200845650
IX. Description of the Invention

[Technical Field]
The present invention relates to an authentication method for a wireless network system, and in particular to an authentication method that ensures, within a set period of time, that at least one wireless network access point and a plurality of wireless network devices complete identity authentication.

[Prior Art]
Wireless network devices are generally configured with different SSID (Service Set Identifier) codes for joining different networks, and only computers configured with the same code can communicate with one another. Wireless routers or wireless network access points (Access Points; APs) from the same manufacturer ship with the same built-in SSID and with no encryption enabled, so an attacker attempting an illegal connection can join the wireless network using the common initial string, establishing an illegitimate connection and endangering network security.

Further, because the wireless network access point broadcasts its SSID code, a user who wishes to prevent an attacker from obtaining the SSID can disable the broadcast function of the AP or manually configure a different SSID code.

The most important consideration when deploying a wireless network today is its security, and the above shows that reaching even a basic level of security when establishing a wireless connection requires the relevant settings to be configured manually. Some manufacturers have therefore introduced products that not only let users establish a connection quickly but also provide a more secure wireless network. In the AOSS technology introduced by Buffalo, a synchronization button is provided on the wireless network access point (AP). Before the user's wireless network device can form a connection with the access point, the user must enter a user interface (UI) and pass through an authentication procedure; during that procedure the user simply presses the synchronization button on the AP, whereupon the wireless network device (for example a wireless network card) completes authentication with the access point and an encrypted wireless connection is formed. This AOSS technology nonetheless has a drawback in use: while the authentication procedure runs, once the user presses the synchronization button on the access point, the originally built-in SSID code is changed to ESSID_AOSS, and this procedure lasts for some time, until the AOSS-capable wireless network device has formed a connection with the access point. Wireless network devices that were already connected therefore suffer an interruption of transmission because the access point has changed the original SSID. If the access point is used together with multimedia products, this causes considerable inconvenience to users of those products. Thus, although AOSS provides a convenient and secure wireless network, its authentication procedure still causes trouble in use.

[Summary of the Invention]
In view of the authentication shortcomings of existing wireless network products with a push-button connection function described above, the main object of the present invention is to provide a new authentication method for a wireless network system that ensures, within a set period of time, that at least one wireless network access point and a plurality of wireless network devices complete identity authentication.

The principal technical means used to attain this object is to implement the authentication method in a wireless network system comprising at least one wireless network device and at least one wireless network access point, the authentication method mainly comprising:

the wireless network device sending a probe request containing a vendor identification code to each wireless network access point;

each wireless network access point, on receiving the probe request, deciding on the basis of the vendor identification code whether to send a probe response containing the device name of that access point, and, after so deciding, returning the probe response to the wireless network device;

the wireless network device, on receiving the probe response, sending a sync probe request containing the device name of the wireless network device to the wireless network access point;

the wireless network access point, on receiving the sync probe request, waiting until its synchronization button is pressed, then encrypting its key, its IP address and the IP address it assigns to the wireless network device, and answering with a sync probe response;

the wireless network device, on receiving the sync probe response, decrypting it and extracting the key, the IP address of the access point and the IP address of the wireless network device, then switching to another wireless network encryption mode (such as the WPAPSK-AES encryption mode); and

performing the standard authentication handshake procedure to complete the whole connection authentication procedure.

When a user purchases the wireless network system of the present invention to build a securely encrypted wireless local area network, the wireless network device and each of the wireless network access points obtain each other's IP addresses at the same time during the connection authentication procedure, so that once the connection authentication procedure is complete, data exchange can proceed at once, without any further time spent acquiring an IP address.

[Embodiments]
Referring to FIG. 1, one wireless network (10) system for carrying out the authentication method of the present invention comprises a first and a second wireless network device (STA1, STA2), each having a user interface (UI), and a plurality of wireless network access points; in this embodiment the first to the Nth wireless network access points (AP1 to APn) are shown.
The first and second wireless network devices (STA1, STA2) each have a built-in vendor identification code, a user interface code and a device name, where the device name may be a combination code, a MAC code, a user-entered string or the like. The first to Nth wireless network access points (AP1 to APn) each have a built-in vendor identification code, device name, IP address and key, and each is provided with a synchronization button.
The authentication method applied to the above system architecture, described with further reference to FIGS. 2A and 2B, comprises:

the first wireless network device (STA1) sending a probe request to search for all wireless network access points on the wireless network, the probe request containing the vendor identification code of the first wireless network device (STA1) and a code indicating that it has a user interface;

when any of the first to Nth wireless network access points (AP1 to APn) receives the probe request, it extracts the vendor identification code from it and determines whether that code is one to which it may respond; if so, it sends a probe response containing its device name to the first wireless network device (STA1) (S12);

the first wireless network device (STA1) thereby obtains the device names of all of the first to Nth wireless network access points (AP1 to APn) that responded and displays them through its user interface (S13), so that the user can select one of them for the connection procedure (S14);

when the first wireless network access point (AP1) is selected on the user interface of the wireless network device (STA1) to begin the connection authentication procedure, the wireless network device (STA1) further checks whether it has previously completed connection authentication with the first wireless network access point (AP1) now to be connected, that is, whether it has stored the key of the first wireless network access point (AP1); if so, the standard authentication handshake procedure is performed; if not, the following steps are performed:

the first wireless network device (STA1) prompts the user to press the synchronization button of the first wireless network access point (AP1) to be connected, displaying "Please press the synchronization button" on the user interface, and at the same time sends a sync probe request containing the device name of the first wireless network device (STA1) (S16);
once the user presses the synchronization button on the first wireless network access point (AP1), the first wireless network access point (AP1) assigns an IP address to the first wireless network device (STA1) and returns a sync probe response containing the key, the IP address of the wireless network device and the IP address of the wireless network access point (AP1); the sync probe response is AES-encrypted before it is sent (S17);

when the first wireless network device (STA1) receives the sync probe response, it decrypts it and extracts the WPAPSK-AES key, the IP address of the wireless network device (STA1) and the IP address of the wireless network access point (AP1);

the first wireless network device (STA1) stores the MAC address, SSID and WPAPSK-AES key of this wireless network access point and then switches to the WPAPSK-AES encryption mode (S18); and

the standard authentication handshake procedure is performed (S19 to S24).

The standard authentication handshake procedure first sends a normal probe request to the wireless network access point (AP1) (S19); if a normal probe response is obtained (S20), a normal AES authentication request follows (S21); if a normal AES authentication response is obtained (S22), a normal association request is finally sent (S23); and if the normal association response of the wireless network access point is obtained (S24), the connection authentication procedure is complete.
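The first embodiment's exchange (vendor-gated probe response, sync probe request, button-gated AES-encrypted sync probe response, stored-key shortcut), together with the busy response of S161 to S163 that follows, as an added Go example that is not part of the patent. It assumes a vendor-wide AES-128 key known to both access point and device, AES-GCM as the AES mode and a JSON payload, none of which the page specifies, and it replaces the radio with direct method calls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// SyncPayload is the secret content of the sync probe response (S17); JSON is an assumed encoding.
type SyncPayload struct{ PSK, APIP, STAIP string }

// Credential is what the device stores after pairing (S18): AP MAC, SSID and the payload.
type Credential struct {
	MAC, SSID string
	SyncPayload
}

// AP has a synchronization button; Transport is the assumed vendor-wide AES-128-GCM cipher.
type AP struct {
	VendorID, Name, MAC, SSID, IP, PSK string
	Transport                          cipher.AEAD
	ButtonPressed                      bool
	syncingWith                        string // device mid-pairing, "" if idle
}

// STA is a wireless network device; Stored holds credentials keyed by AP MAC.
type STA struct {
	Name      string
	Transport cipher.AEAD
	Stored    map[string]Credential
}

// NewTransport builds the AES-GCM cipher from a 16-byte key (constructed in the test).
func NewTransport(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Probe (S12): answer only a matching vendor code; busy response to others while one device is mid-pairing (S161-S163).
func (ap *AP) Probe(vendorID, staName string) (name string, busy, ok bool) {
	if vendorID != ap.VendorID {
		return "", false, false
	}
	if ap.syncingWith != "" && ap.syncingWith != staName {
		return "", true, false
	}
	return ap.Name, false, true
}

// SyncProbe (S16/S17): reserve the AP for this device until its button is pressed, then assign an IP and return nonce||ciphertext.
func (ap *AP) SyncProbe(staName string) ([]byte, error) {
	if ap.syncingWith != "" && ap.syncingWith != staName {
		return nil, errors.New("busy")
	}
	ap.syncingWith = staName
	if !ap.ButtonPressed {
		return nil, errors.New("waiting for synchronization button")
	}
	ap.ButtonPressed, ap.syncingWith = false, ""
	staIP := "192.168.11.2" // constructed; a real AP allocates from its pool
	plain, _ := json.Marshal(SyncPayload{PSK: ap.PSK, APIP: ap.IP, STAIP: staIP})
	nonce := make([]byte, ap.Transport.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return ap.Transport.Seal(nonce, nonce, plain, nil), nil
}

// Pair is the device side (S16-S18): a stored key lets the standard handshake start
// at once; otherwise decrypt the sync probe response, store MAC/SSID/key, switch mode.
func (sta *STA) Pair(ap *AP) (Credential, string, error) {
	if c, ok := sta.Stored[ap.MAC]; ok {
		return c, "standard handshake", nil
	}
	ct, err := ap.SyncProbe(sta.Name)
	if err != nil {
		return Credential{}, "", err
	}
	ns := sta.Transport.NonceSize()
	if len(ct) < ns {
		return Credential{}, "", errors.New("short sync probe response")
	}
	plain, err := sta.Transport.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return Credential{}, "", err // wrong vendor key or tampered response
	}
	var p SyncPayload
	if err := json.Unmarshal(plain, &p); err != nil {
		return Credential{}, "", err
	}
	c := Credential{MAC: ap.MAC, SSID: ap.SSID, SyncPayload: p}
	sta.Stored[ap.MAC] = c
	return c, "sync probe then WPAPSK-AES", nil
}
```

With a vendor-wide key, as assumed here, the confidentiality of the WPAPSK-AES key inside the sync probe response rests entirely on the button-press window; a practitioner would bind the exchange to a per-pairing secret.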
Further, while the first wireless network device (STA1) is in the process of connecting to the first wireless network access point (AP1), if the second wireless network device (STA2) sends a probe request to the first wireless network access point (AP1) (S161), the first wireless network access point (AP1) sends a busy response to the second wireless network device (STA2) (S162), and on receiving the busy response the second wireless network device (STA2) stops its authentication procedure with the first wireless network access point (AP1) (S163).

It can be seen from the above that when a user purchases the wireless network system of the present invention to build a securely encrypted wireless network (10), the wireless network device (STA1) and the wireless network access points (AP1 to APn) obtain each other's IP addresses at the same time during the connection authentication procedure, so that data transmission can proceed as soon as the procedure is complete; the connection authentication procedure of the present invention can therefore be completed quickly.

Referring to FIG. 3, another preferred embodiment of the present invention mainly uses a second wireless network device (STA2) without a user interface, which instead has a confirm button; the second wireless network device (STA2) forms a wireless network (10a) with the first to Nth wireless network access points (AP1 to APn). With reference to FIGS. 4A and 4B, the authentication method applied to this wireless network system architecture is as follows:
the second wireless network device (STA2) sends a probe request to search for all wireless network access points on the wireless network, the probe request containing the vendor identification code of the wireless network device (STA2) and a code indicating that it has no user interface (S31);

when any of the first to Nth wireless network access points (AP1 to APn) receives the probe request, it extracts the vendor identification code to determine whether it is one to which it may respond; if so, the first to Nth wireless network access points (AP1 to APn) send probe responses containing their device names (S32);

if the second wireless network device (STA2) obtains a response from only one first wireless network access point (AP1), it performs connection authentication with that wireless network access point (AP1); if no wireless network access point responds, it returns to the first step; and if it receives probe responses from several of the first to Nth wireless network access points (AP1 to APn), it sorts them by wireless signal strength and performs connection authentication with the responding access points (AP1 to APn) in that order (S33);
when the second wireless network device (STA2) performs the connection authentication procedure with one of the access points, the first wireless network access point (AP1), the second wireless network device (STA2) further checks whether it has previously completed connection authentication with the first wireless network access point (AP1) now to be authenticated, that is, whether it has stored the key of the first wireless network access point (AP1); if so, the standard authentication handshake procedure is performed (S34); if not, the following steps are performed:

the second wireless network device (STA2) sends a sync probe request (S35); when the first wireless network access point (AP1) receives it, it extracts the device name of the second wireless network device (STA2) from the sync probe request; assuming that the user, having considered the request, decides to press the synchronization button of the first wireless network access point (AP1), the wireless network access point (AP1) answers the second wireless network device (STA2) with a sync probe response (S36);

the second wireless network device (STA2) then waits until the user presses the confirm button on the wireless network device (STA2) and sends a confirm request to the first wireless network access point (AP1) (S37);

when the first wireless network access point (AP1) receives the confirm request, it assigns an IP address to the second wireless network device (STA2) and returns a confirm response containing the key, the IP address of the second wireless network device (STA2) and the IP address of the wireless network access point (AP1) (S38);
the confirm response is AES-encrypted before it is sent;

when the second wireless network device (STA2) receives the confirm response, it decrypts it and extracts the WPAPSK-AES key, the IP address of the second wireless network device (STA2) and the IP address of the first wireless network access point (AP1) (S39);

the second wireless network device (STA2) stores the MAC address, SSID and WPAPSK-AES key of this wireless network access point and then switches to the WPAPSK-AES encryption mode; and

the standard authentication handshake procedure is performed (S40) (S41).

Both embodiments above describe the procedure by which one wireless network device performs connection authentication with one wireless network access point. Referring to FIG. 5, a wireless network (10b) is built on the system architecture of the first wireless network (10) by adding a third wireless network device (STA3) having a user interface, where the first wireless network device (STA1) has already completed connection authentication with the first wireless network access point (AP1) (S51). Referring to FIGS. 6A and 6B:

the third wireless network device (STA3) likewise first sends a probe request to the first to Nth wireless network access points (AP1 to APn) (S52);

when any of the first to Nth wireless network access points (AP1 to APn) receives the probe request, it extracts the vendor identification code to determine whether it is one to which it may respond, and if so each sends a probe response containing its device name (S53);
the third wireless network device (STA3) displays on its user interface the device names of the first to Nth wireless network access points (AP1 to APn) corresponding to all of the probe responses (S54), for the user to select from;

when the user selects the first wireless network access point (AP1) on the user interface (S55), the third wireless network device (STA3) first checks whether it has already stored the key of the first wireless network access point (AP1); if so, it performs the standard authentication handshake procedure directly with that wireless network access point (S65); if not, the following steps are performed:

the third wireless network device (STA3) prompts the user to press the synchronization button of the wireless network access point (AP1) to be authenticated, displaying "Please press the synchronization button" on the user interface, and at the same time sends a sync probe request containing the device name of the third wireless network device (STA3) (S57);

at this point, the user may, through the confirm mode of the operating interface of the first wireless network device (STA1), send a syncing device request to the first wireless network access point (AP1) (S58) to learn whether the first wireless network access point (AP1) is currently being asked to connect by any other wireless network device;

because the first wireless network access point (AP1) has been asked to connect by the third wireless network device (STA3), it sends a syncing device response containing the device name of the third wireless network device (STA3) to the first wireless network device (STA1) (S59);

when the first wireless network device (STA1) receives the syncing device response sent by the authenticated first wireless network access point (AP1), it extracts the device name of the third wireless network device (STA3) (S60) and displays it on its user interface for the user to decide whether to allow or refuse the connection of the third wireless network device (STA3);
if the user chooses to refuse the connection, the first wireless network device (STA1) sends a skip request to the authenticated first wireless network access point (AP1) (S61), whereupon the first wireless network access point (AP1) stores the MAC address of the third wireless network device (STA3) (S62) and never again answers a sync probe request from this third wireless network device (STA3); conversely, if the user allows the authenticated first wireless network access point (AP1) to accept the sync probe request (S63), the first wireless network device (STA1) sends a grant request to the authenticated wireless network access point (AP1);

when the first wireless network access point (AP1) receives the grant request, it assigns an IP address to the third wireless network device (STA3) and returns a sync probe response containing the WPAPSK-AES key, the IP address of the third wireless network device (STA3) and the IP address of the wireless network access point (AP1); the sync probe response is AES-encrypted before it is sent (S64);

when the third wireless network device (STA3) receives the sync probe response, it decrypts it and extracts the WPAPSK-AES key, the IP address of the third wireless network device (STA3) and the IP address of the first wireless network access point (AP1);

the third wireless network device (STA3) stores the MAC address, SSID and WPAPSK-AES key of the first wireless network access point (AP1) and then switches to the WPAPSK-AES encryption mode (S65); and

the standard authentication handshake procedure is then performed; on its completion, the first wireless network access point (AP1) has completed connection authentication with the third wireless network device (STA3) (S66) (S67).
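The access-point side of the syncing device request, skip request and grant request handling shared by the third embodiment above (S58 to S64) and the fourth embodiment (S77 to S83), as an added Go example that is not the patent's own code. Two checks are assumptions added here: only a device that has completed connection authentication may ask or decide, and a skip or grant must name the device the user was shown; a second device asking while one is already waiting is refused, consistent with the busy response of the first embodiment.

```go
package main

import (
	"errors"
	"fmt"
)

// pending is a device whose sync probe request (S57/S76) awaits the user's decision.
type pending struct{ Name, MAC string }

// AdmissionAP is the access-point side of the syncing device request mechanism.
type AdmissionAP struct {
	Authenticated map[string]bool // MACs that completed connection authentication
	Denied        map[string]bool // MACs stored on a skip request (S62/S81)
	Released      []string        // device names sent a sync probe response (S64/S83)
	waiting       *pending
}

// NewAdmissionAP records the MACs of devices already authenticated with this AP.
func NewAdmissionAP(authenticatedMACs ...string) *AdmissionAP {
	ap := &AdmissionAP{Authenticated: map[string]bool{}, Denied: map[string]bool{}}
	for _, mac := range authenticatedMACs {
		ap.Authenticated[mac] = true
	}
	return ap
}

// SyncProbeRequest parks a new device until a decision arrives. A MAC stored by an
// earlier skip request is never answered again (S62/S81), and a second device is
// refused while another is waiting (assumed, mirroring the busy response).
func (ap *AdmissionAP) SyncProbeRequest(name, mac string) bool {
	if ap.Denied[mac] || (ap.waiting != nil && ap.waiting.MAC != mac) {
		return false
	}
	ap.waiting = &pending{Name: name, MAC: mac}
	return true
}

// decider checks that a request comes from a device that already completed
// connection authentication with this AP (assumed check).
func (ap *AdmissionAP) decider(mac string) error {
	if !ap.Authenticated[mac] {
		return fmt.Errorf("%s has not completed connection authentication", mac)
	}
	return nil
}

// SyncingDeviceRequest (S58/S77) tells an authenticated device which device,
// if any, is currently asking this AP for a connection.
func (ap *AdmissionAP) SyncingDeviceRequest(fromMAC string) (string, error) {
	if err := ap.decider(fromMAC); err != nil {
		return "", err
	}
	if ap.waiting == nil {
		return "", nil
	}
	return ap.waiting.Name, nil
}

// take validates a skip or grant: the decision must name the device the user was
// shown (assumed check against a device that slipped in after the response).
func (ap *AdmissionAP) take(fromMAC, shownName string) (*pending, error) {
	if err := ap.decider(fromMAC); err != nil {
		return nil, err
	}
	if ap.waiting == nil || ap.waiting.Name != shownName {
		return nil, errors.New("decision does not match the waiting device")
	}
	p := ap.waiting
	ap.waiting = nil
	return p, nil
}

// SkipRequest (S61/S80): store the MAC and never answer that device's sync probe requests.
func (ap *AdmissionAP) SkipRequest(fromMAC, shownName string) error {
	p, err := ap.take(fromMAC, shownName)
	if err != nil {
		return err
	}
	ap.Denied[p.MAC] = true
	return nil
}

// GrantRequest (S63/S82): release the sync probe response to the waiting device.
func (ap *AdmissionAP) GrantRequest(fromMAC, shownName string) (string, error) {
	p, err := ap.take(fromMAC, shownName)
	if err != nil {
		return "", err
	}
	ap.Released = append(ap.Released, p.Name)
	return p.Name, nil
}
```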
It can be seen from the above description that the first wireless network device (STA1) with a user interface adopted by the present invention further has a built-in security mechanism based on the syncing device request: its user interface is provided with a confirm mode, so that once a wireless network device has completed the connection authentication procedure with the first wireless network access point (AP1), the user can, through the confirm mode of the user interface, send a syncing device request to the authenticated first wireless network access point (AP1). When the authenticated first wireless network access point (AP1) receives it while a new third wireless network device (STA3) happens to have sent the access point a sync probe request for connection authentication, the access point forwards the device name of the new third wireless network device (STA3) to the user interface of the previously authenticated first wireless network device (STA1), so that the user can decide on that same first wireless network device (STA1) whether the encrypted first wireless network access point (AP1) should perform connection authentication with the third wireless network device (STA3). A wireless network device newly added to this local area network can thus complete its connection with the wireless network access point quickly; conversely, if any illegitimate wireless network device attempting a malicious connection sends a sync probe request to the authenticated wireless network access point, this syncing device request security mechanism allows the authentication method of the present invention, once the authentication procedure has been completed, to refuse on its own the sync probe request of the illegitimate wireless network device newly added to the wireless network, which effectively improves security.

The wireless network device with a user interface described above is, like the first wireless network device, provided with a user interface, so each of these wireless network devices lets the user choose the wireless network access point with which connection authentication is to be performed.
However, not all current wireless network device products are provided with a user interface. If the third wireless network device described above is a product without a built-in user interface, the connection authentication flow of that wireless network device according to the present invention is changed; such a device is referred to below as the fourth wireless network device (STA4). Because it has no user interface, it is additionally provided with a confirm button and identifies whether there are wireless network access points nearby by searching wireless signal strength. Referring to FIG. 7, a wireless network (10c) adds a fourth wireless network device (STA4) without a user interface, where the first wireless network device (STA1) has already completed connection authentication with the first wireless network access point (AP1) (S70). Referring to FIGS. 8A and 8B:

the fourth wireless network device (STA4) sends a probe request containing its vendor identification code and a code indicating that it has no user interface (S71);

when any of the first to Nth wireless network access points (AP1 to APn) receives the probe request, it extracts the vendor identification code to determine whether it is one to which it may respond, and if so the wireless network access points (AP1 to APn) send probe responses containing their device names (S72);

if the fourth wireless network device (STA4) obtains a response from only one first wireless network access point (AP1), it performs connection authentication with that first wireless network access point (AP1); if no wireless network access point responds, it returns to the first step (S71);
Step-S (S71); and, if the first to N-th network access points (Ap-APn) are received, the first-to-ninth wireless network is sorted according to the wireless signal strength and sequentially The access point (Ap Apn) performs connection authentication (S73); when the fourth wireless network device (STA4) and the first wireless network access point (AP1) perform connection authentication (S74), it is confirmed first. Whether the password of the wireless_access point (AP1) has been stored, if any, the system 2 connection authentication procedure (S75) is directly performed; otherwise, the following steps are performed; the fourth hotline network device (STA4) Directly issuing a Syncpr〇be request containing the device name of the fourth wireless network device (STA4) (S76); this day τ 'If the user passes the user of the first wireless network device (STA1) As the acknowledgment mode of the η plane, send a Syncjng devjce request (S77) to the first wireless network access point (Ap) lx to know the current first wireless network access point (AP1). 
Whether it is required to be connected by other wireless network devices; because the wireless network access point (AP1) has been installed by the fourth wireless network Setting (STA4) requires connection, so a synchronization device reply (syncjng devjce response) containing the device name of the fourth wireless network device (STA4) is sent to the first wireless network device (STA1) (S78); The wireless network device (STA1) receives the Syncing device response transmitted by the authenticated first wireless network access point (AP1), and then the device of the fourth wireless network device (STA4) 17 200845650 The name is displayed to the first wireless network device (stai) (S79) 'for the user to determine whether to allow or refuse the connection, the user chooses to refuse to connect, and then sends a _ rejection device request (request) to the authenticated wireless Network access point (Api) (S8〇) and this - wireless network access 35 (AP1) will store the fourth wireless network: (STA4) MAC address (S81), never reply to this a synchronous interrogation request of the fourth wireless network device (STA4); conversely, if the user allows the authenticated wireless network access point (Αρι) to receive the synchronous inquiry request, an ancient monument φ p Request (G "ant"equest) to the certified wireless network Access Point (AP1) (S82) · " When the wireless network access point (AP1) receives the permission request, it will transmit the synchronization h 5 (four) overlay (Sync pmbe "espQnse" to the fourth wireless network device ( STA4) (S83); when the fourth wireless network device (STA4) receives the synchronous inquiry reply, wait for the user to press the confirmation button on the fourth wireless network device (STA4); when the confirmation button is pressed The fourth wireless network device (sta4) sends a confirmation request (confirmrequest) (S84); - when the first wireless network access point (AP1) receives the confirmation request, the 
=-wireless network The point (AP1) allocates the |p address to the fourth wireless network nine (STA4), and returns a key containing the 、P address of the fourth wireless network device (STA4) and the wireless network access point ( IP address of AP1)
This confirm response is encrypted with AES before it is sent out (S85).

When the fourth wireless network device (STA4) receives this confirm response, it decrypts it and extracts the WPAPSK-AES key, the IP address of the fourth wireless network device (STA4) and the IP address of the wireless network access point (AP1).

The fourth wireless network device (STA4) stores the MAC address, the SSID and the WPAPSK-AES key of this wireless network access point (AP1), and then switches to the WPAPSK-AES encryption mode (S86).

The standard authentication handshake procedure is then performed (S87) (S88).

Because the probe request that the fourth wireless network device issues at the outset already contains the identification code indicating that it has no user interface, a wireless network access point that works with wireless network devices without a user interface adds the above mechanism of judging the request and replying with a confirm response; that is, the encryption authentication procedure starts only after the fourth wireless network device has issued the confirm request. Hence, with a wireless network device that has no user interface, the present invention can likewise complete connection authentication quickly.

【Brief description of the drawings】

The first figure is the wireless network system architecture diagram of the first preferred embodiment of the present invention.

The second figure A and B are sequence flow charts of the connection authentication method of the present invention applied to the system architecture of the first figure.

The third figure is the wireless network system architecture diagram of the second preferred embodiment of the present invention.

The fourth figure A and B are sequence flow charts of the connection authentication method of the present invention applied to the system architecture of the third figure.

The fifth figure is the wireless network system architecture diagram of the third preferred embodiment of the present invention.

The sixth figure A and B are sequence flow charts of the connection authentication method of the present invention applied to the system architecture of the fifth figure.

The seventh figure is the wireless network system architecture diagram of the fourth preferred embodiment of the present invention.

The eighth figure A and B are sequence flow charts of the connection authentication method of the present invention applied to the system architecture of the seventh figure.

【Description of main component symbols】

(10) (10a) (10b) (10c) wireless network
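As an added illustration, not part of the patent, the following Python model shows how the access point side of steps S71 to S85 above fits together: the vendor identification code check on the probe request, the pending sync probe request that the first wireless network device queries and then grants or rejects, the stored MAC address that is never answered again, and the confirm response carrying the key and the two IP addresses. The device names, vendor code, addresses and key are constructed placeholders, and the AES encryption of the confirm response is left out of the model.

```python
# Added model of AP1's message handling for steps S71 to S85; not the
# patent's implementation. Message names follow the text; the vendor code,
# address pool and key are constructed placeholders; AES is omitted.

class AccessPoint:
    def __init__(self, name, vendor_code, ip, key):
        self.name, self.vendor_code, self.ip, self.key = name, vendor_code, ip, key
        self.pending = {}      # MAC -> device name received in a sync probe request (S76)
        self.rejected = set()  # MACs stored after a reject device request (S81)
        self.granted = set()   # MACs that were sent a sync probe response (S83)
        self.next_host = 10    # constructed address pool: 192.0.2.10 upwards
    def probe_request(self, vendor_code):  # S71 -> S72
        if vendor_code != self.vendor_code:  # only a replyable vendor code is answered
            return None
        return {"type": "probe response", "device": self.name}
    def sync_probe_request(self, mac, device):  # S76
        if mac in self.rejected:  # a rejected MAC is never answered again
            return None
        self.pending[mac] = device
        return "pending"
    def syncing_device_request(self):  # S77 -> S78, sent by STA1 in confirmation mode
        return {"type": "syncing device response", "devices": dict(self.pending)}
    def reject_device_request(self, mac):  # S80 -> S81
        self.rejected.add(mac)
        self.pending.pop(mac, None)
    def grant_request(self, mac):  # S82 -> S83
        if mac not in self.pending:
            return None
        self.granted.add(mac)
        del self.pending[mac]
        return {"type": "sync probe response"}
    def confirm_request(self, mac):  # S84 -> S85, after STA4's confirm button
        if mac not in self.granted:
            return None
        sta_ip = f"192.0.2.{self.next_host}"
        self.next_host += 1
        return {"type": "confirm response", "key": self.key, "sta_ip": sta_ip, "ap_ip": self.ip}

def admit_station(ap, mac, device, user_allows):
    """STA4 asks to join; the STA1 user grants or rejects it (S76 to S85)."""
    if ap.sync_probe_request(mac, device) is None:
        return None
    ap.syncing_device_request()  # STA1 displays the pending device name (S79)
    if not user_allows:
        ap.reject_device_request(mac)
        return None
    ap.grant_request(mac)
    return ap.confirm_request(mac)
```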