200806055 九、發明說明: 【發明所屬之技術領域】 本發明係關於一種建立無線網路之方法,特別是關於一種建 立無線網路的安全策略之方法。 【先前技術】200806055 IX. INSTRUCTIONS: TECHNICAL FIELD OF THE INVENTION The present invention relates to a method of establishing a wireless network, and more particularly to a method of establishing a security policy for a wireless network. [Prior Art]
區域網路環境之應用是在現代個人電腦的科技術中,區域網 路環境的應用是非常最重要的一環,其係連接所有相鄰之電腦使 得它們彼此之間可以互相連結並資源共享,而使用電腦之經驗及 過程也因此變成前所未有的有趣。雖然區域網路環境具有許多的 優點,但由於在家中建立一個人區域網路環境需花費許:多時間和 —. 金錢,其建立的門檻目前仍然很高,因此區域網路環境的普及化 依舊成長緩慢。雖然網路設備之價錢已比以往便宜,但建立區域 網路環境的知識仍未被視為常識。 此外,傳統的區域網路環境是以有線方式建立,其需將許多 線路整齊排列,但纏繞的線路總是造成那些想要自行建立個-人區_ 域網路環境使用者的困擾,且須耗費大量心力注意這些線路。自 從採用無線網路技術之後,使用者的夢靨似乎結束了,不再有纏 繞的線路要清理也不用再跪著接線路。但是沒有了實質的線路, 保護也變得較弱,駭客可試著攔截並分析藉由射頻:傳輪之:信號:,_ ;:: 以獲得使用者的個人資訊。為了網路安全之目的,在無線網路協 200806055 定中有許多安全程序,藉由執行在網路設備中所選擇之安全程序 可確保此無線區域網路不發生資料洩漏的情形。The application of the regional network environment is in the technology of modern personal computers. The application of the regional network environment is the most important part. It connects all the adjacent computers so that they can connect and share resources with each other. The experience and process of using computers has therefore become more interesting than ever. Although the regional network environment has many advantages, it takes a lot of time and money to establish a local area network environment at home. The threshold for its establishment is still high, so the popularity of the regional network environment is still growing. slow. Although the price of network equipment is cheaper than ever, the knowledge of establishing a regional network environment is still not considered common sense. In addition, the traditional regional network environment is built in a wired manner, and many lines need to be neatly arranged, but the entangled lines always cause troubles for users who want to establish a personal area. It takes a lot of effort to pay attention to these lines. Since the adoption of wireless networking technology, the user's nightmare seems to be over, and there are no more tangled lines to clean up and no need to pick up the line. But without the physical line, the protection becomes weaker, and the hacker can try to intercept and analyze the personal information of the user by means of radio frequency: transmission: signal:, _;::. For the purpose of network security, there are a number of security procedures in the Wireless Networking Protocol 200806055 that ensure that there is no data leakage in this wireless LAN by performing security procedures selected on the network device.
較高的安全設定似乎解決了所有問題,但卻也降低了無線網 路環境之兼容性,當一位受信任的使用者嘗試以無線網路設定其 用戶設備,即使他是一位“受信任的使用者”,他也許仍需先與網 路管理員進行協商,這非常沒效率且太過複雜,更需要大量人力 資源來維護安全程序及協助使用者手動操作其用戶設定。 另一方面,如果使用者想進入無線區域網路,他必須更改其 無線用戶端裝置之設定以通過無線網路之所有安全程序。在現行 的架構上,使用者需與無線區域網路之管理員磋商才能確切知道 其安全設定。否則,使用者就必須一而再地嘗試修改設定以進入 網路,並在不斷失敗中失去耐性。 因此,需要有一個全新的方法能讓使用者順利完成設定,且能 幫助使用者簡單快速的安裝其用戶端是刻不容緩的。A higher security setting seems to solve all the problems, but it also reduces the compatibility of the wireless network environment when a trusted user tries to set up their user device over the wireless network, even if he is a "trusted" Users, he may still need to negotiate with the network administrator first, which is very inefficient and too complicated, and requires a lot of human resources to maintain security procedures and assist users to manually operate their user settings. On the other hand, if a user wants to enter a wireless local area network, he must change the settings of his wireless client device to pass all security procedures over the wireless network. In the current architecture, users need to consult with the administrator of the wireless LAN to know exactly what their security settings are. Otherwise, the user must try to modify the settings again and again to enter the network and lose patience in the event of failure. Therefore, there is a need for a completely new way for users to successfully complete the settings, and it is imperative that users can quickly and easily install their clients.
【發明内容】 : 'V 有鑑於上述所有缺點,本發明揭露一種用於無線用戶端之方 法。當一使用者帶著其無線用戶端裝置來到一個新的無線區域網 路環境,他可能發現其無線用戶端裝置之設定無法被該.無線區域 網路允許,如果他想進入此無線區域網路,他必須更改其無線用- 200806055 戶端裝置之設定以通過其安全程序。在這之前,須先諮詢無線區 域網路之管理者以確實知道其安全設定,然後以手動更改其無線 用戶端之設定。 本發明提供一種全新供使用者自行完成設定之方法,依據本 發明之較佳實施方式,係一供無線用戶端使用之“交握的方法”, 其包含無線用戶端嘗試藉由一無線區域網路的無線伺服器建立一 無線連接,但由於該無線用戶端之安全設定與無線伺服器之安全 設定不符,使得該無線連接無法建立時,無線伺服器則與該無線 用戶端建立一暫時連接以互相聯繫,其透過一動態主機設定協定 (DHCP; Dynamic Host Configuration Protocol)封包戶斤建立之暫時連 接傳送安全設定至該無線用戶端,當用戶端收到後,即可依照所 收到之安全設定更改以符合無線伺服器之設°定,如此無線用戶端 便能安全又順暢的進入該無線區域網路。SUMMARY OF THE INVENTION: 'V In view of all the above disadvantages, the present invention discloses a method for a wireless client. When a user comes to a new wireless local area network with his wireless client device, he may find that the wireless client device settings cannot be allowed by the wireless local area network if he wants to enter the wireless local area network. Road, he must change its wireless use - 200806055 client device settings to pass its security program. Prior to this, you must consult the administrator of the wireless LAN network to know the security settings and then manually change the settings of their wireless clients. The present invention provides a new method for the user to complete the setting. According to a preferred embodiment of the present invention, a method for the wireless user to use the wireless user terminal includes a wireless user terminal attempting to use a wireless area network. The wireless server of the road establishes a wireless connection, but since the security setting of the wireless client does not match the security setting of the wireless server, so that the wireless connection cannot be established, the wireless server establishes a temporary connection with the wireless client. Connected to each other, through a dynamic host configuration protocol (DHCP; Dynamic Host Configuration Protocol), the temporary connection is established to transmit security settings to the wireless client. When the client receives it, it can follow the security settings received. The changes are made to match the wireless server settings so that the wireless client can enter the wireless local area network safely and smoothly.
依據本發明的觀點,供無線用戶端使用之“交握的方法”包 含,依無線用戶端之要求,與一基地台建立一無旅連接^ —該基地 台建立一暫時連接並啟動一雙向的動態主機設定協定,該基地台 過濾來自該無線用戶端除了超文件傳輸協定封包外之其他封包, 藉由無線網路傳送超文件傳輸協定封包至基地台,傳送安全策略 網頁至無線用戶端,以及藉由基地台所提供之安全策略網頁建立 一個連接。 200806055 基地台之通訊形式係包含基礎架構模式與無線點對點傳輸模 式,當無線用戶端沒有一網路通訊協定位址時,態主機設定協定 乃建立一暫時連接。 建立暫.時連接之過程更包含,在無線用戶端與基地台之間, 啟動一雙向的動態主機設定協定;以及基地台提供一個個人網路 通訊協定位址給該無線用戶端。According to the aspect of the present invention, a "handshake method" for use by a wireless client includes: establishing a no-breach connection with a base station according to the requirements of the wireless client terminal - the base station establishes a temporary connection and initiates a two-way connection The dynamic host setting protocol, the base station filters other packets from the wireless client except the super file transfer protocol packet, transmits the super file transfer protocol packet to the base station through the wireless network, and transmits the security policy webpage to the wireless client, and Establish a connection through the security policy web page provided by the base station. 200806055 The communication format of the base station includes the infrastructure mode and the wireless point-to-point transmission mode. When the wireless client does not have a network protocol address, the state host setting agreement establishes a temporary connection. The process of establishing a temporary connection further includes, between the wireless client and the base station, initiating a two-way dynamic host setting protocol; and the base station provides a personal network protocol address to the wireless client.
依據本發明之另一觀點,供無線用戶端使用之“交握的方 法”,其“交握的方法”包含以下步驟:依無線用戶端之需求與一基 地台建立一無線連接^當無線連接因無線用戶端之安全設定不符 而無法建立時,無線伺服器建立一暫時連接至無線用戶端;並籍 由暫時連接傳送一第二安全設定至該無線用戶端;以及無線用戶 端更改第一安全設定以符合該第二安全設定。此外,第一安全設 定及第二安全設定包含數個無線網路安全策略爹數。例如,第一 安全設定及第二安全設定可以是安全密鑰、加密方法及802.11認 證0 二- 【實施方式】 以下將參照相關圖示描述本發明之較佳具體實施例,所有具 體實施例僅用於說明本發明,因此雖以一較佳實施例來描述,但 本發明不受此實施例所限,要了解,在實施:本發明時:不一定會使 用到在此提及之部分或全部特定細節,例如,已被熟知應用的技 200806055 術不需再詳加描述以免多餘的贅敘模糊了本實驗的焦點。 請參照圖1所示,本發明之較佳實施例流程圖說明了用於無 線用戶端之“交握的方法100”之過程,係包含數傭步驟,第一個步 驟102係一個無線用戶端建立一無線連接,其中,無線用戶端嘗 試以一無線區域網路的無線伺服器建立一無線連接,無線用戶端 可以是一個人電腦、個人數位設備、行動電話或膝上型電腦。而 其欲建立之無線連接係IEEE 802.11a、IEEE 802.11b、IEEE 802.11g、IEEE 802.lli或其他類似之標準。 接著在步驟104中,由於無線用戶端與無線伺服器之安全設 定不符,因此無線伺服器拒絕來自無線用戶端之要求,也許實際 上他是一位受信任的使用者或是一位不熟悉無線區域網路設定的 正常使用者。在步驟106中,基地台與無線用戶端建立一暫時連 接以進一走溝通。將無線用戶端之媒體存取控制(MAC ; Media Access Control)位址與存於無線伺服器之可信任列表相核對,即可 分辨該無線用戶端是否為受信任的使用者。而無線用戶端與無線^ :了 伺服器間的暫時連接可以是有線或無線的,端視哪種方式較'為安_ 全。此外,無線區域網路的無線伺服器不但是基地台,也是無線 點對點傳輸伺服器,換言之,無線伺服器之通訊模式係包含一基 礎架構模式與一無線網路點對點傳輸模式。當無線用戶端之網路. 通訊協定位址不被接受時,係由動態主機設定協定的協商來建立 200806055 該暫時連接。更詳細步驟將在後段中描述。According to another aspect of the present invention, a "handshake method" for a wireless user terminal, the "grip method" includes the following steps: establishing a wireless connection with a base station according to the requirements of the wireless user terminal; The wireless server establishes a temporary connection to the wireless client when the security setting of the wireless client does not match, and transmits a second security setting to the wireless client by the temporary connection; and the wireless client changes the first security Set to match the second security setting. In addition, the first security setting and the second security setting include several wireless network security policy parameters. For example, the first security setting and the second security setting may be a security key, an encryption method, and an 802.11 authentication. [II] [Embodiment] Hereinafter, preferred embodiments of the present invention will be described with reference to the related drawings, all of which are only The present invention has been described with reference to a preferred embodiment, but the present invention is not limited to the embodiment, and it is understood that, in the practice of the present invention, the parts mentioned herein are not necessarily used or All of the specific details, for example, the technique 200806055, which has been well known, need not be described in detail so as not to obscure the focus of the experiment. Referring to FIG. 1, a flowchart of a preferred embodiment of the present invention illustrates a process for a "method 100 of a wireless client", which includes a number of commission steps, and a first step 102 is a wireless client. A wireless connection is established in which the wireless client attempts to establish a wireless connection with a wireless local area network wireless server, which can be a personal computer, a personal digital device, a mobile phone or a laptop. The wireless connection to be established is IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11i or the like. Then in step 104, because the wireless client does not match the security settings of the wireless server, the wireless server rejects the request from the wireless client, perhaps in fact he is a trusted user or an unfamiliar wireless The normal user of the local area network setting. In step 106, the base station establishes a temporary connection with the wireless client to communicate further. By checking the media access control (MAC; Media Access Control) address of the wireless client with the trusted list stored in the wireless server, it is possible to distinguish whether the wireless client is a trusted user. The temporary connection between the wireless client and the wireless server can be wired or wireless, and it depends on which method is better. In addition, the wireless local area network wireless server is not only a base station but also a wireless point-to-point transmission server. In other words, the wireless server communication mode includes an infrastructure mode and a wireless network point-to-point transmission mode. When the network address of the wireless client is not accepted, the temporary connection is established by the negotiation of the dynamic host setting protocol. More detailed steps will be described in the following paragraphs.
在步驟108中,當暫時連接被建立後,無線伺服器透過該暫 時連接傳送無線區域網路之安全設定至無線用戶端,其中,基地 台透過暫時連接傳送安全策略至無線用戶端。因為暫時連接也是 以安全的方式建立,如此可確保安全設定不被洩漏。無線區域網 路與無線用戶端之安全設定為數個不同之安全策略參數,其包含 女全岔錄、加岔方法、8 0 2 · 11 §忍證及其他類似者。此外,加密方 法亦包括有線等效協定(WEP; Wired Equivalent Privacy)、先進加 密標準(AES; Advanced Encryption Standard)、資料加密標準(DES; Data Encryption Standard)及其他類似者。再者,802·ll·認證還包 括 Wi-Fi 網路安全存取(WPA ; Wi-Fi Protected Access)、WPA2 及 其他類似者。最後,在步驟110中,無線用戶端依據接收到之安 全設定修改其安全設定,然後無線伺服器即切斷其暫時連接。 請參照圖2所示,本發明較佳實施例之流程圖說明用於無線 用戶端之“交握的方法200”之詳細步驟,:在本例中,,有^無線用戶 端201A和一基地台201B,但此兩裝置僅供舉例而非侷很於此& 方法200是由步驟202開始,無線用戶端201Α作了無線連接 之存取要求,接著在步驟204中,基地台201Β發現此存取要求舆 安全策略不符,便在步驟2〇6建立一暫時連接.時改變對此無豫 用戶端之安全策略,接著在步驟208中,基地台2〇ΐΒ接受建立一 11 200806055 暫時連接之要求。若無線用戶端201A沒有一合法之個人網路通訊 協定位址,就和基地台201B執行一雙向的動態主機設定協定,則 基地台201B提供一個個人網路通訊協定位址給該無線用戶端。 接著在步驟212中,基地台201B過濾無線用戶端201A除超 文件傳輸協定封包外之所有封包。在步驟214中,無線用戶端201A 傳送超文件傳輸協定封包至基地台201B,然後在步驟216中,基 地台201B收到來自無線用戶端201A的超文件傳輸協定封包。接 著’基地台201B執行超文件傳輸協定轉向傳送並傳送安备策略網 頁至無線用戶端201A,而另一方面,無線用戶端201A能夠收到 一列著基地台201B所有安全設定的網頁,無線用戶端2Ό1Α便可. 利用固定的網路瀏覽器來看其所有内容。換言之,在步驟220中, 無線用戶端201A將會收到安全策略的指示。在一段時間222後, 基地台201B將會切斯步驟220中的暫時連接,然後“交握的方法 200”即結束。 本發明提供一個能讓使用者簡單便利又無障礙地設—定無:線網::t: 路之全新方法,因此能不仰賴他人幫忙而自行連接網路。、—.,— 了解本技術的人將容易的從對本發明之說明項目和實施方法 了解本發明之其他實施例,在說明書及專利保護範圍中所使用之 子眼包έ不表示排除與在本發明中不_ 或增加的項目义此外n : 文中使用了某些專業術言吾是為求清楚描述,而非侷限本發明。上 12 200806055 述較佳實施例可視為範例,以附加項定義之本發明亦同。 ) 13 200806055 【圖式簡單說明】 圖一說明本發明之步驟流程圖; 圖二說明本發明之詳細步驟流程圖。 【主要元件符號說明】 14In step 108, after the temporary connection is established, the wireless server transmits the security setting of the wireless local area network to the wireless user terminal through the temporary connection, wherein the base station transmits the security policy to the wireless user terminal through the temporary connection. Because temporary connections are also established in a secure manner, this ensures that security settings are not compromised. The security of the wireless area network and the wireless client is set to several different security policy parameters, including the full female record, the twisting method, the 8 0 2 · 11 § forbearance and the like. In addition, the encryption method includes Wired Equivalent Privacy (WEP), Advanced Encryption Standard (AES), Data Encryption Standard (DES), and the like. In addition, 802·ll· authentication includes Wi-Fi Protected Access (WPA), WPA2 and others. Finally, in step 110, the wireless client modifies its security settings based on the received security settings, and the wireless server then disconnects its temporary connection. Referring to FIG. 2, a flowchart of a preferred embodiment of the present invention illustrates detailed steps of a "method 200 for wireless handshake", in this example, a wireless subscriber 201A and a base. Station 201B, but the two devices are for example only, and the method 200 is started by step 202, the wireless client 201 makes an access request for the wireless connection, and then in step 204, the base station 201 detects this. If the access policy does not match the security policy, then a temporary connection is established in step 2. 6 and the security policy for the user is changed. Then, in step 208, the base station 2 accepts the establishment of a temporary connection of 200806055. Claim. If the wireless subscriber 201A does not have a legitimate personal network protocol address, and performs a two-way dynamic host setup agreement with the base station 201B, the base station 201B provides a personal network protocol address to the wireless subscriber. Next, in step 212, base station 201B filters all packets of wireless client 201A except the hyper file transfer protocol packet. In step 214, the wireless client 201A transmits the hyper-file transfer protocol packet to the base station 201B, and then in step 216, the base station 201B receives the hyper-file transfer protocol packet from the wireless client 201A. Then, the base station 201B performs the hyper file transfer protocol to transfer and transmit the security policy web page to the wireless client 201A. On the other hand, the wireless client 201A can receive a web page listing all the security settings of the base station 201B, and the wireless client. 2Ό1Α. Use a fixed web browser to see all of its content. In other words, in step 220, the wireless client 201A will receive an indication of the security policy. After a period of time 222, base station 201B will terminate the temporary connection in step 220 and then "the method 200 of the handshake" ends. The invention provides a new method which can make the user simple, convenient and unobstructed - no: wire network::t: road, so that it can connect to the network without relying on others' help. The present invention will be readily understood by those skilled in the art from the description of the invention and the embodiments of the invention. The sub-eyes used in the specification and patent protection are not intended to be excluded from the present invention. In the absence of _ or increased project meanings in addition to n: Some of the professional language used in the text is for clarity of description, and is not intended to limit the invention. The preferred embodiment described above can be considered as an example, and the invention defined by the additional items is also the same. 13 200806055 BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a flow chart showing the steps of the present invention; FIG. 2 is a flow chart showing the detailed steps of the present invention. [Main component symbol description] 14