WO2009067934A1 - A wapi unicast secret key negotiation method - Google Patents

A wapi unicast secret key negotiation method Download PDF

Info

Publication number
WO2009067934A1
WO2009067934A1 PCT/CN2008/073053 CN2008073053W WO2009067934A1 WO 2009067934 A1 WO2009067934 A1 WO 2009067934A1 CN 2008073053 W CN2008073053 W CN 2008073053W WO 2009067934 A1 WO2009067934 A1 WO 2009067934A1
Authority
WO
WIPO (PCT)
Prior art keywords
key negotiation
unicast
packet
unicast key
entity
Prior art date
Application number
PCT/CN2008/073053
Other languages
English (en)
French (fr)
Inventor
Manxia Tie
Jun Cao
Liaojun Pang
Xiaolong Lai
Zhenhai Huang
Original Assignee
China Iwncomm Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Iwncomm Co., Ltd. filed Critical China Iwncomm Co., Ltd.
Priority to EP08855081A priority Critical patent/EP2214368A1/en
Priority to JP2010533419A priority patent/JP2011504332A/ja
Priority to US12/743,032 priority patent/US20100250941A1/en
Publication of WO2009067934A1 publication Critical patent/WO2009067934A1/zh

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433Key management protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/126Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning

Definitions

  • the present invention relates to the field of information security technologies, and in particular, to a WAPI unicast key negotiation method. Background technique
  • Wired Equivalent Privacy Wired Equivalent Privacy
  • WLAN Wireless Local Area Network
  • WAPI implements authentication and key distribution functions using certificates or pre-shared key authentication and key management protocols.
  • This security mechanism better solves the security problem of WLAN, but since it is designed with more security considerations and does not consider the availability of the protocol too much, its unicast key agreement protocol may suffer from denial of service DoS ( Denial of Service) The problem of attack. This is because the unicast key negotiation request packet in the WAPI unicast key agreement protocol does not take protection measures, and the exposed unicast key negotiation request packet may be used by the attacker.
  • DoS Denial of Service
  • the authenticator entity AE Authenticator Entity
  • ASUE Authentication Supplicant Entity
  • the authentication requester entity ASUE cannot use the same policy. If the authentication requester entity ASUE is configured to be in a full state, that is, only a response of a particular message is expected, it is now considered that the authentication requester entity ASUE receives the unicast key negotiation request packet and issues a unicast key negotiation response packet. If the unicast key negotiation response packet is lost for various reasons, the discriminator entity AE will not get the desired unicast key negotiation response packet, so the discriminator entity AE will re-broadcast the key negotiation request packet after timeout.
  • the authentication requester entity ASUE since the authentication requester entity ASUE only expects to receive the unicast key negotiation acknowledgement packet, the retransmitted unicast key negotiation request packet is discarded, causing the protocol to fail, and the attacker can use this to be preemptively legal.
  • the spoofed unicast key negotiation request packet is sent before the unicast key negotiation request packet, causing the authentication requester entity ASUE to block the protocol. Therefore, during the handshake process, the requester entity ASUE is authenticated. Multiple unicast key negotiation request packets must be allowed to accept to ensure that the protocol can continue, ie the authentication requester entity ASUE must allow multiple handshake instances to run simultaneously.
  • the protocol blocking attack is caused by the weakness of the unicast key negotiation request packet.
  • the authentication requester entity ASUE can store multiple unicast session keys USK (Unicast Session Key) when the protocol is implemented. It is a legal unicast session key, and the rest is a temporary unicast session key. Only the temporary unicast session key is updated when the unicast key negotiation request packet is received, and only the unicast key negotiation confirmation packet with the valid message integrity code MIC (Message Integrity Code) is received. Unicast session key.
  • USK Unicast Session Key
  • the authentication requester entity ASUE must use considerable storage.
  • the space stores all the received Nonce, the locally generated Nonce, and the corresponding temporary unicast session key in the received unicast key negotiation request packet until it completes the handshake and obtains a valid unicast session key.
  • the calculation of the unicast session key is not expensive, it does not cause a CPU exhaustion attack, but if the attacker intentionally increases the transmission frequency of the forged unicast key negotiation request packet, there is a danger that the storage is exhausted. This kind of forgery attack is easy to implement and the damage is serious. A successful attack will make the early efforts of the authentication process impossible.
  • the present invention provides a WAPI unicast key negotiation method for solving the above technical problem existing in the background art, so as to prevent Dos attacks by forging a unicast key to negotiate a request packet.
  • the technical solution is as follows:
  • a WAPI unicast key negotiation method includes:
  • the discriminator entity AE sends a new unicast key negotiation request packet to the authentication requester entity ASUE, the new unicast key negotiation request packet is: added on the originally defined content of the unicast key negotiation request packet a request packet formed by a message integrity code MIC;
  • the authentication requester entity ASUE After the authentication requester entity ASUE receives the unicast key negotiation confirmation packet, performs unicast key negotiation confirmation packet verification, and if the verification is successful, the unicast is successfully completed between the discriminator entity AE and the authentication requester entity ASUE.
  • the key negotiation process negotiates a consistent unicast session key.
  • the content of the originally defined content, the unicast key negotiation response packet, and the unicast key negotiation confirmation packet of the unicast key negotiation request packet are the same as those defined in the standard text of GB 15629.11-2003/XG1-2006, respectively.
  • the verification process of the new unicast key negotiation request packet, the unicast key negotiation response packet, and the unicast key negotiation confirmation packet is the same as the definition in the standard text of GB 15629.11-2003/XG1-2006, respectively.
  • the message integrity code MIC in the step 1) is a hash value calculated by the discriminator entity AE using the negotiated base key BK for all fields preceding the MIC field.
  • the invention adds a message integrity code MIC to the unicast key negotiation request packet of the original WAPI unicast key agreement protocol, so as to prevent the attacker from forging the unicast key negotiation request packet to enhance the security of the protocol.
  • Sexuality and robustness solve the problem of DoS attacks in the unicast key agreement protocol in the current WAPI security mechanism.
  • the present invention is applicable to the security of a WAPI framework method (Access Control method based on Tri-element Peer Authentication) in a specific network such as a wireless local area network or a wireless metropolitan area network. protocol.
  • WAPI framework method Access Control method based on Tri-element Peer Authentication
  • a specific network such as a wireless local area network or a wireless metropolitan area network. protocol.
  • the discriminator entity AE adds the message integrity code MIC to the content of the original definition of the unicast key negotiation request packet, and forms a new unicast key negotiation request packet, and sends it to the authentication requester entity ASUE;
  • the integrity code MIC is a hash value calculated by the discriminator entity AE using all the fields preceding the MIC field using the base key BK (Base Key) negotiated during the authentication phase;
  • the authentication requester entity ASUE After the authentication requester entity ASUE receives the new unicast key negotiation request packet, it performs an inspection. Verify that the MIC is correct. If not, discard the packet directly; if it is correct, perform the original verification. If the verification is successful, respond to the discriminator entity AE with the unicast key negotiation response packet; unicast key The content of the negotiation response packet is the same as the original definition;
  • the original definition and the original verification refer to the definition and verification in the standard text of GB 15629.11-2003/XG1-2006.
  • the discriminator entity AE After the discriminator entity AE receives the unicast key negotiation response packet, performs original verification, and if the verification is successful, responds to the authentication requester entity ASUE with a unicast key negotiation confirmation packet; the unicast key negotiation confirmation packet The content is the same as the original definition;
  • the authentication requester entity AE After the authentication requester entity AE receives the unicast key negotiation confirmation packet, the original verification is performed. If the verification succeeds, the unicast key negotiation process is successfully completed between the discriminator entity AE and the authentication requester entity ASUE. A consistent unicast session key is negotiated.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Description

一种 WAPI单播密钥协商方法
本申请要求于 2007 年 11 月 16 日提交中国专利局、 申请号为 200710019092.8、 发明名称为 "一种 WAPI单播密钥协商方法"的中国专利申请 的优先权, 其全部内容通过引用结合在本申请中。
技术领域
本发明涉及信息安全技术领域, 尤其是一种 WAPI单播密钥协商方法。 背景技术
为了解决无线局域网 WLAN ( Wireless Local Area Network ) 国际标准 ISO/IEC 8802-11中定义的有线等效保密 WEP ( Wired Equivalent Privacy )安全 机制存在的安全漏洞,我国颁布了无线局域网国家标准及其第 1号修改单, 釆 用无线局域网认证与保密基础结构 WAPI ( WLAN Authentication and Privacy Infrastructure )替代 WEP , 解决无线局域网的安全问题。
WAPI利用证书或预共享密钥认证及密钥管理协议实现认证与密钥分发 功能。 该安全机制较好地解决了 WLAN的安全问题, 但由于其在设计时更多 考虑了安全性, 而没有过多考虑协议的可用性, 因此其单播密钥协商协议存在 可能遭受拒绝服务 DoS ( Denial of Service )攻击的问题。 这是由于 WAPI单播 密钥协商协议中单播密钥协商请求分组未釆取保护措施,棵露的单播密钥协商 请求分组可能被攻击者利用。
对于鉴别器实体 AE ( Authenticator Entity ) , 最多与每个鉴别请求者实体 ASUE ( Authentication Supplicant Entity )存在一个握手, 并具有超时重发功能, 但鉴别请求者实体 ASUE却不能釆用同样的策略。 若鉴别请求者实体 ASUE配 置成完全状态的,即仅期望某个特定消息的应答,现考虑鉴别请求者实体 ASUE 接收到单播密钥协商请求分组并发出单播密钥协商响应分组这种情况,若单播 密钥协商响应分组由于各种原因丟失了, 鉴别器实体 AE将得不到期望的单播 密钥协商响应分组, 因此鉴别器实体 AE超时之后会重传单播密钥协商请求分 组, 但由于鉴别请求者实体 ASUE仅期望收到单播密钥协商确认分组, 则会丟 弃该重传的单播密钥协商请求分组, 引起协议失败, 则攻击者利用这一点可以 抢先在合法单播密钥协商请求分组之前发送伪造的单播密钥协商请求分组,造 成鉴别请求者实体 ASUE阻塞协议。因此在握手过程中,鉴别请求者实体 ASUE 必须允许接受多个单播密钥协商请求分组以保证协议能够继续,即鉴别请求者 实体 ASUE必须允许多个握手实例同时运行。
协议阻塞攻击是由于单播密钥协商请求分组的薄弱性造成的,为避免此问 题, 在协议实施时, 鉴别请求者实体 ASUE 可存储多个单播会话密钥 USK ( Unicast Session Key ) , 一个为合法的单播会话密钥, 其余为临时的单播会 话密钥。 收到单播密钥协商请求分组时仅更新临时的单播会话密钥, 只有收到 带有有效消息完整性码 MIC ( Message Integrity Code )的单播密钥协商确认分 组时, 才更新合法的单播会话密钥。 若攻击者发送多个携带不同 Nonce (—次 性随机数)的单播密钥协商请求分组, 为了确保不阻塞合法鉴别器实体 AE的 协议执行,鉴别请求者实体 ASUE必须釆用相当大的存储空间来存储所有收到 的单播密钥协商请求分组中的 Nonce、本地新产生的 Nonce及对应的临时的单 播会话密钥, 直到它完成握手并得到一个合法的单播会话密钥。单播会话密钥 的计算虽然花费不大, 不会造成 CPU耗尽攻击, 但攻击者若有意提高伪造单 播密钥协商请求分组的发送频率, 则存在存储耗尽的危险。这种伪造攻击易于 实施,造成的危害也比较严重, 一次成功的攻击将使得先期的对认证过程的种 种努力化为泡影。
发明内容
本发明为解决背景技术中存在的上述技术问题,而提供一种 WAPI单播密 钥协商方法, 以防止通过伪造单播密钥协商请求分组而进行的 Dos攻击。技术 方案如下:
一种 WAPI单播密钥协商方法, 包括:
1 )鉴别器实体 AE向鉴别请求者实体 ASUE发送新单播密钥协商请求分 组, 所述新单播密钥协商请求分组为: 在单播密钥协商请求分组原有定义的内 容上, 添加消息完整性码 MIC所构成的请求分组;
2 ) 当鉴别请求者实体 ASUE收到新单播密钥协商请求分组后, 验证其中 的 MIC是否正确;
如果否, 则丟弃该分组;
如果是, 则对所述新单播密钥协商请求分组进行验证, 若验证成功, 则向 鉴别器实体 AE发送单播密钥协商响应分组; 3 ) 当鉴别器实体 AE收到单播密钥协商响应分组后, 进行单播密钥协商 响应分组验证,若验证成功,则向鉴别请求者实体 ASUE回应单播密钥协商确 认分组;
4 ) 当鉴别请求者实体 ASUE收到单播密钥协商确认分组后, 进行单播密 钥协商确认分组验证,若验证成功,则鉴别器实体 AE和鉴别请求者实体 ASUE 之间成功完成单播密钥协商过程, 协商出一致的单播会话密钥;
其中, 所述单播密钥协商请求分组原有定义的内容、单播密钥协商响应分 组和单播密钥协商确认分组的内容分别与 GB 15629.11-2003/XG1-2006标准文 本中的定义相同, 所述对新单播密钥协商请求分组、单播密钥协商响应分组和 单播密钥协商确认分组的验证过程分别与 GB 15629.11-2003/XG1-2006标准文 本中的定义相同。
所述步骤 1 )中消息完整性码 MIC为鉴别器实体 AE利用已协商的基密钥 BK对 MIC字段之前的所有字段计算的杂凑值。
本发明通过在原有的 WAPI单播密钥协商协议的单播密钥协商请求分组 的基础上添加消息完整性码 MIC, 防止攻击者对单播密钥协商请求分组的伪 造, 以增强协议的安全性和健壮性, 解决了目前 WAPI安全机制中单播密钥协 商协议存在的 DoS攻击问题。
具体实施方式
本发明适用于 WAPI 框架方法 (基于三元对等鉴别的访问控制方法 TePA-AC ( Access Control method based on Tri-element Peer Authentication ) )在 无线局域网、 无线城域网等具体网络中应用时的安全协议。
本发明的具体方法如下:
1 )鉴别器实体 AE在单播密钥协商请求分组原有定义的内容上, 添加消 息完整性码 MIC, 构成新的单播密钥协商请求分组后, 发送给鉴别请求者实 体 ASUE;其中消息完整性码 MIC为鉴别器实体 AE利用认证阶段已协商的基 密钥 BK ( Base Key )对 MIC字段之前的所有字段计算的杂凑值;
2 ) 当鉴别请求者实体 ASUE收到新的单播密钥协商请求分组后, 进行验 证, 验证其中的 MIC是否正确, 若不正确, 则直接丟弃该分组; 正确则进行 原有验证, 若验证成功, 则向鉴别器实体 AE回应单播密钥协商响应分组; 单 播密钥协商响应分组的内容与原有定义相同;
需要说明的是, 在本说明书中, 所述原有定义和原有验证指的是 GB 15629.11-2003/XG1-2006标准文本中的定义和验证。
3 ) 当鉴别器实体 AE收到单播密钥协商响应分组后, 进行原有验证, 若 验证成功,则向鉴别请求者实体 ASUE回应单播密钥协商确认分组;单播密钥 协商确认分组的内容与原有定义相同;
4 )当鉴别请求者实体 AE收到单播密钥协商确认分组后, 进行原有验证, 若验证成功,则鉴别器实体 AE和鉴别请求者实体 ASUE之间成功完成单播密 钥协商过程, 协商出一致的单播会话密钥。

Claims

权 利 要 求
1、 一种 WAPI单播密钥协商方法, 其特征在于, 该方法包括以下步骤:
1 )鉴别器实体 AE向鉴别请求者实体 ASUE发送新单播密钥协商请求分 组, 所述新单播密钥协商请求分组为: 在单播密钥协商请求分组原有定义的内 容上, 添加消息完整性码 MIC所构成的请求分组;
2 ) 当鉴别请求者实体 ASUE收到新单播密钥协商请求分组后, 验证其中 的 MIC是否正确;
如果否, 则丟弃该分组;
如果是, 则对所述新单播密钥协商请求分组进行验证, 若验证成功, 则向 鉴别器实体 AE发送单播密钥协商响应分组;
3 ) 当鉴别器实体 AE收到单播密钥协商响应分组后, 进行单播密钥协商 响应分组验证,若验证成功,则向鉴别请求者实体 ASUE回应单播密钥协商确 认分组;
4 ) 当鉴别请求者实体 ASUE收到单播密钥协商确认分组后, 进行单播密 钥协商确认分组验证,若验证成功,则鉴别器实体 AE和鉴别请求者实体 ASUE 之间成功完成单播密钥协商过程, 协商出一致的单播会话密钥;
其中, 所述单播密钥协商请求分组原有定义的内容、单播密钥协商响应分 组和单播密钥协商确认分组的内容分别与 GB 15629.11-2003/XG1-2006标准文 本中的定义相同, 所述对新单播密钥协商请求分组、单播密钥协商响应分组和 单播密钥协商确认分组的验证过程分别与 GB 15629.11-2003/XG1-2006标准文 本中的定义相同。
2、 根据权利要求 1所述的 WAPI单播密钥协商方法, 其特征在于, 所述 步骤 1 ) 中消息完整性码 MIC为鉴别器实体 AE利用已协商的基密钥 BK对 MIC字段之前的所有字段计算的杂凑值。
PCT/CN2008/073053 2007-11-16 2008-11-14 A wapi unicast secret key negotiation method WO2009067934A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP08855081A EP2214368A1 (en) 2007-11-16 2008-11-14 A wapi unicast secret key negotiation method
JP2010533419A JP2011504332A (ja) 2007-11-16 2008-11-14 Wapiユニキャストシークレットキー交渉方法
US12/743,032 US20100250941A1 (en) 2007-11-16 2008-11-14 Wapi unicast secret key negotiation method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2007100190928A CN100566240C (zh) 2007-11-16 2007-11-16 一种wapi单播密钥协商方法
CN200710019092.8 2007-11-16

Publications (1)

Publication Number Publication Date
WO2009067934A1 true WO2009067934A1 (en) 2009-06-04

Family

ID=39307479

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/073053 WO2009067934A1 (en) 2007-11-16 2008-11-14 A wapi unicast secret key negotiation method

Country Status (7)

Country Link
US (1) US20100250941A1 (zh)
EP (1) EP2214368A1 (zh)
JP (1) JP2011504332A (zh)
KR (1) KR20100072105A (zh)
CN (1) CN100566240C (zh)
RU (1) RU2448427C2 (zh)
WO (1) WO2009067934A1 (zh)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100566240C (zh) * 2007-11-16 2009-12-02 西安西电捷通无线网络通信有限公司 一种wapi单播密钥协商方法
CN100593936C (zh) 2008-05-09 2010-03-10 西安西电捷通无线网络通信有限公司 一种基于wapi的漫游认证方法
CN101527905A (zh) * 2009-04-08 2009-09-09 刘建 无线局域网鉴别与保密基础结构单播密钥协商方法及系统
CN101557591B (zh) * 2009-05-14 2011-01-26 西安西电捷通无线网络通信股份有限公司 会聚式wlan中由wtp完成wpi时的sta切换方法及其系统
CN102006671B (zh) * 2009-08-31 2014-06-18 中兴通讯股份有限公司 一种实现来电转接的系统及方法
CN101741548B (zh) 2009-12-18 2012-02-01 西安西电捷通无线网络通信股份有限公司 交换设备间安全连接的建立方法及系统
CN101729249B (zh) * 2009-12-21 2011-11-30 西安西电捷通无线网络通信股份有限公司 用户终端之间安全连接的建立方法及系统
CN102131199B (zh) * 2011-03-21 2013-09-11 华为技术有限公司 一种wapi认证方法和接入点
US8806633B2 (en) * 2011-08-22 2014-08-12 Cisco Technology, Inc. Coordinated detection of a grey-hole attack in a communication network
CN118102139B (zh) * 2024-04-24 2024-06-25 云南云电信息通信股份有限公司 一种带ris相控阵的wapi无线设备及其防护机构

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101159543A (zh) * 2007-11-16 2008-04-09 西安西电捷通无线网络通信有限公司 一种wapi单播密钥协商方法

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1181648C (zh) * 2002-09-06 2004-12-22 联想(北京)有限公司 一种网络上设备间自动查找的方法
TWI268083B (en) * 2004-11-17 2006-12-01 Draytek Corp Method used by an access point of a wireless LAN and related apparatus
JP4804454B2 (ja) * 2005-03-04 2011-11-02 パナソニック株式会社 鍵配信制御装置、無線基地局装置および通信システム
CN100358282C (zh) * 2005-03-23 2007-12-26 西安电子科技大学 Wapi认证机制中的密钥协商方法
US20070097934A1 (en) * 2005-11-03 2007-05-03 Jesse Walker Method and system of secured direct link set-up (DLS) for wireless networks
CN100456725C (zh) * 2007-03-15 2009-01-28 北京安拓思科技有限责任公司 用于wapi的获取公钥证书的网络系统和方法

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101159543A (zh) * 2007-11-16 2008-04-09 西安西电捷通无线网络通信有限公司 一种wapi单播密钥协商方法

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GBI5629.II-2003/XGI-2006,27 Jan 2006 pages 1,2,26,33-35 *
ZHANG H.: "Reasearch and Design of Authentication Security Infrastructure ofWLAN", CHINESE DOCTORAL DISSERTATIONS FULL-TEXT DATABASE, 15 May 2007 (2007-05-15), pages 64 - 67 *

Also Published As

Publication number Publication date
EP2214368A1 (en) 2010-08-04
KR20100072105A (ko) 2010-06-29
RU2448427C2 (ru) 2012-04-20
JP2011504332A (ja) 2011-02-03
RU2010123944A (ru) 2011-12-27
US20100250941A1 (en) 2010-09-30
CN100566240C (zh) 2009-12-02
CN101159543A (zh) 2008-04-09

Similar Documents

Publication Publication Date Title
WO2009067934A1 (en) A wapi unicast secret key negotiation method
US8312278B2 (en) Access authentication method applying to IBSS network
He et al. Analysis of the 802.11 i 4-way handshake
JP5414898B2 (ja) 有線lanのセキュリティアクセス制御方法及びそのシステム
KR101258845B1 (ko) Tcp통신을 이용한 정보 저장방법 및 시스템
Mun et al. 3G-WLAN interworking: security analysis and new authentication and key agreement based on EAP-AKA
US7421582B2 (en) Method and apparatus for mutual authentication at handoff in a mobile wireless communication network
WO2010048838A1 (zh) 网络认证方法、客户端请求认证的方法、客户端和装置
JP2009508403A (ja) 準拠性に基づくダイナミックネットワーク接続
WO2011038620A1 (zh) 一种移动通讯网络中的接入认证方法、装置及系统
WO2011022915A1 (zh) 一种基于预共享密钥的网络安全访问控制方法及其系统
WO2011009268A1 (zh) 一种基于wapi的认证系统及方法
WO2011020279A1 (zh) 一种基于公钥证书的身份鉴别方法及其系统
US8705734B2 (en) Method and system for authenticating a mobile terminal in a wireless communication system
WO2023036348A1 (zh) 一种加密通信方法、装置、设备及介质
WO2009067933A1 (fr) Procédé de gestion de clé
Kim et al. Improving Cross-domain Authentication overWireless Local Area Networks
KR20070062199A (ko) 아이디/패스워드를 이용한 사용자 인증 방법
WO2013097598A1 (zh) 一种实体鉴别方法和装置及系统
Yadav et al. Authentication process in ieee 802.11: Current issues and challenges
Roepke et al. A Survey on Protocols securing the Internet of Things: DTLS, IPSec and IEEE 802.11 i
Kim et al. Cross-Domain Mobility-Adaptive Authentication
Kumar et al. Understanding DoS attack on WLAN using IEEE 802.11 i

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08855081

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 12743032

Country of ref document: US

Ref document number: 2010533419

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2008855081

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 20107013120

Country of ref document: KR

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 2010123944

Country of ref document: RU