in the IEEE 802.11 MAC standard is applied, the first frame processing unit 304 performs only MAC processing, and then for the corresponding frame The MPDU is configured (S607). The initialization vector value for each MPDU is calculated.

Thereafter, the transmission control unit 309 and the lower interface 311 transfer the configured MPDU to the media access control hardware management unit 130b (S608).

Thereafter, the media access control hardware management unit 130b transmits the received MPDU to the security function control unit 502 through the media access control interface 501, and the security function control unit 502 applies the received MPDU to the RSNA security function. It is determined whether or not (S609).

As a result of the check, if the RSNA security function is not applied, the security algorithm processing unit 505 applies the WEP algorithm to the corresponding MPDU (S614). On the other hand, if the RSNA security function is applied as a result of the check, the security function control unit 502 checks whether the TKIP security algorithm is applied to the MPDU (S610).

As a result of the check, if the TKIP security algorithm is not used, the CCMP support processing unit 504 calculates a variable value required for the CCMP algorithm (S615), and the security algorithm processing unit 505 performs CCMP on the corresponding MPDU through the calculated variable value. Apply the algorithm (S616).

On the other hand, if the TKIP security algorithm is used, the TKIP support processing unit 503 calculates a variable value requested for using the TKIP algorithm (S611), and the security algorithm processing unit 505 uses the calculated variable value to the corresponding MPDU. The WEP algorithm is applied (S612).

Thereafter, the security algorithm processing unit 505 applies the security algorithm through the steps S612, S614, and S616, and processes the encrypted MPDUs in compliance with the MAC scheme defined in IEEE 802.11. Thereafter, the modem / RF interface 508 transmits the processed MPDU to the modem / RF unit 140 (S613).

Next, FIG. 7 is a flowchart sequentially illustrating a data security and a decryption process of an operation apparatus of a WLAN system according to an exemplary embodiment of the present invention.

As shown in FIG. 7, the AP or wireless terminal of the WLAN system 100 conforming to the MAC standard of IEEE 802.11 is connected to the modem / RF interface of the media access control hardware management unit 130b from the modem / RF unit 140. The MPDU is received through step 508 (S701).

Thereafter, the modem / RF interface 508 checks whether the received frame (MPDU) is encrypted, first using the security function (S702), and if the verification result does not use the security function, the modem / RF The interface 508 performs only the processing of the MAC without processing the security function, and then transfers the MPDU to the media access control software manager 130a through the media access control interface 501 (S721).

On the other hand, if it is confirmed that the MPDU encrypted using the security function, the modem / RF interface 508 is transferred to the security function control unit 502 through the media access control interface 501.

Then, the dynamic key management unit 506 retrieves the key corresponding to the sender of the MPDU (S703), and the security function control unit 502 checks whether the RSNA security function is used (S704).

As a result of the check, if the MPDU does not use the RSNA security function, the security algorithm processing unit 505 applies the WEP algorithm to the MPDU (S718).

If the MPDU uses the RSNA security function, the security function controller 502 checks whether the MPDU uses the TKIP security algorithm again (S705).

As a result of the check, if the MPDU does not use the TKIP algorithm, the CCMP support processing unit 504 calculates the required CCMP variable value (S719), and the security algorithm processing unit 505 uses the calculated CCMP variable value to secure the CCMP to the MPDU. Apply the algorithm (S720).

On the other hand, if it is confirmed that the corresponding MPDU uses the TKIP algorithm, the TKIP support processing unit 503 calculates the requested TKIP variable value (S706), and the security algorithm processing unit 505 uses the calculated TKIP variable value to the MPDU. The WEP algorithm is applied (S707).

Thereafter, the security algorithm processing unit 505 transfers the decrypted MAC frame MPDU to the media access control software management unit 130a through the media access control interface 501 (S708).

Thereafter, the reception control unit 310 of the media access control software management unit 130a stores the MDPU received through the lower interface 311 (S710), and the second frame processing unit 305 recombines the stored MDPU (S711). Configure the MSDU.

Thereafter, the second frame processor 305 checks whether the security function is used for the configured MSDU (S712). If the security function is not used, the management frame processor 303 determines whether the data frame is a data frame (S715). .

As a result of determination, if the MSDU is a data frame, the management frame processing unit 303 transfers the MSDU to the logical link control unit 120 through the MIC processing unit 302 and the upper interface 301 (S716).

On the other hand, if the determination result MSDU is a management frame, the management frame processing unit 303 processes the received management frame (S717).

Thereafter, the second frame processor 305 checks whether the security function is used for the MSUD (S712), and then determines whether the TKIP algorithm is used again (S713).

As a result of the determination, if the TKIP algorithm is not used, the management frame processing unit 303 determines whether the MSDU is a data frame again (S715), and if the result of the check is a data frame, the management frame processing unit 303 determines that the MSDU is the MIC processing unit 302 and the MSDU. The logical link controller 120 transmits the data through the upper interface 301 (S716). On the other hand, if the MSDU is a management frame, the management frame processing unit 303 processes the management frame (S717).

Thereafter, if the MSDU uses the TKIP algorithm, the MIC processing unit 302 performs integrity processing on the MSDU received from the second frame processing unit 305 (S714), and then determines whether the MSDU is a data frame (S715).

As a result of determination, if the integrity-processed MSDU is a data frame, the MIC processing unit 302 transmits the MSDU to the logical link control unit 120 through the upper interface 301 (S716). If the determination result is a management frame, the MIC processing unit 302 ) Transmits the MSDU to the management frame processing unit 303, and the management frame processing unit 303 receiving the MSDU analyzes the value of each field of the frame to determine a connection request, connection release, power management, or the like. Process the access process (S717).

As such, the data security and operation apparatus and method in a WLAN system according to an embodiment of the present invention apply a WEP security algorithm that can be selectively applied according to the IEEE 802.11 MAC standard, and in IEEE 802.11 TG i In addition, all security functions operated according to the defined standard are applied. Through this, it is possible to support a more robust security function for the wireless data and a flexible structure to apply a variety of security algorithms through the base station equipment and wireless terminal to which the RSNA security structure is applied.

The drawings and detailed description of the invention are exemplary only, and are used for the purpose of illustrating the invention only, and are not intended to be limiting or to limit the scope of the invention described in the claims. Therefore, those skilled in the art will understand that various modifications and equivalent other embodiments are possible. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

Apparatus and method for data security and operation in a wireless LAN (LAN) system according to the present invention apply a security algorithm that can be selectively applied according to the IEEE 802.11 MAC standard, operating in accordance with the standard additionally defined in IEEE 802.11 TG i Apply all security functions. Through this, it is possible to support a more robust security function for the wireless data and a flexible structure to apply a variety of security algorithms through the base station equipment and wireless terminal to which the RSNA security structure is applied.

1 and 2 are schematic diagrams illustrating a configuration of a wireless LAN system according to the prior art.

3 is a diagram illustrating a configuration of a data security and operation apparatus in a wireless LAN system according to an exemplary embodiment of the present invention.

FIG. 4 is a diagram showing the configuration of the media access control software manager shown in FIG.

FIG. 5 is a diagram illustrating a configuration of the media access control hardware management unit shown in FIG. 3.

FIG. 6 is a flowchart sequentially illustrating an encryption process of a data security and an operating device in a WLAN system according to an exemplary embodiment of the present invention.

7 is a flowchart sequentially illustrating a data security and a decryption process of an operating apparatus in a WLAN system according to an exemplary embodiment of the present invention.

Claims (19)

A data security and operation apparatus in a wireless local area network (LAN) system comprising a base station for transmitting or receiving a data frame to a wireless terminal, An application software manager for negotiating data security information with the wireless terminal; A logical link controller which transmits at least one of data including the negotiated data security information and a data frame generated by the application software manager to the wireless terminal when the authentication result of the wireless terminal is normal; A media access control software management unit for securely supporting a MAC Service Data Unit (MSDU) frame received through the logical link controller; A media access control hardware management unit for securely supporting a MAC Protocol Data Unit (MPDU) frame obtained by fragmenting an MSDU frame generated by the media access control software manager; And Modem / RF unit for modulating or demodulating the generated MSDU and MPDU frames to be transmitted or received to the wireless terminal Data security and operation device in a wireless LAN (LAN) system comprising a. According to claim 1, The application software management unit, Device for data security and operation in a wireless LAN (LAN) system, characterized in that for negotiating data security information with the wireless terminal according to the IEEE (Institute of Electrical and Electronics Engineers) 802.11 TG (Task Group) i security standard. According to claim 1, The media access control software management unit, After confirming that the data frame received from the wireless terminal applies the security support, if the security support is applied to determine which security algorithm to support the MIC processing unit for processing the (Michael) function for the MSDU frame to which the TKIP algorithm is applied ; A management frame processor for generating a management frame including at least one of an association frame and a probe frame, and controlling an access process to a wireless medium through a result of analyzing the generated management frame. ; A frame processor configured to fragment the MSDU frame processed by the Michael function in units of MPDU frames or to reassemble fragmented MPDU frames received from the wireless terminal into MSDU frames; An RSNA management information processing unit for maintaining, modifying, and updating MIB (Management Information Base) information which is a default value defined by the IEEE 802.11 TG i or a value input from a user; A key management unit for converting a length and a key form that can be used for encryption or decryption, which is security support for media access control derived from the session key generated in the wireless terminal authentication process; A management information processor configured to manage management information for access control and data security on a wireless medium; And A transmission / reception control unit which transmits the fragmented MPDU frame to the wireless terminal or receives the fragmented MPDU frame from the wireless terminal Data security and operation device in a wireless LAN (LAN) system comprising a. The method of claim 3, wherein The media access control hardware management unit, A security function controller which securely supports the reassembled MPDU frame; A TKIP support processing unit for calculating a variable value for supporting the Temporary Key Integrity Protocol (TKIP); A CCMP support processor for calculating a variable value for supporting Counter mode with Cipher-Block Chaining (CBC) -Message Authentication Code (MAC) Protocol; A security algorithm processing unit configured to analyze header information of the fragmented MPDU frame or the MPDU frame received from the wireless terminal, and then control a security algorithm according to the analysis result; A dynamic key manager for managing a security key for a sender address of an MPDU frame received from the wireless terminal or a receiver address of an MPDU to be transmitted; A management information processor configured to manage management information for access control and data security on a wireless medium; And Modem / RF interface for transmitting the fragmented MPDU frame and the access control information for the wireless medium to or from the wireless terminal Data security and operation device in a wireless LAN (LAN) system comprising a. The method of claim 3, wherein The frame processing unit, Fragmenting the MSDU frame processed by the Michael function into the MPDU frame, and then calculating an initialization vector value for the fragmented MPDU frame, the data security in a WLAN system And operating device. The method of claim 3, wherein The dynamic key management unit Apparatus for data security and management in a wireless local area network (LAN) system characterized in that the base station manages both unicast and multicast (unicast / multicast) key for the other side maintaining a wireless connection. The method of claim 3, wherein The media access control software management unit, After determining whether a WEP, TKIP, or CCMP security algorithm should be applied to the generated MAC Service Data Unit (MSDU) frame, and applying the security algorithm, calculating security information including an initialization vector value to support security. Data security and operation device in a wireless LAN system. The method of claim 7, wherein The media access control software management unit, In order to apply the security algorithm, the MSDU frame is fragmented in units of MPDU frames, or the fragmented MPDU frames received from the wireless terminal is characterized in that the data security and operation in a wireless LAN (LAN) system characterized in that the MSDU frame Device. The method of claim 4, wherein The TKIP support processing unit, Apparatus for securing and operating data in a wireless local area network (LAN), characterized in that at least one of calculating a TKIP Sequence Counter (TSC) or a TKIP mixed Transmit Address and Key (TTAK). The method of claim 4, wherein The CCMP support processing unit, Apparatus for securing and operating data in a wireless local area network (LAN), comprising calculating at least one of a CCMP header, a CCM random number, and additional authentication data (AAD). According to claim 1, The data security information, Information about a security algorithm including at least one of the Wired Equivalent Protocol (WEP), the Temporary Key Integrity Protocol (TKIP), and the Counter mode with Cipher-Block Chaining (CBC) -Message Authentication Code (MAC) Protocol. Data security and operation device in a wireless LAN system. A data security and operation apparatus in a wireless local area network (LAN) system including a wireless terminal for receiving or transmitting a data frame from a base station, An application software management unit for negotiating data security information with the base station in accordance with the IEEE 802.11 Security Task Group (TG) i security standard; A logical link controller for transmitting and receiving at least one of data including the negotiated data security information and a data frame generated by the application software manager when the authentication result of the wireless terminal is normal; A media access control software management unit for securely supporting a MAC Service Data Unit (MSDU) frame received through the logical link controller; A media access control hardware management unit for securely supporting a MAC Protocol Data Unit (MPDU) frame obtained by fragmenting an MSDU frame generated by the media access control software manager; And Modem / RF unit for modulating or demodulating the generated MSDU and MPDU frames to be transmitted or received to the base station Data security and operation device in a wireless LAN (LAN) system comprising a. A data security and operation method in a wireless LAN (LAN) system including a base station for transmitting or receiving a data frame to a wireless terminal, a) negotiating data security information with the wireless terminal; b) if the authentication result of the wireless terminal is normal, transmitting at least one of the data and the data frame including the negotiated data security information to the wireless terminal; c) securely supporting an MSDU frame generated by the application software of the base station or an MSDU frame received from the mobile terminal; d) securely supporting a MAC Protocol Data Unit (MPDU) frame fragmenting the MSDU frame or an MPDU frame received from the mobile terminal; And e) modulating or demodulating the generated MSDU and MPDU frames to be transmitted or received to the wireless terminal; Data security and operation method in a wireless LAN (LAN) system comprising a. The method of claim 13, Step a) is A method of data security and operation in a wireless LAN (LAN) system, characterized by the security standards of the Institute of Electrical and Electronics Engineers (IEEE) 802.11 Task Group (TG) i. The method of claim 13, Step c) is Determining whether RSNA (Robuest Security Network Association) security is applied to the generated MSDU frame; If applying the RSNA security, determining whether a Temporary Key Integrity Protocol (TKIP) security algorithm is applied to the MSDU frame; Applying the TKIP security algorithm, after performing a Mitchell function processing on the MSDU frame, calculating an initialization vector value for the MPDU frame; And If the TKIP security algorithm is not applied, calculating an appropriate initialization vector value for the MPDU frame Data security and operation method in a wireless LAN (LAN) system comprising a. The method of claim 13, In step d), i) determining whether RSNA (Robuest Security Network Association) security is applied to the generated MPDU frame; ii) if the RSNA security is applied, determining whether a Temporary Key Integrity Protocol (TKIP) security algorithm is applied to the MPDU frame; And iii) if the RSNA security is not applied, determining whether to apply a WEP (Wired Equivalent Protocol) security algorithm to the MPDU frame Data security and operation method in a wireless LAN (LAN) system comprising a. The method of claim 16, Step ii), Applying the TKIP security algorithm, after calculating a variable value for supporting the TKIP, applying the WEP security algorithm to the MPDU frame Data security and operation method in a wireless LAN (LAN) system comprising a. The method of claim 17, Step ii), If the TKIP security algorithm is not applied, a variable value for supporting Counter mode with Cipher-Block Chaining (CBC) -Message Authentication Code (MAC) protocol is calculated, and then the CCMP security algorithm is applied to the MPDU frame. Step to apply Data security and operation method in a wireless LAN (LAN) system comprising a. A data security and operation method in a wireless LAN system including a wireless terminal for receiving or transmitting a data frame from a base station, a) negotiating data security information with the base station according to the security standard of IEEE 802.TG (Task Group) i; b) if the authentication result of the wireless terminal is normal, transmitting and receiving at least one of data and the data frame including the negotiated data security information with the base station; c) securely supporting an MSDU frame generated by application software of the wireless terminal or an MSDU frame received from the mobile terminal; d) securely supporting a MAC Protocol Data Unit (MPDU) frame fragmenting the MSDU frame or an MPDU frame received from the mobile terminal; And e) modulating or demodulating the generated MSDU and MPDU frames to be transmitted or received to the base station; Data security and operation method in a wireless LAN (LAN) system comprising a.