WO2009103214A1 - A network authentication communication method and a mesh network system - Google Patents


Info

Publication number
WO2009103214A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
identifier
mkd
network
network device
Prior art date
Application number
PCT/CN2008/073615
Other languages
French (fr)
Chinese (zh)
Inventor
樊唱东
莫良耀
冯丹凤
张慧敏
张炜
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2009103214A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless
    • H04L2209/805 Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Definitions

  • The present invention relates to a network authentication communication method and a mesh network system, and more particularly to a method for authenticating a network device in a wireless mesh network and establishing keys for secure communication between devices, and to a mesh network system capable of implementing the method.
  • FIG. 1 is a schematic diagram of the network topology of an existing mesh network.
  • The mesh network includes four kinds of logical network device: the terminal (Station, STA), the Mesh Point (MP), the Mesh Access Point (MAP) and the Mesh Point with a Portal (MPP).
  • STA Terminal
  • MP Mesh Point
  • MAP Mesh Access Point
  • MPP Mesh Point with a Portal
  • The 802.11i standard already provides a mature solution for access authentication and communication security between STAs and APs, so mutual authentication and communication security between the MAP, MP and MPP nodes is the urgent problem to be solved in a mesh network.
  • The main idea of the existing wireless mesh network security framework in 802.11s is to divide the devices of the whole wireless mesh network according to their main logical functions, as shown in FIG. 2, which is a schematic diagram of the logical function division of an existing wireless mesh network.
  • A MAP can be regarded as an 802.11 AP (Access Point) with the functions of an MP logical node added; an MPP can be regarded as a portal with the functions of an MP logical node added.
  • MKD Mesh Key Distributor
  • FIG. 3A shows a mesh key hierarchy diagram of an existing wireless mesh network.
  • MSK denotes the Master Session Key
  • PSK denotes the Pre-Shared Key
  • PMK denotes the Pairwise Master Key
  • MKDK denotes the Mesh Key Distribution Key
  • PTK denotes the Pairwise Transient Key
  • PMK-MKD denotes the PMK shared with the MKD (Mesh Key Distributor PMK)
  • PMK-MA denotes the PMK shared with the MA (Mesh Authenticator PMK)
  • MPTK-KD denotes the Mesh PTK for Key Distribution.
  • Figure 3B shows a flow chart of initial authentication of an existing MP node.
  • Figure 3C shows the security association flow chart after the existing two MP nodes are authenticated.
  • When the existing security mechanism establishes the key hierarchy through authentication, the hierarchy is bound to the MAC address of the radio with which the device is requesting authentication.
  • Each radio has an independent Media Access Control (MAC) address.
  • MAC Media Access Control
  • Each key level is bound to the MAC address of the radio module.
  • In some cases, to increase system capacity, one network device may carry multiple radio modules, several of which work on different channels at the same time. If a network device such as an MP, MAP or MPP device has multiple RF modules, each RF module must establish its own key hierarchy through authentication whenever it establishes a security association with an RF module of another network device. Therefore, a network device with multiple radio modules needs to authenticate repeatedly under the existing security mechanism.
  • The MKD indexes the MKDK by the MAC address obtained in the handshake messages with the MP device, so the MKDK index also corresponds one-to-one to each RF module in the network device. If the network device has multiple radio modules, the security association between each radio and the MKD node must be authenticated separately and a different MKDK established for each. Therefore, a multi-radio device also needs multiple authentications when establishing a security association with the MKD.
  • For the access server (Access Server, hereinafter AS), this may cause confusion in the authentication behaviour and thereby charging problems.
  • An embodiment of the present invention provides a network authentication communication method, including: the network device calculates and records a secondary key and a corresponding key identifier according to the key credential information and the device identifier of the network device;
  • the radio frequency modules in the network device establish a security association with the mesh key distribution node (MKD) according to the key identifier.
  • An embodiment of the present invention provides a mesh network system including an MKD and a network device, where the MKD includes:
  • a first distribution module configured to calculate and record the secondary keys MKDK and PMK-MKD and the corresponding key identifiers MKDKName and PMK-MKDName according to the key credential information and the device identifier of the network device;
  • a second distribution module configured to establish a security association with the network device according to the secondary key obtained by the first distribution module and the corresponding key identifier;
  • and the network device includes:
  • a first device module configured to calculate and record the secondary keys MKDK and PMK-MKD and the corresponding key identifiers MKDKName and PMK-MKDName according to the key credential information and the device identifier of the network device;
  • radio frequency modules configured to establish a security association with the MKD according to the secondary key obtained by the first device module and the corresponding key identifier.
  • An embodiment of the present invention provides a method for providing a key and a key identifier for a multi-radio network device in a mesh network, including:
  • the mesh key distribution node obtains the key credential information and the identifier of the multi-radio network device, and calculates the secondary key and the corresponding key identifier according to the key credential information and the identifier of the multi-radio network device.
  • An embodiment of the present invention provides a mesh key distribution node device, including: a module for obtaining key credential information; and
  • a module for calculating a secondary key and a corresponding key identifier according to the key credential information and the identifier of the multi-radio network device.
  • The calculation of the secondary key is associated only with the device identifier and is not bound to each RF module in the device. Therefore each RF module need not repeat the initial authentication process, and a network device with multiple RF modules can establish security associations with other network devices after only one initial authentication.
  • This eliminates duplicate authentication and improves the efficiency of authentication.
  • FIG. 1 is a schematic diagram of a network topology structure of an existing mesh network
  • FIG. 2 is a schematic diagram of a logical function division structure of an existing wireless mesh network
  • FIG. 3A is a mesh key hierarchy of an existing wireless mesh network.
  • FIG. 3B is a flowchart of initial authentication of an existing MP node;
  • FIG. 3C is a flowchart of security association after initial authentication of two existing MP nodes;
  • FIG. 4 illustrates Embodiment 1 of the network authentication communication method of the present invention;
  • FIG. 5 is a signaling diagram of Embodiment 1 of the network authentication communication method of the present invention;
  • FIG. 6 is the key hierarchy of Embodiment 1 of the network authentication communication method of the present invention;
  • FIG. 7 is a schematic diagram of the frame format of a multi-hop action frame according to Embodiment 1 of the network authentication communication method of the present invention;
  • FIG. 8A is a flowchart of the four-step handshake process according to Embodiment 1 of the network authentication communication method of the present invention;
  • FIG. 8B is a signaling diagram of the four-step handshake process according to Embodiment 1 of the network authentication communication method of the present invention;
  • FIG. 9 is a flowchart of Embodiment 2 of the network authentication communication method of the present invention;
  • FIG. 10 is a schematic diagram of the mesh network system of the present invention.
  • The mesh network includes network devices such as MPs, MAPs and MPPs.
  • The MP supports the routing function for mesh interconnection and, through wireless multi-hop communication, can obtain the same wireless coverage with low transmission power;
  • the MAP has the functions of the MP and of the AP in a traditional WLAN: it provides relay/gateway functions, supports mesh interconnection and provides access for user terminals;
  • the MPP can additionally implement bandwidth management and Layer 2/Layer 3 conversion.
  • In the following, the MP is taken as an example.
  • For the other devices the principles are the same and are not described again.
  • This embodiment provides a network authentication communication method, as shown in FIG. 4, including:
  • Step 101: the authentication server (Authenticating Server, AS for short) performs initial authentication on the MP and returns the key credential information after the authentication passes.
  • The specific process can be completed by steps 3-1 to 3-9 of the signaling flow shown in FIG. 5, which includes the following steps:
  • the MP acts as the Supplicant to access the mesh network, finds among its neighbouring MPs an MP node that has already been authenticated to act as Mesh Authenticator (MA), and initiates an authentication request;
  • MA Mesh Authenticator
  • the MA issues an Extensible Authentication Protocol (EAP) packet (EAP-Packet) to query the identity of the newly accessed MP;
  • EAP Extensible Authentication Protocol
  • the MA node encapsulates the identity information of the MP in an action frame and forwards it to the MKD;
  • the MKD encapsulates the identity information of the MP and sends it to the AS using the Remote Authentication Dial In User Service (RADIUS) or Diameter protocol;
  • the AS selects a pre-registered authentication protocol according to the identity information of the MP and performs mutual authentication with the MP;
  • after the authentication is completed, the AS returns response information based on the authentication result: on failure it returns a failure message (EAP-Failure); on success it returns a success message (EAP-Success) together with the key credential information produced by the authentication, such as the MSK;
  • the MKD encapsulates the authentication result in an action frame and sends it to the MA;
  • the MA forwards the authentication result to the newly accessed MP.
  • Step 102: the MKD and the MP calculate and record the secondary keys PMK-MKD and MKDK, and the key identifiers PMK-MKDName and MKDKName that uniquely identify these secondary keys, according to the MSK obtained in the initial authentication process.
  • The specific calculation can be performed with the following key derivation formulae:
  • PMK-MKD = KDF(MSK, MeshIDlength
  • MKDK = KDF(MSK, MeshIDlength
  • PMK-MKDName = Truncate-128(SHA-256("MKD Key Name"
  • MKDKName = Truncate-128(SHA-256("MKD Key Name"
  • where MKDD-ID denotes the MAC address of the MKD,
  • and MPTKANonce is the random number generated at the time of initial authentication.
  • The network identifier MeshID of the mesh network, the NAS identifier MKD-NAS-ID of the mesh key distribution node (MKD), the domain identifier MKDD-ID of the mesh key distribution node and the multi-radio device identifier SP-ID are concatenated,
  • and the required lengths of the generated key stream are taken as the secondary keys PMK-MKD and MKDK respectively; the fields used to calculate the secondary keys, such as Mesh-ID, MKD-NAS-ID, MKDD-ID and SP-ID, are hashed
  • and a fixed-length part of the hash is taken as the key identifiers PMK-MKDName and MKDKName bound to the secondary keys, which identify the secondary keys PMK-MKD and MKDK respectively.
  • The "Dev_ID" field used in this embodiment identifies the network device, i.e. the MP.
  • The user name (User_Name) in the device authentication information, the primary MAC address identifier of the MP, or the MAC address of the radio module used by the MP for initial authentication may serve as Dev_ID.
  • The MP sends its user name to the AS during the initial authentication process, so the AS obtains the user name of the MP.
  • The primary MAC address is obtained by the AS from the information exchanged with the MP; if the primary MAC address identifier is selected as Dev_ID, the MP must
  • use the radio module with the primary MAC address identifier for authentication during initial authentication.
  • Alternatively, the pre-shared key PSK may be used in place of
  • the MSK in the above key derivation formulae.
  • The PSK is key credential information shared in advance by the MP and the MKD, so there is no need to go through the initial authentication process.
  • The secondary keys PMK-MKD and MKDK generated by the authentication and the corresponding key identifiers PMK-MKDName and MKDKName are associated only with the device information of the MP, regardless of the MAC address of each RF module.
  • The secondary keys are stored and managed by the device management layer of the MP, and each internal RF module of the MP shares the authenticated secondary key information.
  • FIG. 6 shows the corresponding key hierarchy.
  • The PMK-MKD and MKDK calculated from the MSK or PSK belong to the device management layer.
  • The device management layer generates and stores PMK-MKD and MKDK and completes the authentication and
  • the management of the key credentials; PMK-MA, PTK and MPTK-KD, calculated from PMK and MKDK, belong to the RF management layer, which generates and stores each radio's own PMK-MA, PTK and MPTK-KD and manages the session-level keys of each RF module.
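The two-layer derivation of Step 102 and FIG. 6, as an added example written for this page and not the patent's own code: the device management layer feeds the MSK together with MeshID, MKD-NAS-ID, MKDD-ID and Dev_ID into a KDF to obtain PMK-MKD and MKDK, names them with Truncate-128(SHA-256("MKD Key Name" || ...)), and the RF management layer then derives a per-radio PMK-MA from PMK-MKD and the radios' MAC addresses. The counter-mode HMAC-SHA256 KDF, the field encoding, the label strings, the inclusion of MPTKANonce in the key names, and the legacy_device_keys() helper that models the prior-art MAC-bound behaviour are all assumptions; the MSK, identifiers, nonce and MAC addresses are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

def kdf(key: bytes, label: bytes, context: bytes, length: int = 32) -> bytes:
    """Counter-mode HMAC-SHA256 KDF (assumed: the patent names KDF but does not define it)."""
    out = b""
    for counter in range(1, (length + 31) // 32 + 1):
        out += hmac.new(key, counter.to_bytes(2, "little") + label + context, hashlib.sha256).digest()
    return out[:length]

def truncate_128(digest: bytes) -> bytes:
    """Truncate-128: keep the first 128 bits of a SHA-256 digest."""
    return digest[:16]

@dataclass(frozen=True)
class MeshContext:
    """Mesh-wide identifiers that enter every device-layer derivation."""
    mesh_id: bytes      # MeshID
    mkd_nas_id: bytes   # MKD-NAS-ID
    mkdd_id: bytes      # MKDD-ID, the MAC address of the MKD

    def packed(self) -> bytes:
        # assumed encoding: length-prefixed MeshID followed by the fixed-size identifiers
        return bytes([len(self.mesh_id)]) + self.mesh_id + self.mkd_nas_id + self.mkdd_id

def derive_device_keys(msk: bytes, ctx: MeshContext, dev_id: bytes, mptk_a_nonce: bytes) -> dict:
    """Device-management-layer derivation of PMK-MKD, MKDK and their key names.

    Only MSK (or PSK), the mesh identifiers and Dev_ID enter the computation,
    so every RF module of the same device shares one MKDK and one MKDKName.
    """
    context = ctx.packed() + dev_id
    pmk_mkd = kdf(msk, b"PMK-MKD", context)
    mkdk = kdf(msk, b"MKDK", context)
    # key names: Truncate-128(SHA-256("MKD Key Name" || label || context || MPTKANonce)); labels assumed
    pmk_mkd_name = truncate_128(hashlib.sha256(b"MKD Key Name" + b"PMK-MKD" + context + mptk_a_nonce).digest())
    mkdk_name = truncate_128(hashlib.sha256(b"MKD Key Name" + b"MKDK" + context + mptk_a_nonce).digest())
    return {"PMK-MKD": pmk_mkd, "MKDK": mkdk, "PMK-MKDName": pmk_mkd_name, "MKDKName": mkdk_name}

def derive_pmk_ma(pmk_mkd: bytes, local_mac: bytes, peer_mac: bytes) -> bytes:
    """RF-management-layer key: PMK-MA is bound to the MAC addresses of the two radios."""
    return kdf(pmk_mkd, b"PMK-MA", local_mac + peer_mac)

def legacy_device_keys(msk: bytes, ctx: MeshContext, radio_mac: bytes, mptk_a_nonce: bytes) -> dict:
    """Assumed model of the prior art: the authenticating radio's MAC sits in the Dev_ID slot."""
    return derive_device_keys(msk, ctx, radio_mac, mptk_a_nonce)

# constructed sample values
MSK = bytes(range(64))
CTX = MeshContext(mesh_id=b"campus-mesh", mkd_nas_id=b"mkd-nas-1", mkdd_id=bytes.fromhex("02aabbccdd01"))
DEV_ID = b"mp-alpha@example"       # Dev_ID chosen as the User_Name option
NONCE = bytes.fromhex("ab" * 32)   # MPTKANonce from initial authentication
RADIO_A, RADIO_B = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002")
PEER_MAC = bytes.fromhex("02aabbcc0099")

def demo() -> dict:
    """One device-layer derivation serves both radios; the prior art would need two."""
    dev_keys = derive_device_keys(MSK, CTX, DEV_ID, NONCE)   # done once, shared by radio A and B
    legacy_a = legacy_device_keys(MSK, CTX, RADIO_A, NONCE)  # prior art: one hierarchy per radio
    legacy_b = legacy_device_keys(MSK, CTX, RADIO_B, NONCE)
    pmk_ma_a = derive_pmk_ma(dev_keys["PMK-MKD"], RADIO_A, PEER_MAC)  # RF layer: still per radio
    pmk_ma_b = derive_pmk_ma(dev_keys["PMK-MKD"], RADIO_B, PEER_MAC)
    return {
        "mkdk_name_hex": dev_keys["MKDKName"].hex(),
        "legacy_names_differ": legacy_a["MKDKName"] != legacy_b["MKDKName"],
        "per_radio_pmk_ma_differ": pmk_ma_a != pmk_ma_b,
        "names_distinct": dev_keys["PMK-MKDName"] != dev_keys["MKDKName"],
    }
```

The point of the split is visible in `demo()`: the device-layer keys and names are computed once from Dev_ID and handed to every radio, whereas the prior-art model yields a different MKDKName for each radio MAC and therefore a separate authentication per radio. Per-radio session material (PMK-MA here) still differs, because MAC binding is kept where it belongs, in the RF management layer.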
  • Step 103: each radio frequency module in the MP establishes security associations with other devices and with the MKD.
  • The session key information PMK-MA, PTK, MPTK-KD, etc. generated when a security association is established is maintained independently by each radio frequency module.
  • Establishing a security association with other devices is consistent with the existing solution and mainly includes the following steps of FIG. 3C:
  • the MP node uses a Peer Link Open frame to inform the other party that an existing PMK-MA can be used for the session connection and that the key identifier of the upper-layer key PMK-MKD corresponding to that key
  • is PMK-MKDName; the two parties then negotiate which PMK-MA to use according to the key agreement rule in the 802.11s draft;
  • the MKD obtains the corresponding key PMK-MKD according to the PMK-MKDName provided in the key request of MP2, generates PMK-MA1 according to the MAC addresses of the radio frequency modules used by the two parties, and returns it in a key response
  • message to MP2;
  • MP1 and MP2 confirm the negotiated PMK-MA key and establish a secure link; thereafter a security association can be established through the association process.
  • When the MP establishes a security association with the MKD, the four-step handshake process described below can be employed.
  • A multi-hop action frame can be used for transmission; its frame format is as shown in FIG. 7.
  • The MKD may communicate simultaneously with
  • multiple network devices, so a key identifier field is added to the Key Holder Security element to carry the MKDK's key identifier MKDKName.
  • The key identifier MKDKName in that field is used to find the MKDK corresponding to a particular network device.
  • The mesh identifier Mesh ID in the multi-hop action frame denotes the identifier of a mesh network.
  • The flowchart of the four-step handshake process is shown in FIG. 8A,
  • and the signaling diagram in FIG. 8B; the process includes: Step 110:
  • the MP sets the handshake sequence field "HandShakeSequence" in the first handshake message to 1; in the "MA-ID" field it fills in the MAC address of the RF module of the MP that wants to establish a security association with the MKD; in the "MKD-ID" field it fills in the MAC address of the MKD; in the "MANonce" field it fills in a random number generated by the MP;
  • and in the key identifier field it fills in the identifier MKDKName of the generated MKDK key.
  • Step 111: after receiving the first handshake message, the MKD generates a random number for the "MKDNonce" field, obtains the secondary key MKDK corresponding to the MP by indexing with the key identifier MKDKName, calculates the session key information MPTK-KD from MA-Nonce, MKD-Nonce, MA-ID, MKD-ID, etc., calculates the MIC, sets "HandShakeSequence" to 2 in the second handshake message, fills in MA-Nonce, MKD-Nonce, MA-ID, MKD-ID, MKDKName, the Message Integrity Check (MIC) and other information, and sends it to the MP.
  • Step 112: after receiving the second handshake message, the MP checks the consistency of MKDKName, MA-ID, MKD-ID and MA-Nonce, calculates MPTK-KD from the MKD-Nonce generated by the MKD, and checks the MIC; if verification succeeds, it returns the third handshake message, containing MA-Nonce, MKD-Nonce, MA-ID, MKD-ID, MKDKName, MIC, etc., to the MKD;
  • Step 113: the MKD likewise performs a session parameter consistency check and a MIC check on the third handshake message; after the verification passes, it sends the fourth handshake message to confirm the third handshake message.
  • Step 201: when the AS performs initial authentication on the MP, the MP sends the MAC addresses of all its radio frequency modules as identity information to the MKD.
  • Step 202: the MKD associates the received MAC addresses with the device identifier of the MP.
  • Step 203: the MKD and the MP calculate and record the secondary keys and the corresponding key identifiers according to the obtained MSK. Specifically, the user name of the MP, the primary MAC address identifier of the MP, or the MAC address identifier of the radio module that was initially authenticated in the MP may be used as the Dev_ID field in the key derivation formula. See step 102 for the specific key derivation formula.
  • Step 204: after the calculation of the secondary keys is completed, security associations are also established. Specifically, the MP establishes security associations with other MPs, the specific process being consistent with the prior art; for details refer to FIG. 3C and the related description, which are not repeated here. In addition, when each radio module in the MP establishes a security association with the MKD, the four-step handshake process described in step 105 can still be used.
  • In this case the key identifier MKDKName is not needed in the multi-hop action frame to index the secondary key MKDK; instead, the MKDK corresponding to the MP is found through the MAC address associated with the MP in the MKD and the device identifier of the MP, and the security association with the radio module is then established according to that MKDK.
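The four-step handshake of steps 110 to 113, together with the two ways the MKD can locate the MKDK (by MKDKName carried in message 1 in Embodiment 1, or by the radio MAC that step 202 associated with the device identifier in Embodiment 2), as an added example written for this page and not the patent's own code. Both sides run in one process; the HMAC-SHA256 derivation of MPTK-KD, the MIC construction and field serialisation, the representation of messages as dictionaries, and all MAC addresses, identifiers and key values are constructed assumptions. Each Radio object stands for one RF module of an MP, and every radio of the same device is given the same device-layer MKDK.

```python
import hashlib
import hmac
import secrets

# session parameters covered by the MIC, in the order they are serialised (assumed layout)
MIC_FIELDS = ("MA-ID", "MKD-ID", "MANonce", "MKDNonce", "MKDKName")

def derive_mptk_kd(mkdk: bytes, msg: dict) -> bytes:
    """MPTK-KD from MA-Nonce, MKD-Nonce, MA-ID and MKD-ID (step 111); HMAC-SHA256 KDF assumed."""
    ctx = msg["MANonce"] + msg["MKDNonce"] + msg["MA-ID"] + msg["MKD-ID"]
    return hmac.new(mkdk, b"MPTK-KD" + ctx, hashlib.sha256).digest()

def compute_mic(mptk_kd: bytes, msg: dict) -> bytes:
    # 128-bit MIC over the sequence number and the session parameters of one message
    body = bytes([msg["HandShakeSequence"]]) + b"".join(msg.get(f) or b"" for f in MIC_FIELDS)
    return hmac.new(mptk_kd, body, hashlib.sha256).digest()[:16]

def params_match(a: dict, b: dict) -> bool:
    # session parameter consistency check performed by both sides (steps 112 and 113)
    return all(a.get(f) == b.get(f) for f in MIC_FIELDS)

def mic_ok(mptk_kd: bytes, msg: dict, seq: int) -> bool:
    return msg["HandShakeSequence"] == seq and hmac.compare_digest(msg["MIC"], compute_mic(mptk_kd, msg))

class MKD:
    def __init__(self, mkd_id: bytes):
        self.mkd_id = mkd_id
        self.mkdk_by_name = {}  # MKDKName -> MKDK (Embodiment 1 index)
        self.dev_by_mac = {}    # radio MAC -> Dev_ID (Embodiment 2 association, step 202)
        self.mkdk_by_dev = {}   # Dev_ID -> MKDK
        self.sessions = {}      # MA-ID -> (MPTK-KD, second handshake message)

    def register(self, dev_id: bytes, mkdk: bytes, mkdk_name: bytes, radio_macs) -> None:
        self.mkdk_by_name[mkdk_name] = mkdk
        self.mkdk_by_dev[dev_id] = mkdk
        for mac in radio_macs:
            self.dev_by_mac[mac] = dev_id

    def handle_msg1(self, msg1: dict):
        name = msg1.get("MKDKName")  # Embodiment 1: index by key name; Embodiment 2: via the radio MAC
        mkdk = self.mkdk_by_name.get(name) if name else self.mkdk_by_dev.get(self.dev_by_mac.get(msg1["MA-ID"]))
        if msg1["HandShakeSequence"] != 1 or msg1["MKD-ID"] != self.mkd_id or mkdk is None:
            return None  # unknown device or wrong MKD: no secondary key to derive from
        msg2 = dict(msg1, HandShakeSequence=2, MKDNonce=secrets.token_bytes(32))
        mptk_kd = derive_mptk_kd(mkdk, msg2)
        msg2["MIC"] = compute_mic(mptk_kd, msg2)
        self.sessions[msg1["MA-ID"]] = (mptk_kd, msg2)
        return msg2

    def handle_msg3(self, msg3: dict):
        mptk_kd, msg2 = self.sessions.get(msg3["MA-ID"], (None, None))
        if mptk_kd is None or not params_match(msg3, msg2) or not mic_ok(mptk_kd, msg3, 3):
            return None
        msg4 = dict(msg3, HandShakeSequence=4)
        msg4["MIC"] = compute_mic(mptk_kd, msg4)
        return msg4

class Radio:
    def __init__(self, ma_id: bytes, mkdk: bytes, mkdk_name: bytes = None):
        self.ma_id, self.mkdk, self.mkdk_name, self.msg1, self.mptk_kd = ma_id, mkdk, mkdk_name, None, None

    def build_msg1(self, mkd_id: bytes) -> dict:
        self.msg1 = {"HandShakeSequence": 1, "MA-ID": self.ma_id, "MKD-ID": mkd_id,
                     "MANonce": secrets.token_bytes(32), "MKDKName": self.mkdk_name}
        return self.msg1

    def handle_msg2(self, msg2: dict):
        expected = dict(self.msg1, MKDNonce=msg2.get("MKDNonce"))  # MKD-Nonce is new in message 2
        mptk_kd = derive_mptk_kd(self.mkdk, msg2)
        if not params_match(msg2, expected) or not mic_ok(mptk_kd, msg2, 2):
            return None
        self.mptk_kd = mptk_kd
        msg3 = dict(msg2, HandShakeSequence=3)
        msg3["MIC"] = compute_mic(mptk_kd, msg3)
        return msg3

def run_handshake(radio: Radio, mkd: MKD) -> bool:
    msg2 = mkd.handle_msg1(radio.build_msg1(mkd.mkd_id))
    msg3 = radio.handle_msg2(msg2) if msg2 else None
    msg4 = mkd.handle_msg3(msg3) if msg3 else None
    return msg4 is not None and mic_ok(radio.mptk_kd, msg4, 4)

# constructed sample values
MKD_ID, DEV_ID, MKDK = bytes.fromhex("02aabbccdd01"), b"mp-alpha@example", bytes(range(32))
MKDK_NAME = hashlib.sha256(b"MKD Key Name" + DEV_ID).digest()[:16]
RADIO_A, RADIO_B = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002")

def demo() -> dict:
    mkd = MKD(MKD_ID)
    mkd.register(DEV_ID, MKDK, MKDK_NAME, [RADIO_A, RADIO_B])
    radio_a = Radio(RADIO_A, MKDK, MKDK_NAME)  # Embodiment 1: message 1 carries MKDKName
    radio_b = Radio(RADIO_B, MKDK)             # Embodiment 2: MKD maps its MAC to the device
    return {
        "radio_a_ok": run_handshake(radio_a, mkd),
        "radio_b_ok": run_handshake(radio_b, mkd),
        "distinct_session_keys": radio_a.mptk_kd != radio_b.mptk_kd,
        "unknown_name_rejected": not run_handshake(Radio(RADIO_A, MKDK, b"\x00" * 16), mkd),
        "wrong_mkdk_rejected": not run_handshake(Radio(RADIO_A, bytes(32), MKDK_NAME), mkd),
    }
```

Two radios of one device complete the handshake against a single registered MKDK and still end up with distinct MPTK-KD values, since the nonces and MA-ID enter the derivation. A message 1 carrying an MKDKName the MKD has never recorded is dropped before any key is derived, and a radio that holds the wrong MKDK fails the MIC check on message 2, so the failure is detected on the supplicant side before message 3 is sent.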
  • The mesh network system includes an MKD 10 and a network device 20, where the network device 20 may be an MP, MAP or MPP. Its working principle is as follows:
  • the first distribution module 11 in the MKD 10 and the first device module 21 in the network device 20 calculate and record the secondary keys MKDK and PMK-MKD and the corresponding key identifiers MKDKName and PMK-MKDName according to the key credential information and the device identifier of the network device 20. Here, the calculation in both the MKD 10 and the network device 20 can use
  • the PSK shared in advance.
  • An AS 30 may further be provided. Before the secondary keys are calculated, the first authentication module 31 in the AS 30 performs initial authentication on the network device 20,
  • after which the network device 20 and the AS 30 each generate the corresponding MSK; and the second authentication module 32 in the AS 30
  • sends the MSK generated after the authentication by the first authentication module 31 to the MKD 10 as key credential information.
  • The first distribution module 11 in the MKD 10 and the first device module 21 in the network device 20 then calculate, according to their respective MSK and the device identifier of the network device 20,
  • the two secondary keys PMK-MKD and MKDK, establishing the key hierarchy between the network device 20 and the MKD 10.
  • For the specific key derivation formula refer to method embodiment 1.
  • Security associations are also established.
  • The network device 20 is required to establish security associations with other network devices, the specific process being consistent with the prior art; for details refer to FIG. 3C and the related description, which are not repeated here.
  • The network device 20 is also required to establish a security association with the MKD 10;
  • the security association is established as follows:
  • the second distribution module 12 in the MKD 10 establishes a security association with the network device 20 according to the secondary key obtained by the first distribution module 11 and the corresponding key identifier.
  • The network device 20 is further provided with multiple radio frequency
  • modules, represented in FIG. 10 by the radio frequency module 22.
  • The radio frequency module 22 is configured to establish a security association with the MKD 10 according to the secondary key obtained by the first device module 21 and the corresponding key identifier.
  • By re-dividing the calculation of the key hierarchy, the calculation of the secondary keys is related only to the device identifier and is not bound to each radio module in the device, so that each RF module need not repeat the initial authentication process, and a network device with multiple RF modules can establish security associations with other network devices after a single initial authentication. This eliminates duplicate authentication and improves the efficiency of authentication.

Abstract

A network authentication communication method and a mesh network system, in which the method includes: the network equipment computes and records the secondary key and the corresponding key identification according to the key credential information and the equipment identification of the network equipment; the Radio Frequency (RF) module in the network equipment establishes a security association with the Mesh Key Distributor (MKD) according to the key identification. The system includes an MKD and network equipment. By applying the invention, because the computing process of the key hierarchy is divided afresh, the computing process of the secondary key is associated only with the equipment identification rather than being bound to each RF module of the equipment. Therefore, the initial authentication process need not be repeated by every RF module, and a security association can be established between network equipment that has multiple RF modules and other network equipment through only one initial authentication. Repeated authentication is avoided, and the efficiency of authentication is enhanced.

Description

Network authentication communication method and mesh network system
Technical field
The present invention relates to a network authentication communication method and a mesh network system, and more particularly to a method for authenticating network devices in a wireless mesh network and establishing keys for secure communication between devices, and to a mesh network system capable of implementing the method.
Background
A mesh network (also called a Mesh network) is a new type of wireless network technology in which every node can send and receive signals and communicate directly with one or more peer nodes. Network nodes are connected to neighbouring nodes in a wireless multi-hop manner, which can greatly increase the coverage of the wireless system. FIG. 1 is a schematic diagram of the network topology of an existing mesh network. The mesh network includes four kinds of logical network device: the terminal (Station, STA), the Mesh Point (MP), the Mesh Access Point (MAP) and the Mesh Point with a Portal (MPP). To prevent access by illegitimate devices and eavesdropping on communication, a secure access authentication and private communication mechanism is constructed.
In a mesh network, the 802.11i standard already provides a mature solution for access authentication and communication security between STAs and APs, so mutual authentication and communication security between the MAP, MP and MPP nodes is the urgent problem to be solved. The main idea of the existing wireless mesh network security framework in 802.11s is to divide the devices of the whole wireless mesh network according to their main logical functions, as shown in FIG. 2, a schematic diagram of the logical function division of an existing wireless mesh network. A MAP can be regarded as an 802.11 AP (Access Point) with the functions of an MP logical node added; an MPP can be regarded as a portal with the functions of an MP logical node added. Therefore, the security of a wireless mesh network comes down to mutual authentication and secure communication between MP logical nodes. Specifically, a logical node called the Mesh Key Distributor (MKD) is added to the wireless mesh network to authenticate each node and to provide the mesh devices in the mesh network with the master keys for communicating with each other.
The security mechanism used when the MKD authenticates network devices mainly includes three parts: the key hierarchy, initial authentication and the security association after authentication. FIG. 3A shows the mesh key hierarchy of an existing wireless mesh network, where MSK denotes the Master Session Key, PSK the Pre-Shared Key, PMK the Pairwise Master Key, MKDK the Mesh Key Distribution Key, PTK the Pairwise Transient Key, PMK-MKD the pairwise master key shared with the MKD (Mesh Key Distributor PMK), PMK-MA the PMK shared with the MA (Mesh Authenticator PMK) and MPTK-KD the temporary pairwise key used for key distribution (Mesh PTK for Key Distribution). FIG. 3B is a flowchart of the initial authentication of an existing MP node. FIG. 3C is a flowchart of the security association between two existing MP nodes after authentication.
When establishing the key hierarchy through authentication, the existing security mechanism binds it to the MAC address of the radio with which the device is requesting authentication; when an MP device has multiple radios, each radio has its own independent Media Access Control (MAC) address. In this situation, the above security mechanism has the following problems:
1. Repeated authentication of network devices.
Because the existing process of authenticating a network device is combined with key distribution, the key hierarchy is established through authentication. Each key level, however, is bound to the MAC address of a radio module, and in some cases, to increase system capacity, one network device may carry multiple radio modules working on different channels at the same time. If a network device such as an MP, MAP or MPP device has multiple radio modules, each radio module has to establish its own key hierarchy through authentication when it establishes a security association with a radio module of another network device. Therefore, a network device with multiple radio modules needs to authenticate repeatedly under the existing security mechanism.
2. Repeated authentication when a network device establishes a security association with the MKD node.
In the existing security mechanism, when a network device associates with the MKD node, the MKD indexes the MKDK by the MAC address obtained in the handshake messages with the MP device, so the MKDK index corresponds one-to-one to each radio module in the network device. If the network device has multiple radio modules, the security association between each radio and the MKD node must be authenticated separately and a different MKDK established for each. Therefore, a multi-radio device also needs multiple authentications when establishing a security association with the MKD.
另外, 在上述的重复多次认证过程中, 当每个射频模块都重复进行认证 时, 在接入服务器(Acces s Server,以下简称: AS)上, 会造成认证行为的混 乱, 从而导致计费的混乱。 发明内容  In addition, in the above-mentioned repeated multiple authentication process, when each radio frequency module is repeatedly authenticated, the access server (Acces s Server, hereinafter referred to as AS) may cause confusion of authentication behavior, thereby causing charging. pickle. Summary of the invention
A method is provided that allows a network device with multiple radio modules to use the security mechanism for authentication and key management, so that the network device needs only one initial authentication to establish security associations with other network devices and with the MKD node.
One embodiment of the present invention provides a network authentication communication method, which includes: a network device calculating and recording, according to key credential information and the device identifier of the network device, a secondary key and a corresponding key identifier;
a radio module in the network device establishing a security association with the mesh key distributor MKD according to the key identifier.
One embodiment of the present invention provides a mesh network system that includes an MKD and a network device, where the MKD includes:
a first distribution module, configured to calculate and record, according to key credential information and the device identifier of the network device, the secondary keys MKDK and PMK-MKD and the corresponding key identifiers MKDKName and PMK-MKDName;
a second distribution module, configured to establish a security association with the network device according to the secondary keys and corresponding key identifiers obtained by the first distribution module;
and the network device includes:
a first device module, configured to calculate and record, according to key credential information and the device identifier of the network device, the secondary keys MKDK and PMK-MKD and the corresponding key identifiers MKDKName and PMK-MKDName;
and a plurality of radio modules, configured to establish security associations with the MKD according to the secondary keys and corresponding key identifiers obtained by the first device module.
One embodiment of the present invention provides a method for providing a key and a key identifier for a multi-radio network device in a mesh network, which includes:
the mesh key distributor obtaining key credential information and the identifier of the multi-radio network device; and calculating a secondary key and a corresponding key identifier according to the key credential information and the identifier of the multi-radio network device.
One embodiment of the present invention provides a mesh key distributor device, which includes: a module for obtaining key credential information; and
a module for calculating a secondary key and a corresponding key identifier according to the key credential information and the identifier of the multi-radio network device.
Because the calculation of the key hierarchy has been re-partitioned so that the calculation of the secondary keys depends only on the device identifier and is not bound to the individual radio modules in the device, the radio modules do not need to repeat the initial authentication process: a network device with multiple radio modules can establish security associations with other network devices after a single initial authentication. Repeated authentication is thus avoided and authentication efficiency is improved.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a schematic diagram of the network topology of an existing mesh network;
Figure 2 is a schematic diagram of the logical function division of an existing wireless mesh network;
Figure 3A is the mesh key hierarchy of an existing wireless mesh network;
Figure 3B is a flow chart of the initial authentication of an existing MP node;
Figure 3C is a flow chart of the security association between two existing MP nodes after initial authentication;
Figure 4 is a flow chart of the network authentication communication method of Method Embodiment 1 of the present invention;
Figure 5 is a signaling diagram of the network authentication communication method of Method Embodiment 1 of the present invention;
Figure 6 is a schematic diagram of the key hierarchy of Method Embodiment 1 of the present invention;
Figure 7 is a schematic diagram of the frame format of the multi-hop action frame of Method Embodiment 1 of the present invention;
Figure 8A is a flow chart of the four-step handshake of Method Embodiment 1 of the present invention;
Figure 8B is a signaling diagram of the four-step handshake of Method Embodiment 1 of the present invention;
Figure 9 is a flow chart of Method Embodiment 2 of the network authentication communication method of the present invention;
Figure 10 is a schematic structural diagram of the mesh network system of the present invention.
DETAILED DESCRIPTION
It should first be noted that a mesh network includes network devices such as MPs, MAPs and MPPs. An MP supports the routing function of mesh network interconnection and, through wireless multi-hop communication, obtains the same wireless coverage with lower transmit power; a MAP has the functions of an MP plus those of an AP in a conventional WLAN, providing relay/gateway functions, supporting mesh interconnection and providing access for user terminals; an MPP, besides security functions and user roaming, can also perform bandwidth management to implement the conversion between Layer 2 and Layer 3. For ease of description, the following embodiments of the present invention take the MP as the example; the principle is the same for other network devices such as MAPs and MPPs and is not repeated.
Method Embodiment 1
This embodiment provides a network authentication communication method which, as shown in Figure 4, includes:
Step 101: the Authentication Server (AS) performs initial authentication of the MP and, if authentication succeeds, returns key credential information. This can be done with steps 3-1 to 3-9 of the flow shown in the signaling diagram of Figure 5, as follows:
3-1) The MP, acting as the supplicant, joins the mesh network, looks among its neighbouring MPs for an MP node that advertises itself as already authenticated to act as the Mesh Authenticator (MA), and initiates an authentication request;
3-2) The MA sends an Extensible Authentication Protocol (EAP) packet (EAP-Packet) asking the newly joined MP for its identity;
3-3) The MP responds to the MA with its identity (EAP-Response/Identity);
3-4) The MA node encapsulates the MP's identity information in an action frame and forwards it to the MKD;
3-5) The MKD encapsulates the MP's identity information in the Remote Authentication Dial In User Service (RADIUS) or Diameter protocol and sends it to the AS;
3-6) Based on the MP's identity information, the AS selects the pre-registered authentication protocol and performs mutual authentication with the MP;
3-7) After authentication completes, the AS returns a response according to the result: on failure it returns a failure message (EAP-Failure); on success it returns a success message (EAP-Success) together with the post-authentication key credential information, such as the MSK.
3-8) The MKD encapsulates the authentication result in an action frame and sends it to the MA;
3-9) The MA forwards the authentication result to the newly joined MP.
Step 102: using the MSK obtained during initial authentication, the MKD and the MP calculate and record the secondary keys PMK-MKD and MKDK and the key identifiers PMK-MKDName and MKDKName that uniquely identify them.
Specifically, the following key derivation formulas can be used:
PMK-MKD = KDF(MSK, MeshIDlength || MeshID || NASIDlength || MKD-NAS-ID || MKDD-ID || Dev-ID || MPTKANonce)
MKDK = KDF(MSK, MeshIDlength || MeshID || NASIDlength || MKD-NAS-ID || MKDD-ID || Dev-ID || MPTKANonce)
PMK-MKDName = Truncate-128(SHA-256("MKD Key Name" || MeshIDlength || MeshID || NASIDlength || MKD-NAS-ID || MKDD-ID || Dev-ID || MPTKANonce))
MKDKName = Truncate-128(SHA-256("MKD Key Name" || MeshIDlength || MeshID || NASIDlength || MKD-NAS-ID || MKDD-ID || Dev-ID || MPTKANonce))
Here "||" denotes field concatenation, MKDD-ID is the MAC address of the MKD, and MPTKANonce is a random number generated during initial authentication. The mesh network identifier MeshID, the NAS identifier MKD-NAS-ID of the mesh key distributor (MKD), the domain identifier MKDD-ID of the mesh key distributor and the multi-radio device identifier SP-ID are concatenated and hashed together with the key credential information; the leading part of the resulting bit stream, of the required length, is taken as the secondary key PMK-MKD or MKDK. The fields used to calculate the secondary keys, such as Mesh-ID, MKD-NAS-ID, MKDD-ID and SP-ID, are likewise hashed, and a fixed-length portion is taken as the key identifier bound to the corresponding secondary key: PMK-MKDName identifies PMK-MKD and MKDKName identifies MKDK.
The Dev-ID field used in this embodiment identifies one network device (an MP). It may be the user name (User-Name) from the device's authentication information, the primary MAC address of the MP, or the MAC address of the radio module in the MP through which initial authentication was performed. The MP sends its user name to the AS during the initial authentication described above, so the AS learns the MP's user name; the primary MAC address is obtained by the AS from the information exchanged with the MP, so if the primary MAC address is chosen as the identifier, the MP must perform its initial authentication through the radio module that carries that primary MAC address.
It should be noted that, when the MKD and the MP calculate the secondary keys and their key identifiers, instead of the MSK obtained from initial authentication they may use a PSK that they already share, substituting it for the MSK in the derivation formulas above. Because the PSK is key credential information already shared between the MP and the MKD, it does not need to be conveyed through the initial authentication process.
By using the device identifier field, whichever radio module interface the MP authenticates through, the secondary keys PMK-MKD and MKDK and the corresponding key identifiers PMK-MKDName and MKDKName produced by authentication are associated only with the MP's device information and are independent of the MAC address of any individual radio module. The secondary keys are stored and managed by the MP's device management layer, and all radio modules inside the MP share the authenticated secondary key information. Figure 6 shows the corresponding key hierarchy: PMK-MKD and MKDK, calculated from the MSK or PSK, belong to the device management layer, which generates and stores them and manages the authentication key credentials; PMK-MA, PTK and MPTK-KD, calculated from the PMK and the MKDK, belong to the radio management layer, which generates and stores its own PMK-MA, PTK and MPTK-KD and manages the session-level keys of each radio.
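The derivation of Step 102, written out as an added example; this is not code from the patent or from any 802.11s implementation. It follows the formulas above with these assumptions: the KDF, which the page does not specify, is counter-mode HMAC-SHA256 keyed with the MSK; the page writes the same expression for both secondary keys and for both key identifiers, so distinct label strings are prefixed to keep PMK-MKD apart from MKDK and PMK-MKDName apart from MKDKName; the per-link PMK-MA derivation is a stand-in, since the page names only its inputs; and all identifiers, nonces and MAC addresses are constructed sample values. Running it shows the point of this section: the two radios of one MP share the device-level keys, while the prior-art binding, reproduced by placing the radio's MAC address in the Dev-ID slot, gives each radio a different MKDK.

```python
import hashlib
import hmac


def kdf(key: bytes, context: bytes, length: int) -> bytes:
    """Assumed KDF (the page does not specify one): counter-mode HMAC-SHA256."""
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(key, bytes([counter]) + context, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def truncate_128(digest: bytes) -> bytes:
    """Truncate-128: keep the first 128 bits (16 bytes) of the hash output."""
    return digest[:16]


def key_context(mesh_id, mkd_nas_id, mkdd_id, dev_id, mptk_anonce):
    """MeshIDlength || MeshID || NASIDlength || MKD-NAS-ID || MKDD-ID || Dev-ID || MPTKANonce."""
    return (bytes([len(mesh_id)]) + mesh_id
            + bytes([len(mkd_nas_id)]) + mkd_nas_id
            + mkdd_id + dev_id + mptk_anonce)


def derive_secondary_keys(msk, mesh_id, mkd_nas_id, mkdd_id, dev_id, mptk_anonce):
    """Device-management-layer keys of Step 102. Only Dev-ID enters the context;
    no per-radio MAC address does, so every radio of the device shares the result."""
    ctx = key_context(mesh_id, mkd_nas_id, mkdd_id, dev_id, mptk_anonce)
    # The page writes the same expression for both keys and both names; the distinct
    # label strings below are an assumption so the two keys and two names never collide.
    return {
        "PMK-MKD": kdf(msk, b"PMK-MKD" + ctx, 32),
        "MKDK": kdf(msk, b"MKDK" + ctx, 32),
        "PMK-MKDName": truncate_128(hashlib.sha256(b"MKD Key Name" + ctx).digest()),
        "MKDKName": truncate_128(hashlib.sha256(b"MKDK Name" + ctx).digest()),
    }


def derive_pmk_ma(pmk_mkd, local_mac, peer_mac):
    """Radio-management-layer key (Step 2-4): PMK-MA bound to the two radios' MAC
    addresses. The exact derivation is assumed; the page names only its inputs."""
    return kdf(pmk_mkd, b"PMK-MA" + local_mac + peer_mac, 32)


def demo_key_hierarchy():
    """Constructed sample values for one MP with two radios."""
    msk = bytes(range(64))                             # MSK returned by the AS
    mesh_id, mkd_nas_id = b"campus-mesh", b"mkd.example"
    mkdd_id = bytes.fromhex("02aabbccdd01")            # MKD MAC address
    dev_id = b"mp17@example"                           # User-Name chosen as Dev-ID
    anonce = bytes.fromhex("5a" * 32)                  # MPTKANonce from initial authentication
    radio_a, radio_b = bytes.fromhex("02aabbccdd10"), bytes.fromhex("02aabbccdd11")
    peer = bytes.fromhex("02aabbccdd20")               # a radio on a neighbouring MP

    dev = derive_secondary_keys(msk, mesh_id, mkd_nas_id, mkdd_id, dev_id, anonce)
    # Both radios use the one device-level PMK-MKD, yet get their own PMK-MA per link.
    pmk_ma_a = derive_pmk_ma(dev["PMK-MKD"], radio_a, peer)
    pmk_ma_b = derive_pmk_ma(dev["PMK-MKD"], radio_b, peer)
    # Prior-art binding described in the background: the radio MAC sits where Dev-ID is,
    # so each radio ends up with its own MKDK and must authenticate separately.
    old_a = derive_secondary_keys(msk, mesh_id, mkd_nas_id, mkdd_id, radio_a, anonce)
    old_b = derive_secondary_keys(msk, mesh_id, mkd_nas_id, mkdd_id, radio_b, anonce)
    return {
        "device_keys": dev,
        "radio_pmk_ma_differ": pmk_ma_a != pmk_ma_b,
        "legacy_mkdk_differ": old_a["MKDK"] != old_b["MKDK"],
    }


if __name__ == "__main__":
    r = demo_key_hierarchy()
    print("MKDKName:", r["device_keys"]["MKDKName"].hex())
    print("per-radio PMK-MA differ:", r["radio_pmk_ma_differ"])
    print("legacy per-radio MKDK differ:", r["legacy_mkdk_differ"])
```

Because the MKD and the MP run the same deterministic derivation over the same inputs, neither side ever transmits PMK-MKD or MKDK; only the 128-bit names travel in frames, which is what lets a second radio of the same MP reuse the hierarchy without a fresh EAP exchange.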
At this point the new MP node has completed network access authentication to the mesh network, and the two secondary keys PMK-MKD and MKDK of the key hierarchy have been established between the MP and the MKD.
Step 103: each radio module in the MP establishes security associations with other devices and with the MKD. The session key information produced when the security associations are established, such as PMK-MA, PTK and MPTK-KD, is maintained independently by each radio module. Establishing a security association with another device follows the existing scheme, which as shown in Figure 3C mainly includes the following steps:
2-1) to 2-2): through Peer Link Open frames, the MP node tells its peer which existing PMK-MA keys can be used for the session between them, together with the key identifier PMK-MKDName of the upper-layer key PMK-MKD from which each is derived; the two sides then negotiate which PMK-MA to use according to the key negotiation rules of the 802.11s draft;
2-3): if after negotiation the two sides decide to use PMK-MA1 belonging to MP1 and MP2 does not hold PMK-MA1, MP2 can send a key request through the secure tunnel it has established with the MKD, asking for the session master key PMK-MA1 used to communicate with MP1;
2-4): the MKD uses the PMK-MKDName supplied in MP2's key request to look up the corresponding key PMK-MKD, derives PMK-MA1 from it using the MAC addresses of the two communicating radio modules, and returns it to MP2 in a key response message;
2-5) to 2-6): MP1 and MP2 confirm the negotiated PMK-MA key and establish a secure link. A security association can then be established through the association process.
In addition, when the MP establishes a security association with the MKD, the four-step handshake described below can be used.
First, the frame format that can be used in the four-step handshake is described. During the four-step handshake that establishes the security association, multi-hop action frames may be used for transport; their frame format is shown in Figure 7. Because in practice the MKD may communicate with several network devices, including MPs, at the same time, a key identifier field is added to the Key Holder Security element to carry MKDKName, the key identifier of the MKDK. The MKDKName in this field is used to look up the MKDK corresponding to a particular network device. The mesh identifier MeshID in the multi-hop action frame identifies a mesh network.
The flow chart of the four-step handshake is shown in Figure 8A and its signaling diagram in Figure 8B. It includes:
Step 110: the MP sets the HandShakeSequence field of the first handshake message to 1; fills the MA-ID field with the MAC address of the radio module in the MP that is to establish the security association with the MKD; fills the MKD-ID field with the MAC address of the MKD; fills the MANonce field with a random number generated by the MP; and includes MKDKName, the identifier of the MKDK produced during initial authentication.
Step 111: on receiving the first handshake message, the MKD generates a random number and places it in the MKDNonce field, uses the key identifier MKDKName to look up the secondary key MKDK corresponding to the MP, derives the session key MPTK-KD from MA-Nonce, MKD-Nonce, MA-ID, MKD-ID and so on, and computes the Message Integrity Check (MIC). In the second handshake message it sets HandShakeSequence to 2, fills in MA-Nonce, MKD-Nonce, MA-ID, MKD-ID, MKDKName, the MIC and the other fields, and sends it to the MP.
Step 112: on receiving the second handshake message, the MP checks that MKDKName, MA-ID, MKD-ID, MA-Nonce and so on are consistent with what it sent; if they are, it derives MPTK-KD using the MKD-Nonce generated by the MKD and verifies the MIC. If the MIC verifies, it returns the third handshake message, containing MA-Nonce, MKD-Nonce, MA-ID, MKD-ID, MKDKName, the MIC and so on, to the MKD;
Step 113: the MKD likewise checks the session parameters of the third handshake message for consistency and verifies its MIC; if both checks pass, it sends the fourth handshake message to confirm the third.
Method Embodiment 2
This embodiment provides another network authentication communication method which, as shown in Figure 9, includes:
Step 201: when the AS performs initial authentication of the MP, the MP sends the MAC addresses of all its radio modules to the MKD as identity information.
Step 202: the MKD associates the received MAC addresses with the device identifier of the MP.
Step 203: the MKD and the MP calculate and record the secondary keys and the corresponding key identifiers according to the MSK obtained. The Dev-ID field of the key derivation formulas may be the MP's user name, the MP's primary MAC address, or the MAC address of the radio module in the MP through which initial authentication was performed; the derivation formulas themselves are given in Step 102.
Step 204: after the secondary keys have been calculated, security associations are established. The MP establishes security associations with other MPs by the same process as the prior art, shown in Figure 3C and its description, which is not repeated here. When the radio modules in the MP establish security associations with the MKD, the four-step handshake described in Step 105 can still be used. The difference is that in this embodiment the key identifier MKDKName does not need to be added to the multi-hop action frame to index the secondary key MKDK; instead, the MKD uses the stored association between the MAC addresses and the MP's device identifier to find the MKDK corresponding to that MP, and then establishes the security association with the radio module in the MP on the basis of that MKDK.
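The four-step handshake of Steps 110 to 113 with both ways of locating the MKDK, the MKDKName field of Embodiment 1 and the radio MAC to device mapping of Step 202, as an added example that is not part of the patent. Assumptions: MPTK-KD is HMAC-SHA256 under the MKDK over the nonces and identifiers listed in Step 111; the MIC is HMAC-SHA256 under MPTK-KD over a fixed-order serialization of the other fields, truncated to 128 bits; and all MAC addresses, identifiers and keys are constructed sample values. It also exercises the two refusals that matter to a defender: a first message whose MKDKName (or MAC address) the MKD has not registered gets no reply, and a second message altered in flight fails the MIC check of Step 112.

```python
import hashlib
import hmac
import os

SEQ = "HandShakeSequence"

def derive_mptk_kd(mkdk, ma_nonce, mkd_nonce, ma_id, mkd_id):
    # MPTK-KD from the inputs named in Step 111; the combining function is assumed.
    return hmac.new(mkdk, b"MPTK-KD" + ma_nonce + mkd_nonce + ma_id + mkd_id, hashlib.sha256).digest()

def mic(mptk_kd, msg):
    # MIC over every field except the MIC itself, in a fixed order (encoding assumed).
    body = b"".join(k.encode() + b"=" + msg[k] + b";" for k in sorted(msg) if k != "MIC")
    return hmac.new(mptk_kd, body, hashlib.sha256).digest()[:16]

def verified(prev, cur, mptk, seq):
    # Steps 112/113: expected sequence number, every field we sent echoed unchanged, valid MIC.
    return (cur.get(SEQ) == seq and hmac.compare_digest(cur.get("MIC", b""), mic(mptk, cur))
            and all(cur.get(k) == v for k, v in prev.items() if k not in (SEQ, "MIC")))

class MKD:
    def __init__(self, mkd_id, devices):
        # devices: (Dev-ID, MKDK, MKDKName, radio MACs) tuples learned at initial authentication.
        self.mkd_id, self.sessions = mkd_id, {}  # sessions: MA-ID -> (message 2, MPTK-KD)
        self.mkdk_by_name = {name: mkdk for _, mkdk, name, _ in devices}  # Embodiment 1 index
        self.mkdk_by_mac = {mac: mkdk for _, mkdk, _, macs in devices
                            for mac in macs}  # Embodiment 2 index built in Step 202

    def find_mkdk(self, msg1):
        if "MKDKName" in msg1:  # Embodiment 1: the frame carries the key identifier
            return self.mkdk_by_name.get(msg1["MKDKName"])
        return self.mkdk_by_mac.get(msg1["MA-ID"])  # Embodiment 2: radio MAC -> device -> MKDK

    def on_msg1(self, msg1):
        mkdk = self.find_mkdk(msg1)
        if msg1[SEQ] != b"\x01" or msg1["MKD-ID"] != self.mkd_id or mkdk is None:
            return None  # unregistered device or wrong MKD: no reply
        mkd_nonce = os.urandom(32)
        mptk = derive_mptk_kd(mkdk, msg1["MANonce"], mkd_nonce, msg1["MA-ID"], self.mkd_id)
        msg2 = {**msg1, SEQ: b"\x02", "MKDNonce": mkd_nonce}
        msg2["MIC"] = mic(mptk, msg2)
        self.sessions[msg1["MA-ID"]] = (msg2, mptk)
        return msg2

    def on_msg3(self, msg3):
        msg2, mptk = self.sessions.get(msg3["MA-ID"], (None, None))
        if msg2 is None or not verified(msg2, msg3, mptk, b"\x03"):
            return None
        msg4 = {**msg3, SEQ: b"\x04"}
        msg4["MIC"] = mic(mptk, msg4)
        return msg4

class Radio:  # one radio module of an MP; its MKDK comes from the device management layer
    def __init__(self, mac, mkdk, mkdk_name=None):
        self.mac, self.mkdk, self.mkdk_name = mac, mkdk, mkdk_name
        self.sent = self.pending = self.mptk_kd = None

    def msg1(self, mkd_id):
        self.sent = {SEQ: b"\x01", "MA-ID": self.mac, "MKD-ID": mkd_id, "MANonce": os.urandom(32)}
        if self.mkdk_name is not None:  # Embodiment 1 adds MKDKName to the frame
            self.sent["MKDKName"] = self.mkdk_name
        return self.sent

    def on_msg2(self, msg2):
        mptk = derive_mptk_kd(self.mkdk, msg2["MANonce"], msg2.get("MKDNonce", b""),
                              self.mac, msg2["MKD-ID"])
        if not verified(self.sent, msg2, mptk, b"\x02"):
            return None  # altered field or a peer without the right MKDK
        self.pending, self.sent = mptk, {**msg2, SEQ: b"\x03"}
        self.sent["MIC"] = mic(mptk, self.sent)
        return self.sent

    def on_msg4(self, msg4):
        if verified(self.sent, msg4, self.pending, b"\x04"):
            self.mptk_kd = self.pending
        return self.mptk_kd is not None

def run_handshake(radio, mkd, tamper=None):
    m2 = mkd.on_msg1(radio.msg1(mkd.mkd_id))  # message 1 -> message 2
    m3 = radio.on_msg2(tamper(m2) if tamper else m2) if m2 else None
    m4 = mkd.on_msg3(m3) if m3 else None
    return bool(m4) and radio.on_msg4(m4) and radio.mptk_kd == mkd.sessions[radio.mac][1]

def demo_handshake():
    # Constructed sample: one MP (Dev-ID mp17) with two radios sharing one MKDK, and one MKD.
    mkdk = hashlib.sha256(b"constructed MKDK of mp17").digest()
    name = hashlib.sha256(b"MKDK Name constructed context of mp17").digest()[:16]
    radio_a, radio_b = bytes.fromhex("02aabbccdd10"), bytes.fromhex("02aabbccdd11")
    mkd = MKD(bytes.fromhex("02aabbccdd01"), [(b"mp17@example", mkdk, name, [radio_a, radio_b])])
    a, b = Radio(radio_a, mkdk, name), Radio(radio_b, mkdk)
    unknown = Radio(bytes.fromhex("02aabbccdd99"), mkdk, b"\x00" * 16)  # name never registered
    return {
        "by_name": run_handshake(a, mkd),          # Embodiment 1 lookup path
        "by_mac": run_handshake(b, mkd),           # Embodiment 2 lookup path
        "distinct_mptk": a.mptk_kd != b.mptk_kd,   # one MKDK, a separate session key per radio
        "unknown_rejected": not run_handshake(unknown, mkd),
        "tampered_rejected": not run_handshake(
            Radio(radio_a, mkdk, name), mkd, tamper=lambda m: {**m, "MKDNonce": bytes(32)}),
    }
```

Both lookup paths end at the same device-level MKDK, which is why a second radio of the MP needs no further EAP round; what stays per radio is the MPTK-KD, because the radio's own MA-ID and fresh nonces enter its derivation.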
System Embodiment
This embodiment provides a mesh network system capable of implementing the above method. As shown in Figure 10, it includes an MKD 10 and a network device 20, where the network device 20 may be an MP, a MAP or an MPP. It works as follows:
The first distribution module 11 in the MKD 10 and the first device module 21 in the network device 20 calculate and record the secondary keys MKDK and PMK-MKD and the corresponding key identifiers MKDKName and PMK-MKDName according to the key credential information and the device identifier of the network device 20. The calculation may use a PSK already shared between the MKD 10 and the network device 20. Alternatively, as also shown in Figure 10, an AS 30 may be provided: before the secondary keys are calculated, the first authentication module 31 in the AS 30 performs initial authentication of the network device 20, during which the network device 20 and the AS 30 each produce the corresponding MSK; the second authentication module 32 then sends the MSK produced after the first authentication module 31 has authenticated the device to the MKD 10 as key credential information. The first distribution module 11 in the MKD 10 and the first device module 21 in the network device 20 then calculate from their respective MSK and the device identifier of the network device 20, establishing the two secondary keys PMK-MKD and MKDK of the key hierarchy between the network device 20 and the MKD 10. The derivation formulas are given in Method Embodiment 1.
After the secondary keys have been calculated, security associations are established. The network device 20 establishes security associations with other network devices by the same process as the prior art, shown in Figure 3C and its description, which is not repeated here. The network device 20 also establishes a security association with the MKD 10, as follows:
The second distribution module 12 in the MKD 10 establishes a security association with the network device 20 according to the secondary keys and corresponding key identifiers obtained by the first distribution module 11. Correspondingly, the network device 20 is also provided with a plurality of radio modules, represented in Figure 10 by radio module 22. Radio module 22 establishes a security association with the MKD 10 according to the secondary keys and corresponding key identifiers obtained by the first device module 21. The process of establishing the security association is the four-step handshake described in Method Embodiment 1 and is not repeated here.
In the embodiments of the present invention described above, the calculation of the key hierarchy has been re-partitioned so that the calculation of the secondary keys depends only on the device identifier and is not bound to the individual radio modules in the device; the radio modules therefore do not need to repeat the initial authentication process, and a network device with multiple radio modules can establish security associations with other network devices after a single initial authentication. Repeated authentication is thus avoided and authentication efficiency is improved.

Claims
1. A network authentication communication method, comprising:
a network device calculating and recording a secondary key and a corresponding key identifier according to key credential information and a device identifier of the network device;
a radio module in the network device establishing a security association with a mesh key distribution node (MKD) according to the key identifier.
2. The network authentication communication method according to claim 1, wherein the network device calculating the secondary key and the corresponding key identifier according to the key credential information and the device identifier comprises:
the network device performing initial authentication with an authentication server (AS), which returns a master session key (MSK) after the authentication succeeds;
the network device calculating the secondary key and the corresponding key identifier according to the MSK and the device identifier.
3. The network authentication communication method according to claim 1, wherein the network device calculating the secondary key and the corresponding key identifier according to the key credential information and the device identifier comprises: the network device calculating the secondary key and the corresponding key identifier according to a pre-shared key (PSK) and the device identifier.
4. The network authentication communication method according to claim 1, wherein the secondary key comprises a mesh key distribution key (MKDK) and a pairwise master key shared with the mesh key distribution node (PMK-MKD); the key identifier of the MKDK is the mesh key distribution key name (MKDKName), and the key identifier of the PMK-MKD is the name of the pairwise master key shared with the MKD (PMK-MKDName).
5. The network authentication communication method according to claim 4, wherein the radio module in the network device establishing a security association with the MKD according to the key identifier comprises:
the network device sending the MKDKName generated by the network device to the MKD;
the MKD looking up, by the MKDKName, the MKDK generated by the MKD;
the network device establishing a security association with the MKD according to the MKDK.
6. The network authentication communication method according to claim 5, wherein the network device sending the MKDKName generated by the network device to the MKD comprises carrying the MKDKName in a first handshake message sent to the MKD;
the first handshake message being a multi-hop action frame, with the MKDKName carried in the key identifier field of the multi-hop action frame.
7. The network authentication communication method according to claim 2, wherein before the calculating and recording of the secondary key and the corresponding key identifier, the method further comprises:
the network device sending the MAC addresses of all of its radio modules to the MKD as identity information;
the MKD storing the received MAC addresses in association with the device identifier of the network device.
8. The network authentication communication method according to claim 7, wherein the radio modules in the network device each establishing a security association with the MKD according to the key identifier comprises:
the MKD looking up the MKDK corresponding to the network device according to the MAC address and the device identifier of the network device stored in association in the MKD;
the MKD establishing a security association with the radio module according to the MKDK found.
9. The network authentication communication method according to any one of claims 1 to 8, wherein the device identifier comprises: a user name of the network device, a primary medium access control (MAC) address identifier, or the MAC address identifier of the radio module in the network device that passed the initial authentication.
10. The method according to claim 1, further comprising the mesh key distribution node calculating and recording the secondary key and the corresponding key identifier according to its key credential information and the device identifier of the network device.
11. A mesh network system, comprising an MKD and a network device, wherein the MKD comprises:
a first distribution module, configured to calculate and record the secondary keys MKDK and PMK-MKD and the corresponding key identifiers MKDKName and PMK-MKDName according to key credential information and the device identifier of the network device;
a second distribution module, configured to establish a security association with the network device according to the secondary keys and the corresponding key identifiers obtained by the first distribution module;
and the network device comprises:
a first device module, configured to calculate and record the secondary keys MKDK and PMK-MKD and the corresponding key identifiers MKDKName and PMK-MKDName according to key credential information and the device identifier of the network device;
a plurality of radio modules, configured to establish a security association with the MKD according to the secondary keys and the corresponding key identifiers obtained by the first device module.
12. The mesh network system according to claim 11, further comprising an AS, wherein the AS comprises:
a first authentication module, configured to perform initial authentication of the network device;
a second authentication module, configured to send the MSK generated after the first authentication module's authentication succeeds to the MKD as the key credential information.
13. The mesh network system according to claim 11 or 12, wherein the network device is a mesh point (MP), a mesh access point (MAP), or a mesh point with portal (MPP).
14. A method for providing a key and a key identifier to a multi-radio network device in a mesh network, the method comprising:
a mesh key distribution node obtaining key credential information and an identifier of the multi-radio network device; and calculating a secondary key and a corresponding key identifier according to the key credential information and the identifier of the multi-radio network device.
15. The method according to claim 14, wherein the process of calculating the secondary key and the corresponding key identifier according to the key credential information and the identifier of the network device in the mesh network is:
concatenating the network identifier, the network access server identifier of the mesh key distribution node, the domain identifier of the mesh key distribution node and the multi-radio device identifier, and performing pseudorandom hash processing on the result using the key credential information.
16. The method according to claim 14, wherein the identifier of the multi-radio network device is:
the user name in the device authentication information, the primary MAC address identifier of the mesh point (MP), or the MAC address identifier of the radio module in the MP that passed the initial authentication.
17. The method according to claim 14, wherein after the process of calculating the secondary key and the corresponding key identifier according to the key credential information and the identifier of the multi-radio network device, the method further comprises:
storing the secondary key and the corresponding key identifier.
18. A mesh key distribution node device, wherein the device comprises: a module for obtaining key credential information;
and a module for calculating a secondary key and a corresponding key identifier according to the key credential information and the identifier of the multi-radio network device.
19. The device according to claim 18, wherein the device further comprises: a module for storing the secondary key and the corresponding key identifier.
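The key hierarchy of claims 1 to 15, worked through as an added example that is not code from the patent or its applicant: the secondary keys and their names are derived from the credential and the device identifier only (so a second radio needs no second initial authentication), and the MKD resolves a radio's MKDKName through its radio-MAC-to-device table. HMAC-SHA256 as the hash, the label strings, the 128-bit names, the MKD class with its lookup tables, and all identifier values are this example's assumptions.

```python
import hashlib
import hmac

# Constructed identifiers standing in for the claim 15 inputs (not values from the patent).
MESH_ID = b"example-mesh"
MKD_NAS_ID = b"mkd-nas-1"
MKD_DOMAIN_ID = b"mkd-domain-1"


def derive_secondary_keys(credential, mesh_id, mkd_nas_id, mkd_domain_id, device_id):
    """Derive MKDK, PMK-MKD and their key identifiers from the key credential (MSK or
    PSK) and the device identifier. Concatenating the identifiers and hashing under the
    credential follows claim 15; HMAC-SHA256, the labels and the 128-bit name length
    are assumptions. No radio MAC enters the derivation, so all of a device's radios share it."""
    context = b"|".join([mesh_id, mkd_nas_id, mkd_domain_id, device_id])
    prf = lambda label: hmac.new(credential, label + b"|" + context, hashlib.sha256).digest()
    return {
        "MKDK": prf(b"MKDK"),
        "PMK-MKD": prf(b"PMK-MKD"),
        "MKDKName": prf(b"MKDKName")[:16],
        "PMK-MKDName": prf(b"PMK-MKDName")[:16],
    }


class MKD:
    def __init__(self):
        self.keys_by_device = {}  # device identifier -> derived key set
        self.mkdk_by_name = {}    # MKDKName -> MKDK, the lookup in claim 5
        self.device_by_mac = {}   # radio MAC -> device identifier (claim 7)

    def register_device(self, credential, device_id, radio_macs):
        """Runs once per device, after its single initial authentication."""
        keys = derive_secondary_keys(credential, MESH_ID, MKD_NAS_ID, MKD_DOMAIN_ID, device_id)
        self.keys_by_device[device_id] = keys
        self.mkdk_by_name[keys["MKDKName"]] = keys["MKDK"]
        for mac in radio_macs:
            self.device_by_mac[mac] = device_id

    def first_handshake(self, radio_mac, mkdk_name):
        """Handle the first handshake message (claim 6): the radio presents MKDKName in the
        key identifier field. Returns the MKDK for the four-step handshake, or None when the
        radio is not registered to any device or the name is not that device's (claim 8)."""
        device_id = self.device_by_mac.get(radio_mac)
        expected = self.keys_by_device[device_id]["MKDKName"] if device_id else None
        if expected is None or not hmac.compare_digest(expected, mkdk_name):
            return None
        return self.mkdk_by_name[mkdk_name]


def demo():
    """Constructed scenario: an MP with two radios authenticates once; both radios then
    resolve to the same MKDK, while an unregistered radio is refused."""
    msk = bytes(range(32))   # stands in for the MSK the AS returns (claim 2)
    device_id = b"mp-0001"   # e.g. the MP's user name (claim 9)
    radios = [b"\x00\x11\x22\x33\x44\x55", b"\x00\x11\x22\x33\x44\x66"]
    mkd = MKD()
    mkd.register_device(msk, device_id, radios)
    dev = derive_secondary_keys(msk, MESH_ID, MKD_NAS_ID, MKD_DOMAIN_ID, device_id)
    per_radio = [mkd.first_handshake(mac, dev["MKDKName"]) for mac in radios]
    stranger = mkd.first_handshake(b"\xde\xad\xbe\xef\x00\x01", dev["MKDKName"])
    return dev["MKDK"], per_radio, stranger
```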
PCT/CN2008/073615 2008-02-20 2008-12-19 A network authentication communication method and a mesh network system WO2009103214A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810082212.3 2008-02-20
CN200810082212.3A CN101516090B (en) 2008-02-20 2008-02-20 Network authentication communication method and mesh network system

Publications (1)

Publication Number Publication Date
WO2009103214A1 true WO2009103214A1 (en) 2009-08-27

Family

ID=40985057

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/073615 WO2009103214A1 (en) 2008-02-20 2008-12-19 A network authentication communication method and a mesh network system

Country Status (2)

Country Link
CN (1) CN101516090B (en)
WO (1) WO2009103214A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312495A (en) * 2013-06-25 2013-09-18 杭州华三通信技术有限公司 Grouped connectivity association (CA) forming method and device
CN104968032A (en) * 2015-05-04 2015-10-07 广东欧珀移动通信有限公司 Mesh point (MP) network-admittance method, MP node and mesh portal point (MPP) node

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102056163B (en) * 2009-11-03 2013-06-05 杭州华三通信技术有限公司 Distributed mesh network key management method and wireless access point device
CN103490887B (en) 2012-06-14 2017-06-13 中兴通讯股份有限公司 A kind of network equipment and its certification and key management method
US9253185B2 (en) * 2012-12-12 2016-02-02 Nokia Technologies Oy Cloud centric application trust validation
CN103368942A (en) * 2013-05-25 2013-10-23 中山市中商港科技有限公司 Cloud data security storage and management method
CN104283853B (en) 2013-07-08 2018-04-10 华为技术有限公司 A kind of method, terminal device and network equipment for improving Information Security
CN105744524B (en) * 2016-05-06 2019-03-22 重庆邮电大学 Mobile device networking authentication method in a kind of WIA-PA industry wireless network
CN107979498B (en) * 2018-01-03 2020-12-11 深圳市吉祥腾达科技有限公司 Mesh network cluster and large file transmission method based on cluster
CN108964912B (en) * 2018-10-18 2022-02-18 深信服科技股份有限公司 PSK generation method, PSK generation device, user equipment, server and storage medium
US20210184869A1 (en) * 2019-12-17 2021-06-17 Microchip Technology Incorporated Mutual authentication protocol for systems with low-throughput communication links, and devices for performing the same
CN114697958A (en) * 2020-12-30 2022-07-01 中兴通讯股份有限公司 Network access method and system of wireless access point, AP and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1996837A (en) * 2006-01-05 2007-07-11 恩益禧电子股份有限公司 Microcontroller and authentication method between the controllers
US20080016338A1 (en) * 2006-07-17 2008-01-17 Sheng Sun System and method for secure wireless multi-hop network formation
US20080031155A1 (en) * 2006-08-02 2008-02-07 Motorola, Inc. Managing establishment and removal of security associations in a wireless mesh network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101047978A (en) * 2006-03-27 2007-10-03 华为技术有限公司 Method for updating key in user's set

Also Published As

Publication number Publication date
CN101516090B (en) 2013-09-11
CN101516090A (en) 2009-08-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08872577

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08872577

Country of ref document: EP

Kind code of ref document: A1