WO2011017876A1 - Method and system for re-authenticating a terminal - Google Patents


Info

Publication number
WO2011017876A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
aaa server
message
response message
firmware
Application number
PCT/CN2009/075686
Other languages
French (fr)
Chinese (zh)
Inventor
李冬贵
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2011017876A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities


Abstract

A method and system for re-authenticating a terminal are provided. The method includes: a firmware sends an authentication start message to an authentication client; the authentication client generates an authentication response message and sends it to an Authentication, Authorization and Accounting (AAA) server; the AAA server sends a challenge message of a predetermined algorithm to the authentication client; the authentication client sends the response message of the predetermined algorithm corresponding to that challenge message to the AAA server; the AAA server sends an authentication success message to the authentication client; wherein the identification information of the terminal is carried in the authentication response message. By changing the way re-authentication is initiated, and building on a completed initial authentication, the method of the present invention simplifies the re-authentication flow and solves the problems of the existing World Interoperability for Microwave Access (WiMAX) terminal during re-authentication: slow speed, relatively unstable operation, heavy load on the AAA server, and so on.

Description

Method and system for re-authenticating a terminal

Technical field

The present invention relates to authentication technology in wireless communication, and in particular to a method and system for re-authenticating a terminal.

Background

World Interoperability for Microwave Access (WiMAX) is a broadband wireless access metropolitan area network (WMAN, Wireless Metropolitan Area Network) technology based on the IEEE 802.16 family of standards; it is a new air interface standard proposed for the microwave and millimeter-wave bands. The basic goal of WiMAX is to ensure that wireless equipment from different vendors interoperates in the metropolitan access environment. It is mainly used to provide "last mile" high-speed broadband access for homes, enterprises and mobile communication networks, as well as future personal mobile communication services. Compared with other broadband wireless access technologies, WiMAX has the advantages of wide coverage, strong scalability and controllable quality of service (QoS), specifically:
(1) High-speed mobility: WiMAX terminals can access the network wirelessly while moving at vehicle speed, generally taken to be up to 120 km/h.
(2) Broadband access: a terminal obtains different access speeds under different carrier bandwidths and modulation schemes, with a maximum rate of up to 30 Mbit/s.
(3) Wide coverage: the coverage radius is on the order of several km.
(4) Primarily data services: data access is provided to individual users, and voice services can also be provided.
The WiMAX industry chain is steadily maturing; from system equipment to terminals, the upstream and downstream WiMAX supply chain is working to develop the technology and will jointly advance the commercialization of the WiMAX market. At present, WiMAX terminals are all authenticated with the EAP protocol, and the two EAP methods mainly used in the market are EAP-TTLS/MSCHAPv2 and EAP-TLS. The WiMAX protocol standard stipulates that a WiMAX terminal must re-authenticate after a certain period of time, so the EAP authentication process can be divided into two kinds: the EAP initial authentication process and the EAP re-authentication process.
Figure 1 is a flowchart of the initial authentication of an existing WiMAX terminal; Figure 1 shows the existing EAP initial authentication process, taking EAP-TLS as an example.
Figure 2 is a flowchart of the re-authentication of an existing WiMAX terminal; Figure 2 shows the existing EAP re-authentication process, taking EAP-TLS as an example.
Comparing Figure 1 and Figure 2, it can be seen that the EAP re-authentication process differs from the EAP initial authentication process only by one additional EAP-Start message that initiates re-authentication; the rest of the process is exactly the same. This existing EAP re-authentication process has the following disadvantages:
1) There is relatively much message interaction, so re-authentication is relatively slow.
2) If the operator sets a short re-authentication interval, for example 5 minutes, the AAA server will come under very heavy load in large-scale commercial deployment.
3) It reduces the stability of the WiMAX terminal; where signal strength is poor, re-authentication access is likely to fail or the connection is likely to drop.

Summary of the invention

The main object of the present invention is to provide a method and system for re-authenticating a terminal, which can optimize the access procedure of an existing WiMAX terminal during re-authentication, increase the re-authentication speed of the WiMAX terminal, and relieve the load on the AAA server.
The present invention proposes a method for re-authenticating a terminal, including the following steps:
the firmware sends an authentication start message to the authentication client;
the authentication client generates an authentication response message and sends the authentication response message to the AAA server;
the AAA server sends a challenge message of a predetermined algorithm to the authentication client;
the authentication client sends a response message of the predetermined algorithm corresponding to the challenge message of the predetermined algorithm to the AAA server;
the AAA server sends an authentication success message to the authentication client;
wherein the authentication response message carries the identification information of the terminal.
After the AAA server sends the authentication success message to the authentication client, the method further includes:
the authentication client computes an MSK key from the challenge message of the predetermined algorithm, the challenge packet identifier and the shared key, and sends the computed key to the firmware.
After the firmware sends the authentication start message to the authentication client and before the AAA server sends the challenge message of the predetermined algorithm to the authentication client, the method further includes:
the firmware notifies the authentication client that the algorithm to be used is the predetermined algorithm.
Sending the authentication response message to the AAA server includes:
the authentication client transmits the authentication response message to the AAA server via the firmware, the base station and the gateway in turn.
The AAA server sending the challenge message of the predetermined algorithm to the authentication client includes: the AAA server transmitting the challenge message of the predetermined algorithm to the authentication client via the gateway, the base station and the firmware in turn.
The authentication client sending the response message of the predetermined algorithm corresponding to the challenge message of the predetermined algorithm to the AAA server includes:
the authentication client transmitting the response message of the predetermined algorithm to the AAA server via the firmware, the base station and the gateway in turn.
The AAA server sending the authentication success message to the authentication client includes: the AAA server transmitting the authentication success message to the authentication client via the gateway, the base station and the firmware in turn. When the authentication response message is transmitted from the gateway to the AAA server, the authentication response message is encapsulated as information that the AAA server recognizes, and when the authentication response message is transmitted from the AAA server to the gateway, the authentication response message is decapsulated.
The terminal is a WiMAX terminal including the firmware and the authentication client, where the firmware is a WiMAX chip.
A system for re-authenticating a terminal includes a firmware, an authentication client and an AAA server, where:
the firmware is configured to send an authentication start message to the authentication client;
the authentication client is configured to generate an authentication response message and send it to the AAA server via the firmware, the base station and the AGW gateway, and, on receiving a challenge message, to send the response message of the predetermined algorithm corresponding to the challenge message of the predetermined algorithm to the AAA server;
the AAA server is configured to send the challenge message of the predetermined algorithm to the authentication client via the AGW gateway, the base station and the firmware, and, on receiving the response message of the predetermined algorithm, to send the authentication response message to the authentication client;
wherein the authentication response message carries the identification information of the terminal.
The system further includes a base station and an AGW gateway, where
the authentication client sends the response message of the predetermined algorithm corresponding to the challenge message of the predetermined algorithm to the AAA server via the base station and the AGW gateway;
the AAA server sends the authentication response message to the authentication client via the AGW gateway and the base station.
The terminal is a WiMAX terminal including the firmware and the authentication client, where the firmware is a WiMAX chip.
As can be seen from the above method of the present invention, it includes: the firmware sends an authentication start message to the authentication client; the authentication client generates an authentication response message and sends it to the AAA server; the AAA server sends a challenge message of the predetermined algorithm to the authentication client; the authentication client sends the response message of the predetermined algorithm corresponding to that challenge message to the AAA server; the AAA server sends an authentication success message to the authentication client; wherein the authentication response message carries the identification information of the terminal. The method of the present invention mainly changes the way re-authentication is initiated and, on the basis of a completed initial authentication, simplifies the re-authentication flow, solving the problems of the existing WiMAX terminal during re-authentication: slow speed, relatively unstable operation and heavy load on the AAA server.
The present invention has the following advantages and effects:
1) Faster re-authentication. By optimizing the re-authentication flow, the WiMAX terminal can complete the interaction quickly during re-authentication, markedly increasing the access speed of re-authentication.
2) Relief of AAA load. Because the amount of data exchanged between the WiMAX terminal and the AAA server during re-authentication is reduced, the load on the AAA server is markedly relieved in large-scale commercial deployment.
3) Improved stability. By optimizing the re-authentication flow, the re-authentication process no longer needs to carry the AAA server's CA certificate, device certificate and similar messages, which raises the WiMAX terminal's access success rate during re-authentication and effectively reduces the chance of dropping the connection, thereby improving the stability of the WiMAX terminal.

Brief description of the drawings

The drawings described here are provided for a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description serve to explain the present invention and do not limit it. In the drawings:
Figure 1 is a flowchart of the initial authentication of an existing WiMAX terminal;
Figure 2 is a flowchart of the re-authentication of an existing WiMAX terminal;
Figure 3 is a flowchart of the fast re-authentication implemented by the WiMAX terminal of the present invention;
Figure 4 is the MAC PDU format of an exemplary embodiment of the present invention.

Detailed description

In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and not to limit it.
Below, with reference to the drawings, the implementation of fast re-authentication of the WiMAX terminal according to the present invention is described in detail by way of the EAP initial authentication flow and the EAP re-authentication flow of the existing WiMAX terminal.
Figure 3 is a flowchart of the fast re-authentication implemented by the WiMAX terminal of the present invention. As shown in Figure 3, it includes:
Step 301: The firmware (Firmware) sends an authentication start (EAP-Start) message to the authentication client (Supplicant) to initiate the re-authentication flow. The firmware may be a chip embedded in the terminal, for example a WiMAX chip.
Steps 302 to 305: The authentication client (Supplicant) sends an EAP-Response/Identity message to the AAA server. The message from the AGW gateway to the AAA server is a RADIUS Access-Request/Identity.
Steps 306 to 309: The AAA server sends an MD5 challenge message to the authentication client (Supplicant). Here MD5 is the predetermined algorithm.
After the step in which the firmware sends the authentication start message to the authentication client and before the step in which the AAA server sends the challenge message of the predetermined algorithm to the authentication client, the method further includes: the firmware notifies the authentication client that the algorithm to be used is the predetermined algorithm.
Steps 310 to 313: The authentication client (Supplicant) sends an MD5 response message to the AAA server.
Steps 314 to 317: The AAA server sends an EAP Success message to the authentication client (Supplicant), and the re-authentication flow ends. The authentication response message, that is, the EAP Success message, carries the identification information of the terminal. The authentication client computes the Master Session Key (MSK) from the challenge message of the predetermined algorithm, the challenge packet identifier and the shared key.
Step 318: The authentication client (Supplicant) sends the MSK to the firmware (Firmware), where it is used to form the key hierarchy of the WiMAX terminal's security sublayer.
The terminal is a WiMAX terminal including the firmware and the authentication client, where the firmware is a WiMAX chip.
Compared with existing WiMAX re-authentication technology, the re-authentication technique adopted by the present invention mainly changes the way re-authentication is initiated and, on the basis of a completed initial authentication, simplifies the re-authentication flow; by the method of the present invention, the problems of the existing WiMAX terminal during re-authentication, namely slow speed, relatively unstable operation and heavy load on the AAA server, are solved.
In the existing WiMAX re-authentication technique, the firmware (Firmware) sends an EAP-Start message to the AGW gateway to begin re-authentication, whereas in the WiMAX re-authentication method of the present invention the firmware sends the EAP-Start message to the authentication client (Supplicant) to begin re-authentication, and at the same time the firmware notifies the authentication client that the MD5 algorithm will be selected to compute the MSK during re-authentication, instead of the EAP-TTLS/MSCHAPv2 or EAP-TLS authentication method used in the initial authentication. The EAP-Response/Identity sent by the WiMAX terminal carries the user's Network Access Identifier (NAI, for example in the format MAC_Address@realm), so that a specific terminal is authenticated. The WiMAX terminal selects the relatively simple MD5 algorithm supported by the WiMAX base station, so that the terminal can compute the MSK from the MD5 challenge sent by the base station, the challenge packet identifier (CHAP-ID) and the shared key; after re-authentication succeeds, the MSK is encapsulated in a WiMAX API message and sent to the firmware, completing the update of the MSK.
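The Figure 3 exchange written out end to end, as an added example that is not the patent's or the applicant's code. It assumes the CHAP response computation of RFC 1994 that EAP-MD5 uses, MD5(identifier || secret || challenge), and an HMAC-SHA256 stand-in for the MSK derivation, since the page names the MSK inputs (challenge, CHAP-ID, shared key) but not the function; the base station and AGW relay hops are collapsed into direct calls, and the NAI and secret are constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class EapMessage:
    code: str            # Response/Identity, Request/MD5, Response/MD5, Success, Failure
    identifier: int = 0  # EAP identifier of the round (the CHAP-ID)
    data: bytes = b""    # NAI, challenge, or response hash
    name: str = ""       # NAI echoed in the MD5 response so the server finds its state


def md5_chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 response (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def derive_msk(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Assumed MSK construction over the inputs the page names: challenge, CHAP-ID, shared key."""
    return hmac.new(secret, challenge + bytes([identifier]), hashlib.sha256).digest()


class AAAServer:
    """Steps 306-309 and 314-317: issue the MD5 challenge, verify the response."""

    def __init__(self, subscribers: Dict[str, bytes]):
        self.subscribers = subscribers                   # NAI -> shared secret
        self.pending: Dict[str, Tuple[int, bytes]] = {}  # NAI -> (CHAP-ID, challenge)
        self.msk: Dict[str, bytes] = {}                  # NAI -> MSK after success
        self.next_id = 1

    def handle(self, msg: EapMessage) -> EapMessage:
        if msg.code == "Response/Identity":
            nai = msg.data.decode("ascii", "replace")
            if "@" not in nai or nai not in self.subscribers:  # NAI is MAC_Address@realm
                return EapMessage("Failure")
            ident, self.next_id = self.next_id, (self.next_id + 1) % 256
            challenge = os.urandom(16)
            self.pending[nai] = (ident, challenge)
            return EapMessage("Request/MD5", ident, challenge)
        if msg.code == "Response/MD5":
            state = self.pending.pop(msg.name, None)
            if state is None or state[0] != msg.identifier:
                return EapMessage("Failure")
            ident, challenge = state
            secret = self.subscribers[msg.name]
            if not hmac.compare_digest(md5_chap_response(ident, secret, challenge), msg.data):
                return EapMessage("Failure")
            self.msk[msg.name] = derive_msk(ident, secret, challenge)
            return EapMessage("Success", ident)
        return EapMessage("Failure")


class Supplicant:
    """Authentication client: identity (302), MD5 response (310), MSK (318)."""

    def __init__(self, nai: str, secret: bytes):
        self.nai, self.secret = nai, secret
        self.algorithm: Optional[str] = None
        self.round: Optional[Tuple[int, bytes]] = None

    def on_start(self, algorithm: str) -> EapMessage:
        self.algorithm = algorithm  # the firmware's notice of the predetermined algorithm
        return EapMessage("Response/Identity", data=self.nai.encode("ascii"))

    def on_request(self, msg: EapMessage) -> EapMessage:
        if msg.code != "Request/MD5" or self.algorithm != "MD5":
            return EapMessage("Failure")
        self.round = (msg.identifier, msg.data)
        resp = md5_chap_response(msg.identifier, self.secret, msg.data)
        return EapMessage("Response/MD5", msg.identifier, resp, name=self.nai)

    def on_result(self, msg: EapMessage) -> Optional[bytes]:
        if msg.code != "Success" or self.round is None:
            return None
        return derive_msk(self.round[0], self.secret, self.round[1])


def firmware_reauth(supplicant: Supplicant, aaa: AAAServer) -> Optional[bytes]:
    """Step 301 onward, driven by the firmware: returns the MSK handed back in step 318."""
    identity = supplicant.on_start("MD5")        # EAP-Start plus algorithm notice
    challenge = aaa.handle(identity)             # relayed via base station and AGW
    response = supplicant.on_request(challenge)
    result = aaa.handle(response)
    return supplicant.on_result(result)


def run_reauth(nai: str, client_secret: bytes, server_secret: bytes) -> Tuple[bool, bool]:
    """Constructed run: (re-auth succeeded, firmware MSK equals server MSK)."""
    aaa = AAAServer({"00-11-22-33-44-55@example.realm": server_secret})
    msk = firmware_reauth(Supplicant(nai, client_secret), aaa)
    return msk is not None, msk is not None and msk == aaa.msk.get(nai)


if __name__ == "__main__":
    print(run_reauth("00-11-22-33-44-55@example.realm", b"shared-key", b"shared-key"))
```

RFC 3748 states that the MD5-Challenge method itself derives no keying material, so the MSK step is the patent's own extension and its security rests on the transport layer security kept from the initial authentication, as the page goes on to explain.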
To implement the above method, the present invention further proposes a system for re-authenticating a terminal, including a firmware, an authentication client, a base station, an AGW gateway and an AAA server, where
the firmware is configured to send an authentication start message to the authentication client; the authentication client is configured to generate an authentication response message and send it to the AAA server via the firmware, the base station and the AGW gateway, and, on receiving a challenge message, to send the response message of the predetermined algorithm corresponding to the challenge message of the predetermined algorithm to the AAA server via the firmware, the base station and the AGW gateway;
the AAA server is configured to send the challenge message of the predetermined algorithm to the authentication client via the AGW gateway, the base station and the firmware, and, on receiving the response message of the predetermined algorithm, to send the authentication response message from the server to the authentication client via the AGW gateway, the base station and the firmware, wherein the authentication response message carries the identification information of the terminal.
The fast re-authentication of the present invention is built on a successful initial authentication and uses the security established by the initial authentication to improve the re-authentication flow, so that the WiMAX terminal completes re-authentication faster and more stably, which also helps relieve the load the AAA server faces from the large volume of data exchange.
Existing WiMAX terminals generally select the EAP-TTLS/MSCHAPv2 or EAP-TLS authentication method for initial authentication. If the WiMAX terminal selects EAP-TLS, then once initial authentication completes the authentication client (Supplicant) has established Transport Layer Security (TLS); if the WiMAX terminal selects EAP-TTLS/MSCHAPv2, then once initial authentication completes the authentication client has established tunnelled TLS. So whether the terminal selects EAP-TTLS/MSCHAPv2 or EAP-TLS, after initial authentication the authentication client has established transport layer security, and after initial authentication this transport layer security is not released. The fast re-authentication of the present invention makes use of exactly this transport layer security established by initial authentication: it authenticates the terminal by its NAI and selects the relatively simple MD5 algorithm to compute the MSK, achieving fast and stable re-authentication while preserving security.
From the perspective of the security field, the security analysis of the fast re-authentication method of the present invention is as follows:
1. Integrity protection.
Because initial authentication has completed, the WiMAX terminal and the WiMAX base station share an Authorization Key (AK). According to the key hierarchy, the CMAC (Cipher-based Message Authentication Code, a kind of hashed message authentication code) of a WiMAX management message is computed and placed after the payload. After the receiver receives the WiMAX management message, it computes the CMAC of the message with the shared AK and compares it with the CMAC value carried in the message; if the two CMAC values are equal, the CMAC verification succeeds, otherwise the message is discarded. If an attacker tampers with the data, the attacker cannot obtain the AK and so cannot compute the correct CMAC value; once the receiver finds that the CMAC does not match, it knows the packet has been tampered with and simply discards the message, thereby achieving integrity protection of the message.
2. Replay attack.
In the payload of the MAC PDU, the Packet Number (PN) occupies the most significant 4 bytes of the MAC PDU. After the security association (SA) is established, the PN is 1 for the first packet sent and increases by 1 for each subsequent packet. When an attacker replays packets, the receiver continuously checks the PN value, so a message with a repeated PN value is discarded, which prevents replay attacks. Figure 4 shows the MAC PDU format, which contains the ciphertext payload.
3. Protection against reorder attacks. The sequence number described above also prevents an attacker from recording packets and sending them in a different order, thereby preventing reorder attacks.
4. Man-in-the-middle attack (MITM).
As the name suggests, a man-in-the-middle attack means that an attacker inserts himself between two communicating parties to intercept information he cannot or is not entitled to access. The man-in-the-middle attack is considered the most damaging attack on a WiMAX network. When an attacker intercepts packets, he cannot obtain the shared key and so cannot forge the forwarded packets, which prevents the man-in-the-middle attack.
Through the above analysis, the improved fast re-authentication method of the present invention is already equipped to guard against the main security threats.
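The receiver-side checks of items 1 to 3 above, as an added example rather than code from the page: a MAC tag after the payload that is verified first, then a Packet Number that must strictly increase so that replayed and reordered PDUs are both dropped. Assumed here: a PDU layout of 4-byte PN, ciphertext payload, 8-byte tag, and HMAC-SHA256 (truncated) in place of the AES-CMAC of the 802.16 key hierarchy, with the MAC key taken as already derived from the AK outside this block; the PDUs are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

PN_LEN = 4   # assumed width of the Packet Number prefix
TAG_LEN = 8  # assumed width of the truncated MAC tag appended after the payload


def mac_tag(mac_key: bytes, body: bytes) -> bytes:
    """Stand-in for CMAC: HMAC-SHA256 over PN || payload, truncated to TAG_LEN."""
    return hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]


def build_pdu(mac_key: bytes, pn: int, ciphertext: bytes) -> bytes:
    """Sender side: PN (big-endian) || ciphertext payload || tag."""
    body = struct.pack(">I", pn) + ciphertext
    return body + mac_tag(mac_key, body)


class Receiver:
    """Verifies the tag before looking at the PN, so an unauthenticated PDU can never
    advance the receive window; then enforces a strictly increasing PN."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.last_pn = 0            # SA just established: the first valid PN is 1
        self.accepted: List[bytes] = []

    def receive(self, pdu: bytes) -> str:
        if len(pdu) < PN_LEN + TAG_LEN:
            return "drop:short"
        body, tag = pdu[:-TAG_LEN], pdu[-TAG_LEN:]
        if not hmac.compare_digest(mac_tag(self.mac_key, body), tag):
            return "drop:mac"       # tampered or forged without the AK-derived key
        pn = struct.unpack(">I", body[:PN_LEN])[0]
        if pn <= self.last_pn:
            return "drop:pn"        # repeated PN (replay) or older PN (reorder)
        self.last_pn = pn
        self.accepted.append(body[PN_LEN:])
        return "accept"


def run_scenario(mac_key: bytes = b"constructed-ak-derived-key") -> Tuple[Dict[str, str], List[bytes]]:
    """Constructed traffic: a fresh PDU, a replay, out-of-order delivery, a tampered
    payload and a rewritten PN, each with the receiver's verdict."""
    rx = Receiver(mac_key)
    p1 = build_pdu(mac_key, 1, b"msg-1")
    p2 = build_pdu(mac_key, 2, b"msg-2")
    p3 = build_pdu(mac_key, 3, b"msg-3")
    tampered = p2[:PN_LEN] + b"MSG-2" + p2[PN_LEN + 5:]          # payload changed, tag kept
    forged_pn = struct.pack(">I", 99) + p3[PN_LEN:]               # PN rewritten, tag kept
    verdicts = {
        "first": rx.receive(p1),
        "replay_of_first": rx.receive(p1),
        "third_arrives_early": rx.receive(p3),
        "second_arrives_late": rx.receive(p2),
        "tampered_payload": rx.receive(tampered),
        "rewritten_pn": rx.receive(forged_pn),
    }
    return verdicts, rx.accepted


if __name__ == "__main__":
    for name, verdict in run_scenario()[0].items():
        print(f"{name:22s} {verdict}")
```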
Because the MD5 algorithm used in the present invention has open-source implementations, it is simpler to implement than the EAP-TTLS/MSCHAPv2 or EAP-TLS authentication methods. Because the current WiMAX protocol does not specify in detail how re-authentication is to be implemented, most WiMAX vendors currently use the same technique as for initial authentication. Since the EAP protocol falls within the scope of the WiMAX protocols, when the EAP protocol is used for re-authentication the simpler and faster EAP-MD5 method can be used.
The above is only a preferred embodiment of the present invention and is not intended to limit it; those skilled in the art may make various changes and variations to the present invention. Any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims
1. A method for re-authenticating a terminal, characterized by comprising the following steps:
the firmware sends an authentication start message to the authentication client;
the authentication client generates an authentication response message and sends the authentication response message to the AAA server;
the AAA server sends a challenge message of a predetermined algorithm to the authentication client;
the authentication client sends a response message of the predetermined algorithm, corresponding to the challenge message of the predetermined algorithm, to the AAA server;
the AAA server sends an authentication success message to the authentication client;
wherein the authentication response message carries identification information of the terminal.
2. The method according to claim 1, characterized in that, after the AAA server sends the authentication success message to the authentication client, the method further comprises:
the authentication client computes an MSK key from the challenge message of the predetermined algorithm, the challenge packet identifier and the shared key, and sends the computed key to the firmware.
3. The method according to claim 1, characterized in that, after the firmware sends the authentication start message to the authentication client and before the AAA server sends the challenge message of the predetermined algorithm to the authentication client, the method further comprises:
the firmware notifies the authentication client that the algorithm to be used is the predetermined algorithm.
4. The method according to any one of claims 1 to 3, characterized in that sending the authentication response message to the AAA server comprises:
the authentication client transmits the authentication response message to the AAA server via the firmware, the base station and the gateway in turn.
5. The method according to claim 4, characterized in that the AAA server sending the challenge message of the predetermined algorithm to the authentication client comprises:
the AAA server transmits the challenge message of the predetermined algorithm to the authentication client via the gateway, the base station and the firmware in turn.
6. The method according to claim 5, characterized in that the authentication client sending the response message of the predetermined algorithm, corresponding to the challenge message of the predetermined algorithm, to the AAA server comprises:
the authentication client transmits the response message of the predetermined algorithm to the AAA server via the firmware, the base station and the gateway in turn.
7. The method according to claim 6, characterized in that the AAA server sending the authentication success message to the authentication client comprises:
the AAA server transmits the authentication success message to the authentication client via the gateway, the base station and the firmware in turn.
8. The method according to claim 4, characterized in that, when the authentication response message is transmitted from the gateway to the AAA server, the authentication response message is encapsulated into a form recognized by the AAA server, and when the authentication response message is transmitted from the AAA server to the gateway, the authentication response message is decapsulated.
9. The method according to claim 1, characterized in that the terminal is a WiMAX terminal comprising the firmware and the authentication client, wherein the firmware is a WiMAX chip.
10. A system for re-authenticating a terminal, characterized by comprising: a firmware, an authentication client and an AAA server, wherein
the firmware is configured to send an authentication start message to the authentication client;
the authentication client is configured to generate an authentication response message and send the authentication response message to the AAA server via the firmware, the base station and the AGW gateway, and, on receiving a challenge message, to send a response message of the predetermined algorithm corresponding to the challenge message of the predetermined algorithm to the AAA server;
the AAA server is configured to send the challenge message of the predetermined algorithm to the authentication client via the AGW gateway, the base station and the firmware, and, on receiving the response message of the predetermined algorithm, to send an authentication success message to the authentication client;
wherein the authentication response message carries identification information of the terminal.
11. The system according to claim 10, characterized in that the system further comprises a base station and an AGW gateway, wherein
the authentication client sends the response message of the predetermined algorithm, corresponding to the challenge message of the predetermined algorithm, to the AAA server via the base station and the AGW gateway;
the AAA server sends the authentication success message to the authentication client via the AGW gateway and the base station.
12. The system according to claim 10 or 11, characterized in that the terminal is a WiMAX terminal comprising the firmware and the authentication client, wherein the firmware is a WiMAX chip.
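As an added illustration (example code, not part of the patent or of ZTE's implementation), the following Python script plays out the exchange of claims 1 to 8 with both endpoints present: the firmware's start message, the identity response, the AAA server's MD5-Challenge, the client's MD5 response, the success message and the MSK hand-off of claim 2, and the gateway encapsulation of claim 8. It also exercises the shared-key argument of the man-in-the-middle paragraph in the description by repeating the exchange with a client that does not hold the key. Packet layouts follow RFC 3748 (EAP) and RFC 1994 (the MD5-Challenge response value). Everything the page leaves open is an assumption here: the gateway-to-AAA encapsulation is modelled as a RADIUS EAP-Message attribute, the MSK formula is an HMAC-SHA256 stand-in (claim 2 names the inputs but no function), and the identity and keys are constructed sample data.

```python
# Added example, not the patent's code: the EAP-MD5 re-authentication exchange of claims 1-8.
# RFC 3748 / RFC 1994 packet layouts; the RADIUS wrapping and the MSK formula are assumptions.
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4
RADIUS_EAP_MESSAGE = 79  # RFC 3579 attribute carrying an EAP packet (assumed AAA transport)

def eap_packet(code, identifier, type_data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data], RFC 3748 section 4."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data

def parse_eap(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match the packet")
    return code, identifier, packet[4:]

def md5_response_value(identifier, secret, challenge):
    """MD5-Challenge response value: MD5(Identifier || secret || challenge), RFC 1994 4.1."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def derive_msk(secret, identifier, challenge):
    """ASSUMPTION: claim 2 names the inputs (challenge, challenge packet identifier, shared
    key) but no formula; HMAC-SHA256 expanded to the 64-byte MSK of RFC 3748 stands in."""
    base = bytes([identifier]) + challenge
    return b"".join(hmac.new(secret, base + bytes([i]), hashlib.sha256).digest() for i in (1, 2))

def gateway_to_aaa(eap):
    """Claim 8: gateway -> AAA wraps EAP in a RADIUS EAP-Message attribute (assumed form)."""
    return struct.pack("!BB", RADIUS_EAP_MESSAGE, 2 + len(eap)) + eap

def gateway_from_aaa(attr):  # claim 8: AAA -> gateway strips the wrapper before the base station
    attr_type, length = struct.unpack("!BB", attr[:2])
    if attr_type != RADIUS_EAP_MESSAGE or length != len(attr):
        raise ValueError("not an EAP-Message attribute")
    return attr[2:]

class AuthClient:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret
        self.pending, self.msk = None, None  # (identifier, challenge) until the result; MSK for the firmware

    def on_start(self, identifier):
        """Firmware's start message -> EAP-Response/Identity carrying the terminal identity."""
        return eap_packet(EAP_RESPONSE, identifier, bytes([TYPE_IDENTITY]) + self.identity)

    def on_challenge(self, packet):
        code, identifier, body = parse_eap(packet)
        if code != EAP_REQUEST or body[0] != TYPE_MD5_CHALLENGE:
            raise ValueError("expected an EAP-Request/MD5-Challenge")
        challenge = body[2:2 + body[1]]  # Value-Size byte, then Value
        self.pending = (identifier, challenge)
        value = md5_response_value(identifier, self.secret, challenge)
        type_data = bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + self.identity
        return eap_packet(EAP_RESPONSE, identifier, type_data)

    def on_result(self, packet):
        """Claim 2: compute the MSK only after EAP-Success for the matching identifier."""
        code, identifier, _ = parse_eap(packet)
        if code == EAP_SUCCESS and self.pending and self.pending[0] == identifier:
            self.msk = derive_msk(self.secret, *self.pending)
        self.pending = None
        return self.msk

class AAAServer:
    def __init__(self, secrets):
        self.secrets = secrets  # identity -> shared key (constructed sample data)
        self.pending, self.msk = {}, None  # challenge identifier -> (identity, challenge)

    def handle(self, attr):
        """Take a gateway-wrapped EAP packet and answer in the same wrapped form."""
        code, identifier, body = parse_eap(gateway_from_aaa(attr))
        self.msk = None
        if code == EAP_RESPONSE and body and body[0] == TYPE_IDENTITY:
            challenge, new_id = os.urandom(16), (identifier + 1) & 0xFF
            self.pending[new_id] = (body[1:], challenge)
            type_data = bytes([TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + b"aaa"
            return gateway_to_aaa(eap_packet(EAP_REQUEST, new_id, type_data))
        if code == EAP_RESPONSE and body and body[0] == TYPE_MD5_CHALLENGE and identifier in self.pending:
            identity, challenge = self.pending.pop(identifier)
            secret = self.secrets.get(identity)
            # An interceptor without the shared key cannot produce this value.
            if secret is not None and hmac.compare_digest(
                    body[2:2 + body[1]], md5_response_value(identifier, secret, challenge)):
                self.msk = derive_msk(secret, identifier, challenge)
                return gateway_to_aaa(eap_packet(EAP_SUCCESS, identifier))
        return gateway_to_aaa(eap_packet(EAP_FAILURE, identifier))

def run_reauth(client, server, start_identifier=0x10):
    """One exchange, client <-> (firmware, base station, gateway) <-> AAA; returns (ok, client_msk, server_msk)."""
    challenge = gateway_from_aaa(server.handle(gateway_to_aaa(client.on_start(start_identifier))))
    result = gateway_from_aaa(server.handle(gateway_to_aaa(client.on_challenge(challenge))))
    client_msk = client.on_result(result)
    return parse_eap(result)[0] == EAP_SUCCESS, client_msk, server.msk
```

Run `run_reauth(AuthClient(b"ms01@example.net", b"s3cret-key"), AAAServer({b"ms01@example.net": b"s3cret-key"}))` to see a successful exchange with matching MSKs on both sides; the same call with a client holding a different key yields EAP-Failure and no MSK, which is the check the description's man-in-the-middle argument rests on. Two caveats a practitioner should keep in view: RFC 3748 lists MD5-Challenge as providing neither mutual authentication nor key derivation, so the MSK step is this page's own addition on top of the base method and the client never learns whether the AAA server is genuine; and the response value is a plain MD5 over the shared key, so a key weak enough for an offline dictionary attack on one observed challenge/response pair gives the attacker the very key the argument assumes he cannot obtain.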
PCT/CN2009/075686 2009-08-12 2009-12-17 Method and system for re-authenticating a terminal WO2011017876A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910166111.9A CN101626569B (en) 2009-08-12 2009-08-12 Method and device for re-authenticating terminal
CN200910166111.9 2009-08-12

Publications (1)

Publication Number Publication Date
WO2011017876A1 true WO2011017876A1 (en) 2011-02-17

Family

ID=41522193

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/075686 WO2011017876A1 (en) 2009-08-12 2009-12-17 Method and system for re-authenticating a terminal

Country Status (2)

Country Link
CN (1) CN101626569B (en)
WO (1) WO2011017876A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101807236B (en) * 2010-02-08 2012-11-28 深圳市同洲电子股份有限公司 Authentication method, authentication system and corresponding terminal and headend equipment
CN105337979B (en) * 2015-11-17 2018-11-02 中国联合网络通信集团有限公司 Determine the method and system of discrimination weight time interval, the method and system of discrimination weight
CN106912045B (en) * 2017-01-03 2020-04-17 青岛海信电器股份有限公司 Smart television wireless fidelity Wi-Fi back connection method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1849003A (en) * 2005-07-21 2006-10-18 华为技术有限公司 Method for right discrimination to user
CN1941695A (en) * 2005-09-29 2007-04-04 华为技术有限公司 Method and system for generating and distributing key during initial access network process
CN101079705A (en) * 2006-05-24 2007-11-28 华为技术有限公司 Generation and distribution method and system of mobile IP secret key after second authentication
CN101136904A (en) * 2006-10-10 2008-03-05 中兴通讯股份有限公司 Method for notifying to initiate access authentication of access network authentication server

Also Published As

Publication number Publication date
CN101626569A (en) 2010-01-13
CN101626569B (en) 2012-12-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 09848206; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 09848206; Country of ref document: EP; Kind code of ref document: A1