九、發明說明: 【發明所屬之技術領域】 本發明係有關於-種無線通訊系統,特別是有關於 無線傳輸網路中能夠產生及散佈一群組鑰。 【先前技術】 典型的無線網路系統包括一或多個用來通訊之接取 裝置。使用者可以透過無線裝置而藉由個人電腦及筆 記型電腦與接取裝置進行通訊傳輸。無線區域網路 (WLANs)最初是允許以無線方式傳輸到一有'線區域網 路(LAN),例如是有線系統不存在的地方或者是支 援傳統有線區域網路不足的區域。WLANs經常用來服 務移動裝置,例如膝上(或筆記)型電腦和個人數位助理 (PDAs)。一般來說,接取點(Access p〇int)是在無線區 域網路之服務區域中用來確保覆蓋範圍内具有足夠的 資料處理能力,以減少每一接取點的設置成本。而, 接取點也必須可以安裝來減小覆蓋範圍的間隙,並且 提供足夠的覆蓋範圍。 無線傳輸網路包括多數的無線連接裝置,是負責分 程傳遞相關移動用戶端的交通流量。舉例來說,無線 傳輸網路具有多數個可以提供IEEE 802.11或藍芽服務 的IEEE 802.11裝置,例如膝上型電腦、個人數位助理 或相類似之裝置。無線傳輸網路更包括一或多個的連 接關係’其係、藉由-或多個邊界裝置連接到有線網 路已配置完成之橋接器(Bridges)並具有無線通訊 及有線通訊的能力。 在無線傳輸網路中,數據流量的機密性與可信賴度 是相當重要的。傳輸領域(廣播)本質上就不安全,因此 加始在無線傳輸網路就變得十分必I。假如無法藉助 硬體方式加密(encrypd〇n)與解密(decrypti〇n)的話在 無線傳輸網路的每—相鄰無線網路裝置之間配對加密 與解密,不僅沒有效率且耗㈣間。數據訊框從一無 線裝置傳送出去後,由無線傳輸網路的一端傳送到該 ’’祠路的另一知,在到達最後目的地之前,必須經過多 次的加密與解密過程。因此,除了配對密鑰之外,仍 然有必要提供-種用於廣播或多重播送數據訊框的群 組金鑰。在無線傳輸網路中,一種更有效率與易於管 理的加岔/解密架構是使用一種全域密鑰(Gl〇bai Encryption Key),以提供無線傳輸網路的加密服務。一 數據訊框從行動用戶端進入無線傳輸網路時,需每次 加在,直到匕到達無線裝置,每次並會相應的解密。 此外,在無線傳輸網路中,無線裝置可能會暫時停 止服務,導致網路分離成數個區塊(segmem)。每個 網路區塊可能具有-個互不相同的全域密錄,它是專 門在該網路區塊所使用。當網路區塊加入一個新的無 線裝置’同時也會產生一個新的全域密錄。本發明特 別是關於-種用於無線裝置以形成無線傳輸網路的單 -全域密錄,以及新加人—個無線裝置的多數個無線 傳輸網路區塊。 【發明内容】 本發明之一目的為一無線傳輸網路中提供一密鑰散 佈的方法,複數個無線傳輸裝置及至少需要一邊緣裝 置在該網路中是需要的。 本發明之一較佳目的提供產生及散佈一新群組鑰, 藉由一设計群組鑰伺服器在該新群組鑰產生之後,包 括设定一群組鑰指標(index)加1。伺服器對每一入口州 仏查一鄰近表,假使每一入口 Ni未更新時,更新每一 入口 Ni新群組鑰及群組鑰指標,及使用入口州的密鑰 用來加岔新群組錄及群組錄指標,之後,該伺服器便 傳送加密群組鑰更新訊息給入口 Ni。 本發明之另一較佳目的藉由一新連接無線傳輸裝置 提供更進一步散佈一新群組鑰,包括從每一新發現鄰 近裝置接收一無線裝置群組鑰,下一步驟為接收表列 中之新連接的鄰近裝置’該裝置比較從每一鄰近的群 組鑰’假使群組鑰是相同的,會合併該結合至一單一 表單,之後,該裝置會選擇群組鑰擁有最大相關群組 繪表當做一新選擇的群組錄。 一種由一指定群組鑰伺服器產生一新群組鑰於新群 組鑰產生後的方法包括設定一群組鑰指標為群組鑰指 標加1 ;檢查鄰近裝置表單中每一入口於該鄰近装置表 單中,若入口尚未更新,更新該每一入口之該新群組 鑰及群組鑰指標;使用入口之一密鑰加密該新群組鑰 及群組鑰指標以及傳送密鑰之更新訊息於該每一入 α 〇 一種由一指定群組鑰伺服器產生一新群組鑰的方法 包括藉由無線裝置接收來自每一新發現鄰近裝置之群 、’且鑰,接收该鄰近新發現之無線裝置連接之表列裝置; 判斷接收群組鑰是否相同於該每一鄰近之新群組鑰 及指標;結合群組鑰於接收自相同鄰近裝置之表列裝 置,若該群組鑰相同時,比較來自該每一鄰近裝置的 所有群組鑰及合併相關表列之裝置至一單一表單中, 以及選擇與表列裝置中具有大相關連之群組錄為一新 選擇的群組錄。 上述方法更包括確保最少數目群組鑰更新訊息傳送 於傳輸網路中之步驟,以及更包括傳送群組繪更新訊 息及新群組錄到每-鄰近裝置具有群組錄不同於新選 擇群組鑰之步驟。 f種無線傳輸裝置自動發現-鄰近裝置及相互完成 'U且的方—無線傳輸裝置決定連接—無線傳 輸網路;發現一任何鄰近無線傳輸裝置;廣播一發現 訊息; 备任何鄰近無線傳輸裝置接收該發現訊息時,傳送 -發現回覆訊息給無線傳輸裝置以及以無線傳輸裝置 對於母-任何接收發現訊息之鄰近無線傳輸裝置啟動 一相互認證程序。 種於帛-無線傳輸裝置及一第二傳輸裝置間相 互認證的方法包括:該第—無線傳輸裝置產生一第一 隨機參數,當作-第一文字片段(cookie)訊息單元;該 第-無線傳輸裝置於該文字片段(⑽kie)訊息單元中選 擇文字片段’用來傳送—第—問候訊息給該第二無線 傳輸裝置’當所接收該第一問候訊息,該第二無線傳 輸裝置產生一第一隨機參數當作一第二文字片段訊息 單元;該第二無線傳輸裝置傳送一第二問候訊息包含 訊息單元給第一無線傳輸裝置;當接收該第二問候訊 息,該第一無線傳輸装置計算該第二問候訊息使用一 預先分享鑰的值,用來作為第一無線傳輸裝置對第二 1322608 無線傳輸裝置之認證;藉由第一無線傳輸裝置用來傳 送包含訊息單元之第三問候訊息;以及藉由第二無線 傳輸裝置接收第三問候訊息及使用安裝於第二無線傳 輸裝置之預先分享鑰確認第一無線傳輸裝置,假使第 一無線傳輸裝置的認證為正確’第二無線傳輸裝置會 傳送一第四問候訊息表示對第一無線傳輸裝置之相互 認證成功,反之,認證則為失敗。 上述方法更包括第一及第二無線傳輸裝置皆相立認 證成功時產生一配對密鑰。其中一但第一無線傳輸對 所有鄰近發現裝置已完成相互認證,第一無線傳輸裝 置傳送一配置要求給每一已認證之鄰近裝置。其中該 配置要求以該相互認證程序後產生之配對密鑰加密。 文字片段訊息單元提供服務於確認該第二無線傳輸裝 置以及於該相互認證完成之後產生配對鑰提供新鑰更IX. INSTRUCTIONS: TECHNICAL FIELD OF THE INVENTION The present invention relates to a wireless communication system, and more particularly to the generation and dissemination of a group of keys in a wireless transmission network. [Prior Art] A typical wireless network system includes one or more access devices for communication. Users can communicate with the access device via a personal computer and a pen-type computer via a wireless device. Wireless local area networks (WLANs) were originally allowed to wirelessly transmit to a 'line area network (LAN), such as where the wired system does not exist or where the traditional wired area network is insufficient. WLANs are often used to service mobile devices such as laptop (or note) computers and personal digital assistants (PDAs). In general, the access point (Access p〇int) is used in the service area of the wireless local area network to ensure sufficient data processing capability within the coverage to reduce the setup cost of each access point. However, the access point must also be installed to reduce the gap in coverage and provide adequate coverage. The wireless transmission network includes most of the wireless connection devices, which are responsible for distributing the traffic flow of the relevant mobile client. For example, a wireless transmission network has a number of IEEE 802.11 devices that can provide IEEE 802.11 or Bluetooth services, such as laptops, personal digital assistants, or the like. The wireless transmission network further includes one or more connection relationships, which are connected to the wired network bridges (Bridges) by a plurality of border devices and have the capability of wireless communication and wired communication. In wireless transmission networks, the confidentiality and trustworthiness of data traffic is important. The transmission domain (broadcasting) is inherently insecure, so it becomes imperative to start over the wireless transmission network. If it is impossible to encrypt and decrypt (decrypti〇n) and encrypt (decrypti〇n) each pair of adjacent wireless network devices in the wireless transmission network, it is not only inefficient and consumes (four). After the data frame is transmitted from a wireless device, another end of the wireless transmission network transmits another knowledge to the ''roadway', which must undergo multiple encryption and decryption processes before reaching the final destination. Therefore, in addition to the pairing key, it is still necessary to provide a group key for broadcasting or multicasting data frames. In wireless transmission networks, a more efficient and manageable encryption/decryption architecture uses a global key (Gl〇bai Encryption Key) to provide encryption services for wireless transmission networks. When a data frame enters the wireless transmission network from the mobile client, it needs to be added every time until it reaches the wireless device, and each time it will be decrypted accordingly. In addition, in a wireless transmission network, the wireless device may temporarily stop the service, causing the network to separate into several segmems. Each network block may have a different global secret record, which is specifically used in the network block. When the network block is added to a new wireless device, a new global secret record is also generated. More particularly, the present invention relates to a single-to-global secret recording for a wireless device to form a wireless transmission network, and a plurality of wireless transmission network blocks for a newly added wireless device. SUMMARY OF THE INVENTION One object of the present invention is to provide a method of key distribution in a wireless transmission network. A plurality of wireless transmission devices and at least one edge device are required in the network. A preferred object of the present invention provides for generating and distributing a new group key, by a design group key server, after the new group key is generated, including setting a group key index plus one. The server checks a neighboring table for each entry state, and if each entry Ni is not updated, updates each entry Ni new group key and group key indicator, and uses the key of the entry state to add a new group. The group and group record indicators, after which the server transmits an encrypted group key update message to the entry Ni. Another preferred object of the present invention is to provide a further distribution of a new group key by a new connection wireless transmission device, comprising receiving a wireless device group key from each newly discovered neighboring device, the next step being in the receiving list The newly connected neighboring device 'the device compares each neighboring group key', if the group key is the same, the combination is merged into a single form, after which the device selects the group key to have the largest relevant group Paint the table as a new selection of group records. A method for generating a new group key by a specified group key server after the new group key is generated includes setting a group key indicator to add 1 to the group key indicator; checking each entry in the neighboring device form in the proximity In the device form, if the portal has not been updated, the new group key and the group key indicator of each entry are updated; and the new group key and the group key indicator and the transmission key update message are encrypted by using one of the entry keys. The method for generating a new group key by a specified group key server includes receiving, by the wireless device, a group, 'and key from each newly discovered neighboring device, receiving the neighboring new discovery. a device for connecting the wireless device to the device; determining whether the received group key is the same as each of the neighboring new group keys and indicators; and combining the group key with the list device received from the same neighboring device, if the group key is the same Comparing all the group keys from the neighboring devices and the devices that merge the related table columns into a single form, and selecting the group having a large correlation with the list device to be recorded as a newly selected group. . The method further includes the steps of ensuring that a minimum number of group key update messages are transmitted in the transmission network, and further comprising transmitting a group map update message and recording the new group to each of the neighboring devices having a group record different from the new selection group. The key step. f kinds of wireless transmission devices automatically discover - neighboring devices and mutually complete 'U's party - wireless transmission device determines connection - wireless transmission network; find a neighboring wireless transmission device; broadcast a discovery message; prepare for any neighboring wireless transmission device In the discovery message, the transmission-discovery message is sent to the wireless transmission device and a mutual authentication procedure is initiated by the wireless transmission device for the parent-negative wireless transmission device that receives the discovery message. The method for mutual authentication between the wireless transmission device and a second transmission device includes: the first wireless transmission device generates a first random parameter, which is regarded as a - first text segment (cookie) message unit; the first wireless transmission The device selects a text segment in the text segment ((10) kie) to transmit a -first greeting message to the second wireless transmission device. When the first greeting message is received, the second wireless transmission device generates a first The random parameter is regarded as a second text segment message unit; the second wireless transmission device transmits a second greeting message including the message unit to the first wireless transmission device; and when receiving the second greeting message, the first wireless transmission device calculates the The second greeting message uses a pre-shared key value for authenticating the second 1322608 wireless transmission device as the first wireless transmission device; and the third wireless transmission device is configured to transmit the third greeting message including the message unit; Receiving the third greeting message by using the second wireless transmission device and using the pre-shared key installed in the second wireless transmission device Identify a first radio transmission device, if the authentication of the first wireless transmission apparatus to the correct 'second wireless transmission means sends a fourth message expressed regards mutual successful authentication of the first wireless transmission apparatus, on the contrary, the authentication was failure. The method further includes generating a pairing key when the first and second wireless transmission devices are successfully authenticated. One of the first wireless transmissions has completed mutual authentication for all of the proximity discovery devices, and the first wireless transmission device transmits a configuration request to each authenticated neighboring device. The configuration requires encryption with a pairing key generated after the mutual authentication procedure. The text segment message unit provides a service for confirming the second wireless transmission device and generating a new key after the mutual authentication is completed.
上述方法更包括該第二無線傳輸裝置產生一 Diffie-Hellman public key(DH_PubKey_B);以及,使用 一虛擬隨機參數(pseudo random function,PRF)和〆預 先配置分享鑰來簽定該第二無線傳輸裝置媒介存取裝 置(MAC)的位址。其中該虛擬隨機參數為HMAC-MD5 或HMAC-SHA1 〇 HMAC-MD5當做預設之虛擬隨機參 1322608 數。其中第三問候訊息具有該訊息單元包括第一無線 傳輸裝 置之一 Diffie-Hellman public key(DH一PubKey一A) ’及第一無線傳輸裝置所擁有的認 證(signature)HASH一 A。更包括當該第二無線傳輸裝置 不匹配時’藉由第一無線傳輸裝置,傳送一第四問候 訊息給第二無線傳輸裝置。 【實施方式】 本發明提供一種方法及一種在無線傳輸網路内提供 安全通訊的裝置。本發明提供一種方法,可以產生、 維護及分配全域密鑰至無線傳輸網路的所有無線裝 置。本發明提供一種裝置,其係使用於一無線裝置, 可以將具有不同全域密鑰的無線傳輸網路區塊加入到 具有單一全域密錄的無縫式(seamlessly)且整合的無線 傳輸網路。 無線傳輸網路 圖1顯示一無線傳輸網路’係包括至少一邊界裝 置(edge device) 100。有線網路140可以加入邊界裝置 1〇〇、橋接器(Bridges)及接取點(Access points)或基 地台(Base Stations)(圖中未示)。本發明更包括多 數個無線傳輸裝置110,該些裝置是藉由無線連接方式The method further includes the second wireless transmission device generating a Diffie-Hellman public key (DH_PubKey_B); and signing the second wireless transmission device by using a pseudo random function (PRF) and a pre-configured sharing key. The address of the Media Access Device (MAC). The virtual random parameter is HMAC-MD5 or HMAC-SHA1 〇 HMAC-MD5 is used as the preset virtual random parameter 1322608. The third greeting message has the message unit including a Diffie-Hellman public key (DH-PubKey-A) of the first wireless transmission device and a signature HASH-A owned by the first wireless transmission device. Further, when the second wireless transmission device does not match, a fourth greeting message is transmitted to the second wireless transmission device by the first wireless transmission device. [Embodiment] The present invention provides a method and an apparatus for providing secure communication within a wireless transmission network. The present invention provides a method of generating, maintaining, and distributing a global key to all wireless devices of a wireless transmission network. The present invention provides an apparatus for use in a wireless device that can add wireless transmission network blocks having different global keys to a seamlessly and integrated wireless transmission network having a single globally recorded voice. Wireless Transmission Network Figure 1 shows a wireless transmission network' including at least one edge device 100. The wired network 140 can be incorporated into border devices, bridges, and access points or base stations (not shown). The present invention further includes a plurality of wireless transmission devices 110, which are connected by wireless means.
1212
丄J厶厶VJVJO丄J厶厶VJVJO
耗合到—邊界裝置胸。該些無線傳輸裝置110具有在 無線網路中分程傳遞廣播訊框的能力。已配置完成之 邊界裝置1GG並具有無線軌及有.㈣訊的能力。每個 邊界裝置100均可與無線傳輸裝置進行通訊,無線傳輸 裝置110再與其他鄰近裝置通訊,該鄰近裝置例如是 或夕個行動用戶端120或其他鄰近的無線傳輸裝 擊 月,考圖1,無線傳輸網路包括一或多個具有IEEE 802·11能力的裝置,以提供具有IEEE 802 u或藍牙能 力的用戶端傳輸服務,該用戶端例如是膝上(或筆記) 型電腦、個人數位助理或是其他類似的裝置。無線傳 • 輸網路更包括一或多個的連接關係,其係藉由一或多 - 個邊界裝置1〇〇連接到有線網路。 如圖1所示,所有的無線傳輸裝置可以經由無線 _ 網路傳遞廣播訊框到其他的行動用戶端或無線傳輸裝 置。本發明並不是直接涉及控制傳輸的路徑,而係有 關於無線網路的加密及/或解密服務。無線傳輪裝置包 括具有一資訊表格,該資訊包含鄰近裝置,來自特定 的無線傳輸裝置所傳送之廣播訊框可被該鄰近裝置接 收。無線傳輸網路包括至少一個邊界裝置100,耦接於 有線區域網路與無線區域網路之間。至少一個無線傳 輸裝置110,是經由無線網路連接到邊界裝置1〇〇及至 13 1322608 少一個行動用戶端120。無線傳輸裝置11〇可以建構出 無線傳輸網路之其中一個區塊。 提供加密服務的方法 本發明係有關於一種在無線傳輸網路提供加密 服務的方法。請參考圖2所示,本發明之方法包括一初 始步驟200,其指定一無線裝置當作全域密鑰之伺服 # 器,以產生、維護供無線傳輸網路加密用之全域密鑰。 無線裝置可以是任一行動無線裝置、邊界裝置或橋接 器。上述提到之裝置藉以建構出無線傳輸網路之其中 一個區塊❶隨後進入步驟210,全域密鑰從全域密鑰之 ' 伺服器(已指定之無線裝置)散佈至在同一無線傳輸 - 網路内的所有無線裝置。當無線裝置接收到全域密鑰 後’該無線裝置會執行隨後之程序,將一現在的全域 _ 讼鑰取代成一新的密鑰(步驟22〇),換言之為目前接 收的全域密錄(Current Received Global Encryption Key)。在步驟230中,無線裝置在同一無線傳輸網路 内以未失去流量及安全的方式將一到期的全域密鑰轉 換為一新的全域密錄。 在下一步驟240中,若無線傳輸網路中已指定的 全域密錄伺服器發生暫時的故障,則由使用者、控制 單凡或網路服務提供業者選擇一新且已指定的全域密 14 、 1322608 鑰伺服器。在步驟250中,當故障的全域密鑰伺服器恢 復時,系統服務業者重新選擇一個全域密鑰的伺服器。 請參考圖3所示,當無線傳輸網路間相互通訊時,一 802.11 WDS訊框格式擁有一特定標頭(WIT Shim標頭) 於所有無線傳輸裝置中,以利於一傳輸網路控制、管 理和資料轉換。圖3顯示該協定標頭及訊息格式,包括 控制/管理資料訊框格式。該Shim標頭為24位元組其格 式顯示於圖4中。該鑰位址使用表示群組鑰使用於一無 線傳輸網路,WIT控制訊息使用在無線傳輸裝置維持和 管理一無線傳輸網路,該格式顯示於圖5中。舉例言 之,在群組鑰散佈過程時,群組鑰更新訊息傳送給一 無線傳輸傳送至其鄰近裝置。 因此,本發明提供shim標頭架構,包括: 一具有版本數字號的版本資訊的位元群組; 一具有格式資訊的位元群組; 一具有旗標的位元群組; 一具有優先權訊框資訊的位元群組; 一具有群組識別碼資訊的位元群組; 一具有生命週期值資訊的位元群組; 一具有鑰位址資訊的位元群組; 一具有封包片段識別碼資訊的位元群組; 15 1322608 一具有預備資訊的位元群組;以及 一具有保存乙太格式資訊的位元群組。 其中該位元群組提供的格式資訊,包括: 100b係為控制訊框以路由訊息、發現的鄰近節點及 ping/追蹤路由訊框; 010b係為管理者訊框以發佈公佈用戶端會員;以及 000b係為從用戶者或到用戶者的資料訊框,包括用 戶端資料、配置及網路管理者。 該位元組群組提供的旗標資訊,包括: 位元8係為會員的公佈; 位元9係為通道訊框; 位元10係為骨幹節點警報; 位元11係為不轉送的位元; 位元12係為封包片段旗標; 位元13係為另外的封包片段旗標;以及 位元14及15係為預備的位元。 該位元群組提供優先權的訊框資訊包括從最低位元 0到最高位元7的訊框。 該位元群組提供鑰位址資訊,包括群組鑰位址,在 傳輸裝置之間若配對鑰被使用,則該群組鑰位址為〇, 若所有的内容均為〇,則該訊框沒有加密。 1322608 該位元組群組提供的輔助位址資訊,包括: 旗標位元8,設定係為來源者的位址; 旗標位元9的設定係為通道目的地傳輸裝置的位 址;以及 旗標位元8及位元9係為未設定的及該廣播訊框係 為之前發送此廣播訊框兩步前裝置的位址。 該位元群組提供保留資訊,包括2位元組領域被使用 於標頭4位元組對齊。 該位元群組提供預存的乙太格式資訊以運送原始的 乙太格式值。 請參照圖5所示,一 WIT控制訊息包括一訊息標頭及0 或更多訊息單元,該WIT格式控制訊息包括多數訊息單 元1-N,N為一整數。 WIT訊息標頭格式如圖6所示,該標頭包括: 一具有格式資訊的位元群組; 一具有訊息種類資訊的位元群組; 一具有訊息型態資訊的位元群組; 一具有序列資訊的位元群組; 一具有訊息長度資訊的位元群組; 一具有APX MAC位址資訊的位元群組; 一具有保留資訊的位元群組;以及 17 一具有訊息單元資訊的位元群組。 圖7表示本發明訊息單元格式,包括一具有訊息單元 典型資訊的位元群組,一具有訊息長度的位元群組以 及群組鑰值。 群組鑰由設計群組鑰伺服器產生,該伺服器為一無 線傳輸網路中主要邊緣無線裝置,產生方法如下所示: 群組鑰=PRF(預先分享鑰,”網狀網路群組鑰” || 通知||指定設計鑰伺服器媒介存取控制位址), PRF為虛擬隨機參數,在此使用HMAC-MD5,預先 分旱錄由所有無線傳輸裝置在相同無線傳輸網路間為 一預先機密安裝分享。通知為一隨機產生64位元組, 提供新群組鑰。使用上述參數當作輸入值,該群組鑰 首先由網狀網路群組鑰、通知及指定設計鑰伺服器媒 介存取控制位址計算連成單串一序列(single string),隨 後使用HMAC-MD5當作虛擬隨機參數將其與混合預先 分享錄混合。 在一群組鑰產生之後,指定設計群組鑰伺服器散佈 該新群組鑰經過無線傳輸網路,該散佈過程採用兩種 演算法。第一演算法,當一新群組鑰產生時,由設計 指定群組鑰伺服器完成。第二演算法,當接收一鄰近 群組鑰更新訊息時,由一網狀節點實行。 1322608 圖8表示當-新群組錄產生時,該程序藉由設計指定 群組鑰伺服器完成。群組鑰伺服器將修改該群組鑰為 一特定週期或隨機。因此,為了產生該新群組鑰,群 組鑰伺服器設定該群組鑰指標加丨,如步驟8〇〇。隨後, 該伺服器檢查每一入口 Ni鄰近表,步驟81〇。若尚未更 新,該伺服器會更新每一入口 Ni之一新群組鑰及新群 組指標,步驟820。之後,使用密鑰加密該新群組鑰及 指標,步驟830。傳送加密群組鑰更新訊息給每一入口 Ni,步驟840。之後群組錄伺服器會重回步驟81 〇 ,直 到迴路完成。 一無線傳輸裝置之錄分佈如圖9A及圖9B所示,圖9B 中,步驟900, 一無線傳輸裝置由一鄰近裝置接收一群 組鑰更新訊息。步驟910,接收新群組鑰及群組鑰指標 和現有群組鑰及群組鑰指標做比較,當比較結果相同 時’不需採取進一步的過程。反之,步驟920,將更新 原本群組鑰及群組鑰指標更新為一新接收的群組鑰部 分’檢查鄰近表中每一鄰近群組及群組鑰指標。更新 鄰近表中的資訊給和群組鑰及群組鑰指標不相同的鄰 近裝置。步驟930,傳送一群組鑰更新訊息,加密一雙 絞線配對密鑰給每一有紀錄更新於步驟9 20之鄰近裝 置。 1322608 上述更清楚的流程圖於圖9 A中。 900A:由鄰近Ni接收一群組鑰更新訊阜. 觀:設定Gkey_new為所接收新的鮮峰和群組餘 指標; 92(^判斷目前群組錄和位址是否相同於該接收群 組鑰和群組鑰指標,若結果相同,則不需要更進一步 的程序; 930A:反之,檢查每一鄰近表群組鑰及群組鑰指標, 更新鄰近表中和目刖群組鑰和群組錄指標不相同的資 訊; 940A :設定GkeyJ為目前入口 Nj群組鑰及群組鑰指 標; 945A :決定目前入口 Nj是否為新群組鑰傳送者; 950A :若目前入口 Nj為新群組鑰的傳送者,以 Gkey—new更新入口並回到步驟930A ; 960A :否則,檢查是否新Gkey_new相同於GkeyJ, 若結果相同,回到步驟930A ; 970A:反之,由Gkey_new更新Nj入口表; 980A :使用雙絞線配對密鑰Nj加密新群組鑰; 990A :傳送加密群組鑰更新訊息給Nj ’並回至步驟 930A。 20 1322608 一無線傳輸裝置自動發現該鄰近裝置及完成相互認 證。圖10表示該無線傳輸裝置中發現及相互認證協 定。舉例言之,無線裝置A決定加入一無線傳輸網路, 發現任何鄰近無線傳輸裝置時,會首先廣播一發現訊 息,任何無線傳輸裝置接收該發現訊息,會傳送一發 現回覆訊息給裝置A。在一小段時間過後,裝置A開始 相互認證過程給每一接收發現回覆訊息裝置。 裝置A及裝置B間相互認證的步驟: 1. 裝置A產生一隨機參數(CK 一 A)當作文字片段 (cookie)訊息單元,此隨機參數可為32位元組’該文字 片段承載服務包含確認與裝置B間相互認證及當產生 雙絞線配對鑰在相互認證完成之後提供新鑰。 2. 裝置A傳送該第一問候訊息包含由文字片段訊息 單元選擇之文字片段給裝置B。 3. 根據接收該第一問候訊息,裝置B產生一隨機參數 CK_B當做文字片段。選擇性地選擇無線裝置B能夠產 生 Diffie-Hellman public key(DH_PubKey_B),B表示媒 介存取控制位置使用虛擬隨機參數及預先安裝分享鑰 指定媒介存取控制位置。該典型虛擬隨機參數使用 HMAC-MD5或HMAC-SHA1。我們使用 HMAC-MD5當 做預先值,該簽證HASH_B計算為·· ③ 21 1322608 HASH_B = PRF(預先分享鑰網狀網路” || Β 的媒介存取控制位址), 或若一 使用, HASH_A = PRF(預先分享鑰,”網狀網路”丨丨 DH_PubKey_B丨| B的媒介存取控制位址)。 4_裝置B傳送一第二問候訊息單元CK_B給裝置A,選 擇性傳送DH_PubKey_B之後為HASH_B。 5.當根據接收該第二問候訊息,裝置A藉由使用裝置 A的預先分享鑰值計算HASH_B以驗證裝置B之簽證。 若該簽證簽證(signature)不相同,裝置A傳送第三問候 訊息CK—A及AUTH_FAILED給裝置B。 若該簽證確認後,裝置A傳送該第三問候訊息單 元 CK_A,選擇選取性 Diffie_Hellman public key(DH—PubKey_A)、AUTH_OK 及所本身之簽證 HASH_A本身簽證,簽證HASH_A以下列方式計算為: HASH_A = PRF(預先分享鑰,”網狀網路” ||A的媒 介存取控制位址), 或若一 DH—使用, HASH_B = PRF(預先分享鑰網狀網路” |丨 DH一PubKey_A || A的媒介存取控制位址)。 若 Diffie-Hellman 被使用,之後 一 ⑧ 22 1322608Consumed to the border device chest. The wireless transmission devices 110 have the ability to relay broadcast frames in a wireless network. The boundary device 1GG has been configured and has the capability of a wireless track and a (four) message. Each of the border devices 100 can communicate with a wireless transmission device, and the wireless transmission device 110 communicates with other neighboring devices, such as a mobile mobile terminal 120 or other nearby wireless transmission loading month. The wireless transmission network includes one or more IEEE 802.11 capable devices to provide an IEEE 802 u or Bluetooth capable client transmission service, such as a laptop (or note) type computer, personal digital Assistant or other similar device. The wireless transmission network further includes one or more connection relationships, which are connected to the wired network by one or more border devices. As shown in Figure 1, all wireless transmission devices can transmit broadcast frames to other mobile clients or wireless transmission devices via the wireless network. The present invention is not directly related to the path of controlling transmission, but is related to encryption and/or decryption services for wireless networks. The wireless transport device includes a form of information containing neighboring devices from which broadcast frames transmitted by a particular wireless transmission device can be received. The wireless transmission network includes at least one border device 100 coupled between the wired area network and the wireless area network. At least one wireless transmission device 110 is connected to the border device 1 via the wireless network and to one mobile client 120 via 13 1322608. The wireless transmission device 11 can construct one of the blocks of the wireless transmission network. The present invention relates to a method of providing an encryption service over a wireless transmission network. Referring to Figure 2, the method of the present invention includes an initial step 200 of designating a wireless device as a global key server to generate and maintain a global key for wireless transmission network encryption. The wireless device can be any mobile wireless device, border device or bridge. The above mentioned device constructs one of the blocks of the wireless transmission network, and then proceeds to step 210, and the global key is spread from the global key 'server (designated wireless device) to the same wireless transmission-network All wireless devices inside. When the wireless device receives the global key, the wireless device performs a subsequent procedure to replace a current global_claim key with a new one (step 22〇), in other words, the currently received global secret record (Current Received). Global Encryption Key). In step 230, the wireless device converts an expired global key into a new global secret record in the same wireless transmission network in a manner that does not lose traffic and security. In the next step 240, if a temporary failure occurs in the specified local secret server in the wireless transmission network, the user, the control unit or the network service provider selects a new and designated global secret 14 . 1322608 key server. In step 250, when the failed global key server is restored, the system service provider reselects a server for the global key. Referring to FIG. 3, when the wireless transmission networks communicate with each other, an 802.11 WDS frame format has a specific header (WIT Shim header) for all wireless transmission devices to facilitate control and management of a transmission network. And data conversion. Figure 3 shows the protocol header and message format, including the control/management data frame format. The Shim header is a 24-bit tuple whose format is shown in Figure 4. The key address is used to indicate that the group key is used in a wireless transmission network, and the WIT control message is used to maintain and manage a wireless transmission network in the wireless transmission device. The format is shown in FIG. For example, during the group key distribution process, the group key update message is transmitted to a wireless transmission for transmission to its neighbors. Therefore, the present invention provides a shim header architecture, including: a group of bits having version information of a version number; a group of bits having format information; a group of bits having a flag; a group of bits of frame information; a group of bits having group identification code information; a group of bits having life cycle value information; a group of bits having key address information; and having a segment identification A group of bits of code information; 15 1322608 a group of bits having preliminary information; and a group of bits having information for saving the format of the Ethernet. The format information provided by the bit group includes: 100b is a control frame to route messages, discovered neighbor nodes, and ping/tracking routing frames; 010b is a manager frame to publish and publish user members; 000b is the data frame from the user or the user, including the client data, configuration and network administrator. The flag information provided by the byte group includes: bit 8 is the member's announcement; bit 9 is the channel frame; bit 10 is the backbone node alarm; bit 11 is the non-transferred bit Element; bit 12 is the packet fragment flag; bit 13 is the additional packet fragment flag; and bits 14 and 15 are the reserved bits. The frame information for which the bit group provides priority includes a frame from the lowest bit 0 to the highest bit 7. The bit group provides key address information, including a group key address. If a pairing key is used between transmission devices, the group key address is 〇, if all the content is 〇, then the message The box is not encrypted. 1322608 The auxiliary address information provided by the byte group includes: a flag bit 8, which is set as the address of the source; and a flag bit 9 is set as the address of the channel destination transmission device; The flag bit 8 and the bit 9 are unset and the broadcast frame is the address of the device before the two-step transmission of the broadcast frame. This bit group provides retention information, including a 2-byte field that is used for header 4-byte alignment. This bit group provides pre-stored Ether format information to carry the original Ether format value. Referring to FIG. 5, a WIT control message includes a message header and 0 or more message units. The WIT format control message includes a plurality of message units 1-N, and N is an integer. The WIT message header format is as shown in FIG. 6. The header includes: a bit group having format information; a bit group having message type information; and a bit group having message type information; a group of bits having sequence information; a group of bits having message length information; a group of bits having APX MAC address information; a group of bits having reserved information; and 17 having information about the message unit Bit group. Figure 7 shows the message unit format of the present invention, including a group of bits having typical information of the message unit, a group of bits having a length of the message, and a group key value. The group key is generated by a design group key server, which is a primary edge wireless device in a wireless transmission network, and is generated as follows: Group Key = PRF (Pre-Share Key, "Mesh Network Group Key" || Notification||Specify Design Key Server Media Access Control Address), PRF is a virtual random parameter, here HMAC-MD5, pre-sorted by all wireless transmission devices between the same wireless transmission network A pre-confidential installation share. The notification is a random generation of 64 bytes, providing a new group key. Using the above parameters as input values, the group key is first concatenated into a single string by the mesh network group key, the notification, and the specified design key server medium access control address, and then HMAC is used. - MD5 is mixed with the hybrid pre-shared record as a virtual random parameter. After a group key is generated, the designated design group key server distributes the new group key through the wireless transmission network, and the scatter process employs two algorithms. The first algorithm, when a new group key is generated, is done by the designation specified group key server. The second algorithm is implemented by a mesh node when receiving a neighboring group key update message. 1322608 Figure 8 shows that when a new group record is generated, the program is completed by designating a specified group key server. The group key server will modify the group key to a specific period or random. Therefore, in order to generate the new group key, the group key server sets the group key indicator to be incremented, as in step 8〇〇. Subsequently, the server checks each entry Ni proximity table, step 81. If not updated, the server updates one of the new group keys and the new group indicator for each entry Ni, step 820. Thereafter, the new group key and indicator are encrypted using the key, step 830. An encrypted group key update message is transmitted to each entry Ni, step 840. The group recording server will then return to step 81 〇 until the loop is complete. The recording distribution of a wireless transmission device is as shown in Figs. 9A and 9B. In Fig. 9B, in step 900, a wireless transmission device receives a group key update message from a neighboring device. In step 910, the new group key and the group key indicator are compared with the existing group key and the group key indicator, and when the comparison result is the same, no further process is required. Otherwise, in step 920, the update original group key and the group key indicator are updated to a newly received group key portion to check each neighbor group and group key indicator in the proximity table. The information in the neighboring table is updated to a neighboring device that is different from the group key and the group key indicator. In step 930, a group key update message is transmitted, and a twisted pair pairing key is encrypted for each of the neighboring devices updated in step 920. 1322608 The more clear flow chart above is shown in Figure 9A. 900A: Receive a group key update message from neighboring Ni. View: set Gkey_new as the received new peak and group residual indicator; 92 (^ determine whether the current group record and address are the same as the receiving group key And the group key indicator, if the result is the same, no further procedure is needed; 930A: otherwise, check each neighboring table group key and group key indicator, update the neighboring table and the directory group key and group record Information with different indicators; 940A: Set GkeyJ as the current entry Nj group key and group key indicator; 945A: Determine whether the current entry Nj is the new group key transmitter; 950A: If the current entry Nj is the new group key The sender updates the entry with Gkey_new and returns to step 930A; 960A: Otherwise, it checks if the new Gkey_new is the same as GkeyJ, and if the result is the same, returns to step 930A; 970A: otherwise, the Nj entry table is updated by Gkey_new; 980A: used The twisted pair pairing key Nj encrypts the new group key; 990A: transmits the encrypted group key update message to Nj ' and returns to step 930A. 20 1322608 A wireless transmission device automatically discovers the neighboring device and completes mutual authentication. The In the line transmission device, a mutual authentication agreement is found. For example, the wireless device A decides to join a wireless transmission network, and when any adjacent wireless transmission device is found, a discovery message is first broadcasted, and any wireless transmission device receives the discovery message. Send a discovery reply message to device A. After a short period of time, device A starts the mutual authentication process for each receiving discovery reply message device. Steps of mutual authentication between device A and device B: 1. Device A generates a random parameter ( CK A) is used as a text message (cookie) message unit. The random parameter can be a 32-bit tuple. The text fragment bearer service includes mutual authentication between the device and the device B. When the cross-pair pairing key is generated, the mutual authentication is completed. The new key is provided. 2. The device A transmits the first greeting message to the device B selected by the text segment message unit. 3. According to receiving the first greeting message, the device B generates a random parameter CK_B as a text segment. Selectively selecting the wireless device B can generate a Diffie-Hellman public key (DH_PubKey_B), and B indicates media access control. The location uses the virtual random parameters and the pre-installed share key to specify the medium access control location. The typical virtual random parameter uses HMAC-MD5 or HMAC-SHA1. We use HMAC-MD5 as the pre-value, and the visa HASH_B is calculated as ············· HASH_B = PRF (pre-shared key network) || Β medium access control address), or if used, HASH_A = PRF (pre-shared key, "mesh network" 丨丨DH_PubKey_B丨| B Media access control address). 4_Device B transmits a second hello message unit CK_B to device A, and selectively transmits DH_PubKey_B followed by HASH_B. 5. Upon receiving the second greeting message, device A verifies the visa of device B by calculating HASH_B using the pre-shared key value of device A. If the visa is not the same, device A transmits a third greeting message CK_A and AUTH_FAILED to device B. If the visa is confirmed, the device A transmits the third greeting message unit CK_A, selects the selective Diffie_Hellman public key (DH-PubKey_A), AUTH_OK and the visa of the visa HASH_A itself, and the visa HASH_A is calculated as follows: HASH_A = PRF (Pre-shared key, "mesh network" ||A media access control address), or if a DH-use, HASH_B = PRF (pre-shared key mesh network) |丨DH-PubKey_A || A Media access control address). If Diffie-Hellman is used, then 8 22 1322608
Diffie-Hellman(DH_Shared_Secret)分享機密在此時計 算。 6. 最後’裝置B接收該第三問候訊息及使用其安裝預 先分享鑰確認該裝置A簽證。當簽證和HASH_A不相同 時,B傳送第四及最後問候訊息單元CK_B和 AUTH_FAILED表示相互認證失敗。若A的簽證是正確 的,裝置B傳送第四及最後問候訊息單元CK_B和 AUTH一OK給裝置A。若Diffie-Hellman被使用,之後一 Diffie-Hellman(DH_Shared_Secret)分享機密在此時計 算。 7. 當裝置A及裝置B相互認證成功之後,一雙絞線配 對密鑰使用下述方式產生: 最小文字片段檔案=min(CK_A,CK_B), 最大文字片段檔案=max(CK_A,CK_B), 最小媒介存取控制=min(A的媒介存取控制位址,b 的媒介存取控制位址), 最大媒介存取控制=max(A的媒介存取控制位址, B的媒介存取控制位址), 雙絞線配對鑰=PRF(預先分享鑰JS配對雙絞線 錄”丨丨最小文字片段檔案丨丨最大文字檔案片段丨| 最小媒介存取控制丨丨最大媒介存取控制),The Diffie-Hellman (DH_Shared_Secret) shared secret is calculated at this time. 6. Finally, Device B receives the third greeting message and uses its installation pre-shared key to confirm the device A visa. When the visa and HASH_A are different, B transmits the fourth and last greeting message units CK_B and AUTH_FAILED to indicate that the mutual authentication fails. If A's visa is correct, device B transmits the fourth and last greeting message units CK_B and AUTH-OK to device A. If Diffie-Hellman is used, then a Diffie-Hellman (DH_Shared_Secret) shared secret is calculated at this time. 7. After device A and device B have successfully authenticated each other, a twisted pair pairing key is generated as follows: minimum text segment file = min (CK_A, CK_B), maximum text segment file = max (CK_A, CK_B), Minimum medium access control = min (A medium access control address, b medium access control address), maximum medium access control = max (A medium access control address, B medium access control Address), twisted pair partner key = PRF (pre-shared key JS paired twisted pair record) 丨丨 minimum text segment file 丨丨 maximum text file segment 丨 | minimum media access control 丨丨 maximum media access control),
23 1322608 或 Diffie-Hellman被使用 雙絞線配對鑰=PRF(預先分享鑰,” JS雙絞線配對 鑰” II最小文字檔案II最大文字檔案||最小媒介 存取控制||最大媒介存取控制||DH_Shared_Seeret); 一旦當裝置A對所有發現鄰近裝置已相互認證後,傳 送安裝要求(configuration request)給認證鄰近裝置。安 裝要求訊息由在每一相互認證之後產生之雙絞線配對 密錄,安裝回覆訊息單元間為由現有網狀網路使用之 群組鑰。 當一無線傳輸裝置連接一無線傳輸網路時,有兩種 不同的方案當作群組鑰安裝,請參考圖11(例1)及圖 12(例2)。 例1 : 在此例子中,該新無線裝置從所有新鄰近接收相同 群組鑰,主因為新鄰近是處於相同無線傳輸網路。 例2 : 在此例子中,該新無線裝置從鄰近接收不同群組 錄,主因為無線傳輸網路分開為一或是多個島樓(指分 隔之區域或隔離區間)。圖13顯示演算法流程,其涵蓋 不同群組鑰,從每一島嶼(分隔之區域)進入一單一群組 鑰。該演算法也服務一群大部分無線傳輸裝置之群組 24 錄會被選為新的群組餘。此結果為-無線傳輸網路 中’演算法有最少群組錄更新訊息需求,該無線裝置 從每-新發現鄰近如Ni(步驟簡)接收一群組餘。也接 收該鄰近裝置連接所列的連接之無線裝置,該裝置將 判斷接收群組餘和鄰近_新群域及指標是否相 同’步驟131G ’結合具有自由相同相鄰裝置所接收之 表列裝置之鄰近群組鑰之每__所列裝置密錄,步驟 1310中’若該群組錄相同時,該裝置比較來自每一相 鄰裝置之所有群組錄,以及合併結合無線裝置相關表 單為進入-單-表列單,之後於步驟1320中該裝置 選擇該有最大關聯的無線裝置群崎成為新群組錄。 4步驟確保最少數目量之群峰更新訊息傳送於傳輸 網路。步驟U30中,當每一鄰近新群組錄不相同於新 所選擇群組鑰時,該無線裝置會傳送一每一鄰近群組 錄更新δίΐ息包含新群組鑰給予不同於新所選擇群組錄 之每一鄰近裝置。 當一無線傳輸裝置自新發現鄰近裝置接收到不同群 組錄及群組錄指標,必須選擇一新群組錄及指標和更 新其他停止的網路中無線傳輸裝置。為了減少群組傳 送無線網路更新訊息的數目,必須選擇大部份無線傳 輸裝置使用之群組鑰及群組鑰指標。此,可以藉由保23 1322608 or Diffie-Hellman is using twisted pair pairing key = PRF (pre-shared key, "JS twisted pair pairing key" II minimum text file II maximum text file | | minimum media access control | | maximum media access control ||DH_Shared_Seeret); Once device A has mutually authenticated all discovered neighbors, a configuration request is sent to the authenticated neighbor. The installation request message is recorded by the twisted pair pairing generated after each mutual authentication, and the installation reply message unit is a group key used by the existing mesh network. When a wireless transmission device is connected to a wireless transmission network, two different schemes are installed as a group key. Please refer to Figure 11 (Example 1) and Figure 12 (Example 2). Example 1: In this example, the new wireless device receives the same group key from all new neighbors, primarily because the new proximity is on the same wireless transmission network. Example 2: In this example, the new wireless device receives different group records from the vicinity, mainly because the wireless transmission network is divided into one or more island buildings (referring to separate areas or isolated areas). Figure 13 shows the algorithm flow, which covers different group keys, entering a single group key from each island (separated area). The algorithm also serves a group of most wireless transmission devices. The recording is selected as the new group. The result is that the algorithm in the wireless transmission network has a minimum group record update message requirement, and the wireless device receives a group from each new discovery neighbor such as Ni (step simplification). And receiving, by the neighboring device, the connected wireless device listed in the connection, the device determining whether the receiving group and the neighboring_new group domain and the indicator are the same 'step 131G' combined with the list device received by the free neighboring device Each device listed in the neighboring group key is occluded, in step 1310, 'If the group records are the same, the device compares all group records from each neighboring device, and merges the wireless device related forms to enter - Single-table list, then in step 1320 the device selects the wireless device group with the greatest association to become a new group record. Step 4 ensures that the minimum number of peak update messages are transmitted to the transport network. In step U30, when each neighboring new group record is not the same as the newly selected group key, the wireless device transmits a neighboring group record update δίΐ, including a new group key to be given to the new selected group. Each adjacent device is grouped. When a wireless transmission device receives a different group record and group record indicator from a newly discovered neighboring device, it must select a new group record and indicator and update the wireless transmission device in other stopped networks. In order to reduce the number of wireless network update messages transmitted by the group, it is necessary to select the group key and group key indicator used by most wireless transmission devices. This can be guaranteed by
25 1322608 持達到維持追蹤群組鑰及其相關接合之無線傳輸裝置 來達成。具有該最大相關之無線傳輸裝置群組鑰及群 組鑰指標能夠被使用當做無線網路中新群組鑰及群組 錄指標。 因此,本發明提供唯一的方式用來產生及散佈該無 線傳輸網路中無線傳輸裝置的群組鑰。 以上所述僅為舉例性,而非為限制性者。任何未脫 離本發明之精神與範疇,而對其進行之等效修改或變 更,均應包含於後附之申請專利範圍中。 【圖式簡單說明】 圖1為無線傳輸網路例子的示意圖; 圖2為本發明流程圖; 圖3為本發明協定標頭及訊息格式包括控制/管理訊框 格式及貧料訊框格式, 圖4為孔隙標頭格式包含24位元組; 圖5為本發明WIT控制訊息格式; 圖6為本發明WIT訊息標頭格式; 圖7為本發明訊息單元格式; 圖8為經由一設計之群組鑰伺服器產生一新群組鑰的 過程; 圖9A、9B為群組鑰伺服器之散佈鑰的流程圖; 26 1322608 圖ίο為無線傳輸裝置發現及相互認證協定; 發現過程中,再一次解決多重群組鑰; 圖11、12為不同群組鑰安裝的情況; 圖13為聚集從每一群組進入一單一群組鑰的不同群組 鑰法則。 【主要元件符號說明】 φ 100邊緣裝置; 110無線傳輸裝置; 120移動用戶端; 140有線網路; 步驟200〜250本發明之流程步驟; ' 步驟800〜840本發明之流程步驟; 步驟900A〜990A本發明之流程步驟; ® 步驟900~930本發明之流程步驟; 步驟1300〜1330本發明之流程步驟。25 1322608 This is achieved by a wireless transmission device that maintains the tracking group key and its associated connections. The wireless transmission device group key and the group key indicator having the largest correlation can be used as a new group key and group record indicator in the wireless network. Accordingly, the present invention provides a unique way to generate and distribute a group key for a wireless transmission device in the wireless transmission network. The above is intended to be illustrative only and not limiting. Any changes or modifications to the spirit and scope of the present invention are intended to be included in the scope of the appended claims. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a schematic diagram of an example of a wireless transmission network; FIG. 2 is a flowchart of the present invention; FIG. 3 is a protocol header and message format including a control/management frame format and a poor frame frame format according to the present invention; 4 is a bit header format including 24 bytes; FIG. 5 is a WIT control message format of the present invention; FIG. 6 is a WIT message header format of the present invention; FIG. 7 is a message unit format of the present invention; The process of generating a new group key by the group key server; FIG. 9A, FIG. 9B are flowcharts of the scatter key of the group key server; 26 1322608 Figure ί is a wireless transmission device discovery and mutual authentication protocol; Resolving multiple group keys at a time; Figures 11 and 12 are the different group key installations; Figure 13 is a different group key rule for aggregating a single group key from each group. [Major component symbol description] φ 100 edge device; 110 wireless transmission device; 120 mobile client; 140 wired network; steps 200 to 250 process steps of the present invention; 'step 800 to 840 process steps of the present invention; step 900A~ 990A Process Steps of the Invention; ® Steps 900-930 Process Steps of the Invention; Steps 1300~1330 Process Steps of the Invention.
2727