WO2011082529A1 - 一种组临时密钥更新方法、装置和系统 - Google Patents

一种组临时密钥更新方法、装置和系统 Download PDF

Info

Publication number
WO2011082529A1
WO2011082529A1 PCT/CN2010/070062 CN2010070062W WO2011082529A1 WO 2011082529 A1 WO2011082529 A1 WO 2011082529A1 CN 2010070062 W CN2010070062 W CN 2010070062W WO 2011082529 A1 WO2011082529 A1 WO 2011082529A1
Authority
WO
WIPO (PCT)
Prior art keywords
access point
temporary key
update
key
group temporary
Prior art date
Application number
PCT/CN2010/070062
Other languages
English (en)
French (fr)
Inventor
胡建如
刘国平
颜林志
唐建文
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to CN201080003437.0A priority Critical patent/CN102217239B/zh
Priority to PCT/CN2010/070062 priority patent/WO2011082529A1/zh
Publication of WO2011082529A1 publication Critical patent/WO2011082529A1/zh

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/065Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key

Definitions

  • the present invention relates to a wireless local area network, and in particular, to a group temporary key update method, apparatus and system. Background technique
  • WLAN Wireless Local Area Network
  • WLAN Wireless Local Area Network
  • 802.11 is a wireless local area network standard established by the IEEE. Its architecture consists of: wireless station STA (station), wireless access point AP (access point), independent basic service group (IBSS), basic monthly service set Group BSS (basic service set), distributed system DS (distribution system) and extended service set ESS (extended service set).
  • the wireless station STA usually consists of a PC or a notebook computer plus a wireless network card, or an embedded device on a non-computer terminal that provides a wireless connection, such as an 802.11-enabled mobile phone.
  • a wireless access point AP can be thought of as a wireless hub. Its role is to provide a bridge between the STA and the existing backbone network (wired or wireless), providing wireless users with access to wired or wireless networks.
  • Group Transient Key In the 802.11 network, for the security of spatial information dissemination technology, Group Transient Key (GTK) is used to encrypt and decrypt broadcast and multicast packets. For security reasons, it is also necessary to periodically. And the occasional update group temporary key. In the existing thin AP solution, the group temporary key is updated based on the ESS granularity on the access control point AC (Access Control), and the current trigger group temporary key is updated.
  • GTK Group Transient Key
  • the AC periodically updates the group temporary key of the user (wireless station STA) managed by the ESS;
  • the AC responds to the request for updating the group temporary key triggered by the user in the ESS, and updates the multicast key for all users in the ESS.
  • the above update operations need to be performed on the access control point AC. Due to the characteristics of the WLAN network, each ESS managed on the AC includes many users. The user's online and offline lines are very frequent, so they are often triggered. The update operation of the group temporary key triggers the AC system to process these messages frequently, resulting in inefficient system performance, degraded performance, and even embarrassment. Summary of the invention
  • the embodiment of the invention provides a method, a device and a system for updating a group temporary key, so as to avoid a system performance bottleneck caused by the AC operation of the centralized frequent processing group temporary key update operation by the AC.
  • a group temporary key update method includes: dividing an access point into multiple virtual access points according to a service configuration request delivered by an access control point, each virtual access point having a service group identifier Calculating and saving the group temporary key based on the virtual access point granularity; receiving the group key update proxy request sent by the access control point, and performing group key update on the wireless station within the virtual access point range.
  • An access device where the device is divided into multiple virtual access points, the device includes: a detecting unit, configured to detect whether a specific virtual access point needs to update a group temporary key; Determining, by the detecting unit, that the specific virtual access point needs to update the group temporary key, determining a new group temporary key to be updated by the specific virtual access point; and an updating unit, configured to send the new group temporary key All online wireless stations within the range of the particular virtual access point are given group temporary key updates.
  • a detecting unit configured to detect whether a specific virtual access point needs to update a group temporary key
  • Determining, by the detecting unit, that the specific virtual access point needs to update the group temporary key determining a new group temporary key to be updated by the specific virtual access point
  • an updating unit configured to send the new group temporary key All online wireless stations within the range of the particular virtual access point are given group temporary key updates.
  • a communication system the system includes an access point and a wireless station, the access point is connected to the wireless station, and the access point is divided into multiple virtual access points, and the access point is used for detecting When a specific virtual access point needs to update the group temporary key, determine a new group temporary key to be updated by the specific virtual access point; and send the determined new group temporary key to all of the specific virtual access point range Online wireless sites for group temporary key updates.
  • the method, the device and the system provided by the embodiments of the present invention not only change the management position of the group key, but also transfer from the AC to the AP, and greatly reduce the network model under the centralized management of the thin AP.
  • the burden of the AC also changed the scope of the group key update, from the ESS level to the VAP level, which narrowed the scope of the update, reduced the traffic of the entire system network, and reduced the system oscillation.
  • FIG. 2 is a schematic structural diagram of a thin AC network
  • FIG. 3 is a flowchart of a STA accessing an AC through an AP according to an embodiment of the present invention
  • FIG. 5 is a flowchart of information authentication according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of a GTK update method according to an embodiment of the present invention.
  • FIG. 7 is a flowchart of another GTK update method according to an embodiment of the present invention.
  • FIG. 8 is a flowchart of another GTK update method according to an embodiment of the present invention.
  • FIG. 9 is a flowchart of another GTK update method according to an embodiment of the present invention.
  • FIG. 10 is a flowchart of another GTK update method according to an embodiment of the present invention.
  • FIG. 11 is a block diagram showing the composition of an apparatus according to an embodiment of the present invention.
  • FIG. 12 is a block diagram of a system composition according to an embodiment of the present invention. detailed description
  • FIG. 1 is a flowchart of a method for updating a group temporary key according to an embodiment of the present invention.
  • the method may be applied to an access point AP in a WLAN of a wireless local area network.
  • the method includes: Step 101: The access point AP is divided into multiple virtual access points.
  • FIG. 2 is a thin AP network structure.
  • the network architecture includes an access control point AC, each access point AP connected under AC controlled by the AC, and a wireless station device STA connected under each access point.
  • the VAP processing may be triggered after the AP receives the service configuration request from the AP.
  • the AP is divided into multiple virtual APs, that is, VAPs, according to the service type and service configuration parameters carried in the service configuration request.
  • Each VAP corresponds to a service group identifier (SSID), which is identified by an SSID.
  • SSID service group identifier
  • the AP determines the service type to be configured according to the service configuration request, and adds the service type to one or more existing VAPs.
  • the process of dividing the VAP on the AP may also be that the service support system is configured remotely through the management interface as needed, or may be configured by the operation and maintenance personnel through a configuration command line or a human-machine interface.
  • Each of the multiple VAPs on the AP may include one or more services.
  • the AP is divided into three VAPs, that is, VAP 1, VAP2, and VAP3, where VAP 1 only provides Internet access, VAP 2 The video service is provided only, and the VAP 3 provides both the Internet access and the video service.
  • VAP 1 only provides Internet access
  • VAP 2 The video service is provided only
  • VAP 3 provides both the Internet access and the video service.
  • the embodiment is not limited thereto. Because each VAP is logically independent, multiple VAPs do not affect each other, facilitating service operations, maintenance, and management.
  • the SSID of the VAP is used to identify the VAP, so that the wireless station can conveniently access the VAP corresponding to the SSID in the multiple VAPs of the AP after being scanned by the wireless network card to the SSID, so as to be associated with the AC. In order to enable the STA to access the network.
  • Step 102 Calculate a group temporary key based on VAP granularity on the AP;
  • multiple VAPs on the AP calculate respective group temporary keys, and one group temporary key corresponds to one VAP, and all STAs under the VAP share the temporary key, and the AC can no longer save based on the ESS.
  • the GMK (Group Master Key) and GTK information are calculated and saved on the AP based on the VAP granularity, that is, the AP calculates and saves a GMK and GTK information for each VAP. If there is a user (wireless station) offline or other reasons to update the group temporary key under the VAP, only the group temporary key (GTK) of the VAP needs to be updated, and all online users under the VAP are notified. In this way, the entire update process does not require AC participation, and each update involves only about 100 users.
  • Step 103 The AP sends the calculated group temporary key to all online users under the corresponding VAP to update the group temporary key of the VAP.
  • the AP receives the group key update proxy request sent by the AC, and responds to the group key update proxy request, determines a VAP that needs to update the group temporary key in the multiple VAPs, and groups all the online STAs in the determined VAP range. Key update.
  • detecting whether a temporary VAP update group temporary key needs to be requested by the AP detection AC is performed by the AP detection AC.
  • the AP detects the group key update proxy request sent by the AC, determines the VAP that needs to update the group temporary key, and updates the group temporary key within the determined VAP range.
  • detecting whether a temporary VAP update group temporary key needs to be detected on the AP is performed by the AP detecting the connection status of the STAs in the coverage area.
  • the AP detects that the specific STA in the coverage area changes from the online state to the offline state. If it is determined that the temporary key is required to be updated for the VAP to which the STA belongs, the group temporary key is updated within the VAP range to which the STA belongs.
  • the AC is not required to participate in the entire update process, which reduces the processing load of the AC.
  • the ESS of the original AC management includes all APs connected to it.
  • the scope of the update is lowered from the ESS level managed by the AC to the AP.
  • the VAP level reduces the scope of the update, thus reducing the traffic of the entire system network and reducing the system's oscillation.
  • FIG. 3 is a flowchart of a method according to an embodiment of the present invention when a STA accesses a network through an AP.
  • the access process includes:
  • Step 301 The STA scans the nearby wireless signal through the wireless network card on the STA to obtain a set of wireless access lists, that is, a set of service group identifiers SSIDs provided by the AP in this embodiment after dividing the VAP, the wireless station STA Select one of them to connect;
  • the STA selects an SSID for wireless connection, which can be completed by using the steps shown in FIG. 4, but this embodiment is not limited thereto.
  • the method includes:
  • Step 401 The STA sends an authentication request-open system to the AP.
  • the link verification request may also carry the SSID of the selected VAP and the user identifier of the STA.
  • Step 402 The AP receives the link verification request, performs link verification, and returns a link authentication response to the STA.
  • Step 403 After receiving the link authentication response returned by the AP, the STA sends an association request to the AC via the AP.
  • the association request may carry the SSID of the VAP selected by the STA and the user identifier of the STA.
  • Step 404 When the AC determines that the STA can access, establish an association relationship between the VAP and the STA on the AC, and return an association response to the STA, and allow the STA to access the wireless network, and the AC records the STA.
  • Association information such as the STA's MAC address, VAP, SSID, etc.
  • the association response may carry the association relationship between the STA and the VAP, such as the correspondence between the SSID and the STA.
  • the message of the interaction between the STA and the AC is forwarded by the AP, and the AP can intercept the association response. If the AC is determined to be successful, the association between the STA and the VAP is established on the AP according to the association between the VAP and the STA in the association response. At this point, the AP also stores the STA's MAC and VAP, SSID and other correspondence information, and the wireless link is already connected.
  • Step 302 After the wireless link is connected, the STA performs information authentication by using the AP and the AC.
  • the information authentication process may be implemented by using a four-way handshake process. During the four handshakes, the AC does not use the GTK. The information is sent to the STA. Referring to FIG. 5, the process includes the following steps:
  • Step 501 The AC sends a message 1 to the STA;
  • the message 1 includes a random value A-nonce, which is the first message in the four-way handshake message, which is the same as the existing 4-Way Handshake Message, and is not described here.
  • the STA returns some authentication information to the AC according to the ⁇ -nonce, which is the content of the prior art, and details are not described herein again.
  • nonce is to prevent the random value of the replay attack
  • A-nonce is the random number sent by the AC to the STA.
  • Step 502 The STA sends a message to the AC via the AP 2;
  • the message 2 includes a MAC address of the STA, a message authentication code MIC, and an S-nonce, where the MIC is a message authentication code that protects the message 2 from being tampered with, and the S-nonce represents a random number that the STA sends to the AC.
  • the message 2 is the second of the four-way handshake messages, which is the same as the existing 4-Way Handshake Message, and will not be described here.
  • the AC calculates a PTK (Pairwise Transient Key) based on the MAC address and S-nonce of the STA in the message 2, and the MAC address and A-nonce of the AC, and calculates the PTK according to the PTK.
  • the MIC compares the calculated MIC with the MIC in the message 2 to verify whether the STA is legal.
  • the method can be implemented by the prior art, and details are not described herein.
  • the STA is legal.
  • Step 503 The AC sends a message to the STA via the AP.
  • the message 3 includes the MIC check value of the AC and the encryption state of the AC. Similarly, the message 3 is the third message of the four-way handshake message, and the third message indicates that the AC verifies that the STA knows the PMK and the notification. STAAC prepares to install and use the data encryption key, which is the same as the existing 4-Way Handshake Message, and will not be described here.
  • the STA compares with the MIC of the MIC according to the MIC check value in the message 3 to determine whether the AC is a trusted party, and according to the encryption of the AC in the message 3. State, determine if the AC is ready to install and use a data encryption key.
  • Step 504 The STA sends a message to the AC via the AP 4;
  • the message 4 contains the key verification information. Similarly, the message 4 is the fourth of the four-way handshake messages, which is the same as the existing 4-Way Handshake Message. Let me repeat.
  • the AC determines, based on the message 4, that the key is preparing to be installed and starts encryption, and determines that the handshake process ends based on the message 4.
  • Step 303 After the information is successfully authenticated, after the access control point AC sends the PTK to the VAP, the VAP saves the PKT information, which is used to encrypt and decrypt the unicast message and start the GTK update.
  • the AC sends the calculated temporary temporary key PTK to the VAP, and after receiving the PTK by the VAP, the group temporary key update process is started.
  • the VAP initiates the update of the GTK, which can be implemented by the two-way handshake process. Please continue to refer to FIG. 5, the process includes:
  • Step 505 The AP sends a message to the STA 5;
  • the message 5 includes a group temporary key, which is a group key handshake message 1 (Group Key Handshake Message 1 ).
  • the AP sends a temporary key to the VAP, and the temporary key is sent to all the online STAs in the VAP range.
  • Step 506 The STA sends a message to the AP.
  • the message 6 is a response message of the message 5, which is a group key handshake message 2 (Group Key Handshake Message 2).
  • the STA after receiving the group temporary key, the STA updates the group temporary key, and returns the updated information to the AP through the message 6.
  • the message of the handshake process may be an EAPOL-Key (Extensible Authentication Protocol over LAN-Key) packet format, and the format of the existing EAPOL-Key packet.
  • EAPOL-Key Extensible Authentication Protocol over LAN-Key
  • the same including: description type, secret Key information, key length, repeat timer, Key Nonce, EAPOL-Key lV, key start sequence, key identifier, key MIC (16), key data length (2), key data (0 ...! 1) and other fields, where the description type field is 254, indicating that the message is a WPA1 message, the description type field is 2, and the message is WPA2; the key information field contains several fields.
  • the length of the key length field is expressed in bytes, primarily for pairwise keys, although the actual PTK is not in this Transmitted in the key frame, this is the length of the PTK, which is the target key;
  • the value of the repeating timer field grows with each message to detect any attack attempt to repeat the old message, when the message is an ACK request The exception is the response, in which case the repeated value of the "reply" is inserted into this field;
  • the current value of the Key Nonce field is used to derive the temporary paired key and the group key;
  • the EAPOL-Key IV field is used when For the transmission of the group key, GTK uses the EAPOL-Key encryption word along with the IV value for encryption.
  • the encrypted GTK is placed in the key data area; the key start sequence field is expected to be received after the key is installed.
  • the serial number of a frame This serial number is used to prevent repeated attacks.
  • the key identifier field is not in WPA. In the future it may be used to enable multiple keys to be established in advance; the key MIC field is an integrity check value.
  • the calculation range is from the EAPOL protocol version field to the end of the key material (this field is set to 0 during the calculation); the key data length field defines the length of the key data field in bytes, the key data field It may be different from the actual key itself; the key data field is data that needs to be transmitted secretly, for example, in the case of a group key, this is an encrypted GTK; in the case of some paired key information, this field carries a message Elements.
  • the 13-15 bit flag version and allows for different scheme and key encryption methods to be used in the future.
  • 4 ⁇ 9 bits are as follows
  • FIG. 6 is a flowchart of a method for an AP to perform group key update on all STAs in a VAP range accessed by a STA according to an active request of a STA according to an embodiment of the present invention. Referring to FIG. 6, the method includes:
  • Step 601 The AP receives the group temporary key update request of the STA, and the twelfth bit in the key information field in Table 1 is used to indicate whether it is a group key update message;
  • Step 602 The AP updates a group temporary key of the VAP accessed by the STA.
  • the AP may find the VAP associated with the STA according to the MAC address information in the group temporary key update request packet, and then search for the corresponding group temporary key according to the VAP; the local temporary key corresponding to the VAP identifier is stored locally. It is calculated and saved by the AP before receiving the group temporary key update request.
  • the temporary calculation method of the group is the content of the prior art, and will not be described again.
  • Step 603 The AP sends the packet of the updated group temporary key to all the online STAs in the VAP range accessed by the STA.
  • FIG. 7 is a flowchart of a method for performing group key update on all STAs in a VAP range that the STA originally accesses when the STA is offline when the STA is offline. Referring to FIG. 7, the method includes:
  • Step 701 The AP receives the de-association request of the STA. After the STA leaves the VAP, the AP sends a de-association packet to the AP. After receiving the packet, the AP deletes the information of the STA on the AP, and then notifies the AC to delete the previously saved STA information. , such as STA's MAC, VAP, SSID, etc.
  • Step 702 The AP updates a group temporary key of the VAP that the STA originally accesses.
  • the AP may find the VAP associated with the STA according to the MAC address information in the de-association request packet, and then search for the corresponding group temporary key according to the VAP.
  • the local temporary key corresponding to the VAP identifier is the AP.
  • the temporary calculation method of the group is the content of the prior art, and will not be described again.
  • Step 703 The AP sends the packet of the updated group temporary key to the STA in the VAP range that the STA originally accesses.
  • the AP triggers the update of the group temporary key of the STA within the VAP range.
  • FIG. 8 is a flowchart of a method for performing group key update on all STAs in the VAP range that the STA originally accesses when the STA is abnormally offline, according to FIG. 8 , the method includes:
  • Step 801 The AP detects whether the STA is offline
  • the AP can detect whether the STA is offline according to the packet traffic.
  • Step 802 The AP periodically checks whether the corresponding STA on the AP chip has traffic statistics. According to the MAC statistics of the STA, if the STA detects that the STA has no traffic, the AP considers that the STA is offline, and the AP updates the original access of the STA. Group temporary key of the VAP;
  • Step 803 The AP sends the packet of the updated group temporary key to all the online STAs in the VAP range that the STA originally accesses.
  • the AP triggers the update of the group temporary key of the STA within the VAP range.
  • FIG. 9 is a flowchart of a method for performing group key update on all STAs in a VAP range that the STA originally accesses when the STA roams according to the method provided by the embodiment of the present invention. Referring to FIG. 9, the method includes:
  • Step 901 The AP receives a de-association or de-authentication request of the STA.
  • the STA leaves the old VAP and goes to the new VAP authentication, and sends a de-association or authentication request to the old VAP.
  • Step 902 The AP updates a group temporary key of the VAP that the STA originally accesses;
  • the old VAP triggers the VAP after receiving the de-association or de-authentication request.
  • the STAs in the range perform group key update.
  • the AP may find the VAP associated with the STA according to the MAC address information in the de-association request or the de-authentication request packet, and then search for the corresponding group temporary key according to the VAP; the local temporary secret group corresponding to the VAP identifier is stored locally.
  • the key is calculated and saved by the AP before receiving the group temporary key update request.
  • the temporary calculation method of the group is the content of the prior art, and will not be described again.
  • Step 903 The AP sends a packet of the updated group temporary key to the STA in the VAP range that the STA originally accesses.
  • the AP proxy AC triggers the update of the group temporary key of the STA within the VAP range.
  • 10 is a flowchart of a method for updating a group key of all STAs in a VAP range by using an AP according to an embodiment of the present invention. Referring to FIG. 10, the method includes:
  • Step 1001 periodically update the group temporary key
  • Step 1002 Send the message of the updated group temporary key to the STA in the VAP range.
  • the AP updates the proxy request according to the group key of the AC.
  • the AP temporarily updates the group temporary key in the VAP range, because the AC does not need to participate in the entire update process. This reduces the processing load of the AC, and reduces the scope of the update from the ESS level to the VAP level, thereby reducing the traffic of the entire system network and reducing the system fluctuation.
  • FIG. 11 is a block diagram of an access device according to an embodiment of the present invention. Referring to FIG. 11, the device is divided into multiple virtual access points, and the device includes:
  • the detecting unit 111 is configured to detect whether a specific virtual access point needs to update a group temporary key.
  • the determining unit 112 is configured to determine, when the detecting unit 111 needs to update the group temporary key, that the specific virtual access point is to update the new group temporary key to be updated.
  • the updating unit 113 is configured to send the new group temporary key to the online wireless station in the specific virtual access point range to perform a group temporary key update.
  • the access device further includes a dividing unit 114, configured to divide a plurality of virtual access points on the access device according to a service configuration request of the access control point.
  • the detecting unit 111 may specifically include a first detecting module 1111 and a second detecting module 1112, where:
  • the first detecting module 1111 is configured to determine, when the wireless station goes offline according to the packet traffic, that the virtual access point to which the wireless station belongs needs to update the group temporary key.
  • the second detecting module 1112 is configured to determine that the virtual access point to which the wireless station belongs needs to update the group temporary key when detecting the de-association request or the de-authentication request sent by the wireless station.
  • the update unit 113 can also periodically send the new group temporary key to the wireless station under the virtual access point.
  • the device in this embodiment can be applied to an access point AP, and details are not described herein again.
  • the AP updates the proxy request according to the group key of the AC.
  • the AC temporarily updates the group temporary key in the VAP range, and the AC does not need to participate in the entire update process. This reduces the processing load of the AC, and reduces the scope of the update from the ESS level to the VAP level, thereby reducing the traffic of the entire system network and reducing the system fluctuation.
  • FIG. 12 is a block diagram of a communication system according to an embodiment of the present invention.
  • the system includes an access point (AP) 122 and a wireless station (STA) 123.
  • the AP 122 is divided into multiple virtual access points. , among them:
  • the AP 122 is configured to: when detecting that the specific virtual access point needs to update the group temporary key, determine a new group temporary key to be updated by the specific virtual access point; and send the determined new group temporary key to the specific virtual access All online wireless sites within the range for group temporary key updates.
  • the provided system may further include an access control point (AC) 121, where the AC 121 is configured to send a service configuration request to the AP 122, and the AP 122 may divide the AP 122 into multiple virtual access points according to the service configuration request. .
  • AC access control point
  • the AC 121 is configured to send a service configuration request and a group key update proxy request to the AP 122.
  • the access point 122 is configured to divide the AP 122 into multiple VAPs according to the service configuration request sent by the AC 121, for example, VAP1 VVAPn, where n is a positive integer, where each VAPi ( Ki ⁇ n) has a secret set.
  • the Key Update Agent requests to perform group key updates for wireless sites within the VA range.
  • the wireless station STA is physically connected to the access point 122, but since the access point 122 is divided into multiple virtual access points 12, the wireless station STA connected to the access point 122 is connected. They are also respectively associated with the plurality of virtual access points VAPi, that is, each virtual access point VPAi corresponds to a plurality of wireless stations.
  • the access point 122 may include the access device shown in FIG. 11. Since the communication device has been described in detail in the description of FIG. 11, it will not be described again.
  • the wireless station 123 is configured to receive the updated group temporary key delivered by the access point 122.
  • the wireless station 123 is a wireless station that is connected to the access point 122 and belongs to a range of a virtual access point VA, and may be multiple, depending on the access point 122 to the virtual access point. Divide and update requests. For example, if the access point 122 is divided into n virtual access point VAPs, that is, VAP1 VVAPn, according to the group key update proxy request of the access control point 121, the group key update needs to be performed on the STAs in the VAP1 range. Then, the access point 122 updates the group temporary key of the VAP1 and sends it to the STA in the range of VAP1.
  • the AP updates the proxy request according to the group key of the AC.
  • the AC temporarily updates the group temporary key in the VAP range, because the AC does not need to participate in the entire update process. This reduces the processing load of the AC, and reduces the scope of the update from the ESS level to the VAP level, thereby reducing the traffic of the entire system network and reducing the system fluctuation.
  • the WPA is divided into two standards, WPA1 and WAP2.
  • the technical solution of the embodiment of the present invention also optimizes the group key update process of WPA2.
  • the steps of a method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, a software module executed by a processor, or a combination of both.
  • the software module can be placed in random access memory (RAM), memory, read only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or technical field. Any other form of storage medium known.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Description

一种组临时密钥更新方法、 装置和系统
技术领域
本发明涉及无线局域网,尤其涉及一种组临时密钥更新方法、装置和系统。 背景技术
WLAN (Wireless Local Area Network, 无线局域网) 是 20世纪 90年代 计算机与无线通信技术相结合的产物, 它使用无线信道来接入网络, 为通信 的移动化, 个人化和多媒体应用提供了潜在的手段, 并成为宽带接入的有效 手段之一。
802.11是 IEEE制定的一个无线局域网标准, 其体系结构的组成包括: 无线站点 STA( station) ,无线接入点 AP( access point) ,独立基本服务组 IBSS ( independent basic service set) , 基本月艮务组 BSS (basic service set) , 分布式 系统 DS (distribution system) 禾口扩展月艮务组 ESS (extended service set)。 其 中,无线站点 STA通常由一台 PC机或笔记本计算机加上一块无线网卡构成, 也可以是非计算机终端上的能提供无线连接的嵌入式设备, 例如支持 802.11 的手机。 无线接入点 AP可以看成是一个无线的 Hub, 它的作用是提供 STA 和现有骨干网络(有线或无线的)之间的桥接, 为无线用户提供对有线或无 线网络的访问。
在 802.11网络中, 出于对空间信息传播技术的安全性考虑,会采用组临时 密钥 (Group Transient Key, GTK) 加密和解密广播和组播报文, 同样出于 安全性考虑,还需要定期和不定期的更新组临时密钥,在现有的瘦 AP方案 中, 组临时密钥是在接入控制点 AC (Access Control)上基于 ESS粒度进行更 新, 目前触发组临时密钥的更新有以下几点:
1、 AC定期更新其管理的 ESS内用户 (无线站点 STA) 的组临时密钥;
2、 AC响应 ESS内用户触发的更新组临时密钥的请求, 为该 ESS内所有用 户更新组播密钥。 以上的更新操作, 均需要在接入控制点 AC上完成, 由于 WLAN网络 的特点, 在 AC上管理的每一个 ESS包括很多用户, 用户的上线、 下线是很 频繁的现象, 因此会经常触发组临时密钥的更新操作, 由此触发 AC系统频 繁处理这些报文, 导致系统的效率低下, 性能下降, 甚至瘫痪。 发明内容
本发明实施例提供一种组临时密钥更新方法、 装置和系统, 以避免由 AC进行集中式频繁处理组临时密钥的更新操作带来的系统性能瓶颈问题。
本发明实施例的上述目的是通过如下技术方案实现的:
一种组临时密钥更新方法, 所述方法包括: 根据接入控制点下发的业务 配置请求将接入点划分为多个虚拟接入点, 每一个虚拟接入点具有一个服务 组标识符; 基于虚拟接入点粒度计算并保存组临时密钥; 接收接入控制点下 发的组密钥更新代理请求, 对虚拟接入点范围内的无线站点进行组密钥更新。
一种接入装置, 所述装置上划分有多个虚拟接入点, 所述装置包括: 检 测单元, 用于检测特定虚拟接入点是否需要更新组临时密钥; 确定单元, 用 于在所述检测单元检测到所述特定虚拟接入点需要更新组临时密钥时, 确定 该特定虚拟接入点待更新的新组临时密钥; 更新单元, 用于将所述新组临时 密钥发送给所述特定虚拟接入点范围内的所有在线无线站点以进行组临时 密钥更新。
一种通信系统, 所述系统包括接入点和无线站点, 所述接入点连接所述 无线站点, 所述接入点上划分有多个虚拟接入点, 所述接入点用于检测到特 定虚拟接入点需要更新组临时密钥时, 确定该特定虚拟接入点待更新的新组 临时密钥; 将确定的新组临时密钥发送给该特定虚拟接入点范围内的所有在 线无线站点以进行组临时密钥更新。
通过本发明实施例提供的方法、 装置和系统, 不仅改变了组密钥的管理 的位置, 由 AC转移到 AP, 在瘦 AP集中式管理的网络模型下, 极大的减轻 了 AC的负担, 还改变了组密钥更新的范围, 由 ESS级降到 VAP级, 缩小 了更新的范围, 减少了整个系统网络的流量, 减轻了系统的震荡。 附图说明
此处所说明的附图用来提供对本发明的进一歩理解, 构成本申请的一部 分, 并不构成对本发明的限定。 在附图中:
图 1为本发明实施例的方法流程图;
图 2为瘦 AC网络结构示意图;
图 3为本发明一实施例的 STA通过 AP接入 AC的流程图;
图 4为本发明一实施例的链路建立流程图;
图 5为本发明一实施例的信息认证流程图;
图 6为本发明实施例的一种 GTK更新方法流程图;
图 7为本发明实施例的另外一种 GTK更新方法流程图;
图 8为本发明实施例的另外一种 GTK更新方法流程图;
图 9为本发明实施例的另外一种 GTK更新方法流程图;
图 10为本发明实施例的另外一种 GTK更新方法流程图;
图 11为本发明实施例的装置组成框图;
图 12为本发明实施例的系统组成框图。 具体实施方式
为使本发明实施例的目的、 技术方案和优点更加清楚明白, 下面结合实 施例和附图, 对本发明实施例做进一歩详细说明。 在此, 本发明的示意性实 施例及其说明用于解释本发明, 但并不作为对本发明的限定。
图 1为本发明实施例提供的一种组临时密钥更新方法的流程图, 该方法 可以应用于无线局域网络 WLAN中接入点 AP, 请参照图 1, 该方法包括: 歩骤 101 : 将接入点 AP划分为多个虚拟接入点。
本实施例的方法可以应用于瘦 AP网络架构, 图 2为瘦 AP网络结构示 意图, 请参照图 2, 该网络架构包括接入控制点 AC、 由 AC集中控制的 AC 下连接的各个接入点 AP、 以及各个接入点下连接的无线站点设备 STA。
在本实施例中, 划分 VAP处理可以是 AP接收到接入控制点 AC向 AP 下发业务配置请求后触发。 接入点 AP根据该业务配置请求中携带的业务类 型、 业务配置参数等, 在 AP上划分多个虚拟 AP, 即 VAP, 每一个 VAP对 应一个服务组标识符 SSID, 即用一个 SSID标识。 AP根据业务配置请求确 定需要配置的业务类型, 将该业务类型添加到已有的一个或多个 VAP 中。 AP上划分 VAP的处理也可以是业务支撑系统根据需要通过管理接口远程配 置, 当然也可以是操作维护人员通过配置命令行或人机交互界面配置等。 其 中, AP上划分的多个 VAP中, 每一个 VAP可以包含一个或多个业务, 比如 AP上划分成 3个 VAPs, 即 VAP 1、 VAP2和 VAP3, 其中, VAP 1只提供上 网服务, VAP 2只提供视频服务, VAP 3既提供上网又提供视频服务等, 本 实施例并不以此作为限制。 由于每个 VAP逻辑上独立, 多个 VAP间互不影 响, 便于业务运营、 维护和管理。
在本实施例中, VAP的 SSID用于标识 VAP, 以便无线站点通过无线网 卡扫描到 SSID后, 可以便利地接入到 AP上多个 VAP中与该 SSID对应的 VAP, 以便与 AC进行关联, 以使 STA接入到网络。
歩骤 102: 在 AP上基于 VAP粒度计算组临时密钥;
在本实施例中, AP上多个 VAP计算各自对应的组临时密钥, 一个组 临时密钥对应一个 VAP, 该 VAP下的所有 STA公用该组临时密钥, AC上 可以不再保存基于 ESS 的 GMK (Group Master Key, 组主密钥)、 GTK信 息,而是在 AP上基于 VAP粒度进行计算并保存,也即 AP为每个 VAP计算 并保存一份 GMK、 GTK信息。 若该 VAP下有用户 (无线站点) 下线或者 其它原因需要更新组临时密钥时, 只需要更新该 VAP 的组临时密钥 (GTK) , 同时通告该 VAP下的所有在线用户。 这样整个更新过程就不需 要 AC 参与, 同时每次更新也只涉及最多 100 左右的用户。 歩骤 103: AP将计算得到的组临时密钥发送相应 VAP下的所有在线用 户以更新该 VAP的组临时密钥。
例如, AP接收 AC下发的组密钥更新代理请求, 响应该组密钥更新代 理请求, 确定多个 VAP中需要更新组临时密钥的 VAP, 对确定的 VAP范围 内的所有在线 STA进行组密钥更新。
在本实施例中, 在 AP上检测是否需要为该 AP上特定 VAP更新组临时 密钥, 以便触发更新该特定 VAP的处理。
在本发明的一实施例中,检测是否需要为该 AP上特定 VAP更新组临时 密钥是通过 AP检测 AC发送的组密钥更新代理请求实现的。 AP检测到 AC 发送的组密钥更新代理请求, 确定需要更新组临时密钥的 VAP, 在确定的 VAP范围内进行组临时密钥的更新。
在本发明的另一实施例中,检测是否需要为该 AP上特定 VAP更新组临 时密钥是通过 AP检测其覆盖区域内的 STA的连接状态实现的。 AP检测到 其覆盖区域内特定 STA从在线状态变成下线状态, 如果确定需要为该 STA 所属 VAP更新组临时密钥,在该 STA所属 VAP范围内进行组临时密钥的更新。
由于整个更新过程就不需要 AC 参与, 减轻了 AC的处理负担; 另外, 原 AC管理的 ESS包括其下连接的所有 AP, 本发明实施例中将更新的范围 由 AC管理的 ESS级降到 AP的 VAP级,缩小了更新的范围, 因此减少了整 个系统网络的流量, 减轻了系统的震荡。
图 3为 STA通过 AP接入网络时, AP根据本发明实施例提供的方法的 处理流程图, 请参照图 3, 该接入流程包括:
歩骤 301 : STA通过其上的无线网卡扫描附近的无线信号, 得到一组无 线接入列表, 也即本实施例的 AP在划分 VAP后提供的一组服务组标识符 SSID, 该无线站点 STA选择其中一个进行连接;
在本实施例中, 根据认证方式的不同, 需要输入密码、 提供证书等方式 证明是合法接入, 这些可以通过现有技术的方式实现, 在此不再赘述。 在本实施例中, STA选择一个 SSID进行无线连接可以通过图 4所示的 歩骤完成, 但本实施例并不以此作为限制, 请参照图 4, 该方法包括:
歩骤 401 : STA向 AP发送链路验证请求 (Authentication request-open system);
其中, 该链路验证请求中也可以携带选择的 VAP的 SSID和 STA的用 户标识。
歩骤 402: AP接收所述链路验证请求, 进行链路验证并向 STA返回链 路认证响应;
歩骤 403:接收到 AP返回的链路认证响应后, STA经由 AP向 AC发送 关联请求 ( Association request);
其中, 该关联请求中可以携带 STA选择的 VAP的 SSID和 STA的用户 标识。
歩骤 404: AC 决策该 STA可以接入时,在 AC上建立 VAP和所述 STA 的关联关系, 向所述 STA返回关联响应(Association response),允许该 STA 接入无线网络,同时 AC记录 STA的关联信息,如 STA的 MAC地址、 VAP、 SSID等。
其中, 关联响应中可以携带 STA和 VAP的关联关系, 如 SSID和 STA 的对应关系信息。 由于 STA和 AC间交互的消息都经由 AP转发, AP可以 截取关联响应, 如果确定 AC对 STA认证成功, 根据关联响应中的 VAP和 STA的关联关系在 AP上建立 STA和 VAP的关联。 至此, AP上也保存了 STA的 MAC和 VAP、 SSID等对应关系信息 , 此时无线链路已经接通。
歩骤 302: 无线链路接通后, STA经由 AP与 AC进行信息认证; 在本实施例中, 该信息认证过程可以通过四次握手过程实现, 在这四次 握手过程中, AC不将 GTK信息发送到 STA, 请参照图 5, 该过程包括如下 歩骤:
歩骤 501 : AC向 STA发送消息 1 ; 其中, 该消息 1包含一个随机值 A-nonce, 是四次握手消息中的第一个 消息, 与现有的四次握手消息(4-Way Handshake Message)相同, 在此不再 赘述。
在本实施例中, STA根据该 Α-nonce, 向 AC返回一些认证信息, 这是 现有技术的内容, 在此不再赘述。
其中, nonce 是为了防范重放攻击的随机值, A-nonce表示 AC发送给 STA的随机数。
歩骤 502: STA经由 AP向 AC发送消息 2;
其中,该消息 2包含 STA的 MAC地址、消息验证码 MIC以及 S-nonce, 其中, MIC是一个保护该消息 2不被篡改的消息验证码, S-nonce表示 STA 发送给 AC的随机数。 同样的, 该消息 2是四次握手消息中的第二个消息, 与现有的四次握手消息 (4-Way Handshake Message) 相同, 在此不再赘述。
在本实施例中, AC根据该消息 2中的 STA的 MAC地址和 S-nonce以 及 AC的 MAC地址和 A-nonce计算出 PTK (Pairwise Transient Key, 成对临 时密钥), 根据该 PTK计算出 MIC, 将计算出的 MIC与消息 2中的 MIC进 行比较, 以验证该 STA是否合法, 这里可以通过现有技术的手段实现, 在 此不再赘述。
在本实施例中, 如果验证的结果为计算出的 MIC与消息 2中的 MIC相 同, 则该 STA合法。
歩骤 503: AC经由 AP向 STA发送消息 3;
其中, 该消息 3包含 AC的 MIC校验值以及 AC的加密状态, 同样的, 该消息 3是四次握手消息中的第三个消息,第三个消息表明 AC核实 STA是 否知道 PMK, 以及通知 STAAC准备安装和使用数据加密密钥, 与现有的四 次握手消息 (4-Way Handshake Message) 相同, 在此不再赘述。
在本实施例中, STA根据该消息 3中的 MIC校验值, 与自己的 MIC进 行比较, 以确定 AC是否为可信任一方, 并根据该消息 3中的 AC的加密状 态, 确定该 AC是否已经准备安装和使用数据加密密钥。
歩骤 504: STA经由 AP向 AC发送消息 4;
其中, 该消息 4包含了密钥核实信息, 同样的, 该消息 4是四次握手消 息中的第四个消息, 与现有的四次握手消息(4-Way Handshake Message)相 同, 在此不再赘述。
在本实施例中, AC根据该消息 4, 确定密钥正准备安装和开始加密, 同时根据该消息 4确定握手过程结束。
歩骤 303 : 信息认证成功后, 接入控制点 AC下发 PTK到 VAP后, 由 VAP保存 PKT信息,用来对单播报文进行加密和解密,同时启动 GTK的更新。
在本实施例中, 经过 STA和 AC的四次握手过程, AC将计算获得的成 对临时密钥 PTK发送给 VAP, 由 VAP收到 PTK后,启动组临时密钥更新过程。
在本实施例中, VAP启动 GTK的更新, 可以通过两次握手过程实现, 请继续参照图 5, 该过程包括:
歩骤 505: AP向 STA发送消息 5 ;
其中, 该消息 5包含了组临时密钥, 其为组密钥握手消息 1 (Group Key Handshake Message 1 )。
在本实施例中, AP是以 VAP的粒度下发组临时密钥,也即在 VAP的范 围内, 向 VAP范围的所有在线 STA下发组临时密钥。
歩骤 506: STA向 AP发送消息 6;
其中, 消息 6为消息 5的响应消息, 其为组密钥握手消息 2 (Group Key Handshake Message 2 )。
在本实施例中, STA接收到组临时密钥后, 进行组临时密钥的更新, 并 通过消息 6向 AP返回更新完毕的信息。
在本实施例中, 握手过程的消息可以为 EAPOL-Key ( Extensible Authentication Protocol over LAN-Key, 基于局域网的扩展认证协议密钥)报 文, 格式和现有的 EAPOL-Key报文的报文格式一样, 包括: 描述类型、 密 钥信息、 密钥长度、 重复计时器、 Key Nonce、 EAPOL-Key lV, 密钥起始序 列、 密钥标志符、 密钥 MIC ( 16)、 密钥数据长度 (2)、 密钥数据 (0…! 1) 等字段, 其中, 描述类型字段为 254, 标志这个报文是 WPA1的报文, 描述 类型字段为 2, 标志这个报文是 WPA2的报文; 密钥信息字段包含了几个字 段,提供密钥类型和怎样使用的信息,也包含各种与握手过程相关的控制位; 密钥长度字段用字节表示的密钥长度, 主要对于成对密钥, 尽管实际的 PTK 没有在这个密钥帧中发送, 这是 PTK 的长度, 它是目标密钥; 重复计时器 字段的值随着每个消息而增长来探测任何以重复旧消息的攻击企图, 当这个 消息是一个 ACK请求的回应时例外, 在这个情况下, 那个被 "回复 " 的重 复值插入到此字段; Key Nonce字段的当前值用于派生出临时成对密钥和组 密钥; EAPOL-Key IV字段时用于对于组密钥的传输, GTK使用 EAPOL-Key 加密字连同这个 IV值进行加密, 这个加密过的 GTK放在密钥数据区; 密钥 起始序列字段在密钥安装后, 希望收到的第一个帧的序列号这个序列号用于 防止重复攻击; 密钥标志符字段没有于 WPA, 在将来它可能用于使能事先 建立多个密钥;密钥 MIC字段是一个完整性校验值,计算的范围是从 EAPOL 协议版本字段到密钥材料结束(在计算过程中, 这个字段置 0); 密钥数据长 度字段以字节为单位定义了密钥数据字段的长度, 密钥数据字段可以不同于 实际密钥本身; 密钥数据字段为需要秘密传送的数据, 例如, 在组密钥情况 下, 这是加密的 GTK; 在一些成对密钥信息情况下, 这个字段携带了一个 信息要素。
其中, 密钥信息字段说明如表一所示:
0-3 比特 目前未用置 0
4-9 比特 握手不同阶段的控制位
10-11 比特 密钥指数, 在组密钥的情况下指明密钥的索引。 这允许通过安装新的组密钥稍侯 进行更新。 新的组密钥的索引位置不同于现在的组密钥的索引位置
12 比特 密钥类型: 区分成对密钥和组密钥消息
13-15 比特 标志版本并且允许在将来使用不同的方案和密钥加密方法。 其中, 4~9 比特说明如表
Figure imgf000012_0002
Figure imgf000012_0001
图 6为根据本发明实施例提供的方法, AP根据 STA的主动请求对该 STA 接入的 VAP范围内的所有 STA进行组密钥更新的流程图, 请参照图 6, 该 方法包括:
歩骤 601 : AP接收 STA的组临时密钥更新请求, 表一中的密钥信息字 段中第十二个比特用来表明是否是组密钥更新报文;
歩骤 602: AP更新所述 STA接入的 VAP的组临时密钥;
AP可以根据组临时密钥更新请求报文中的 MAC地址信息,找到该 STA 关联的 VAP,根据 VAP再查找对应的组临时密钥;该存储在本地的与该 VAP 标识对应的组临时密钥是 AP在接收到组临时密钥更新请求之前, 自身计算 并保存的, 组临时的计算方法是现有技术的内容, 不再赘述。
歩骤 603: AP向所述 STA接入的 VAP范围内的所有在线 STA发送更新 后的组临时密钥的报文。
图 7为根据本发明实施例提供的方法, AP在 STA正常下线时对该 STA 原来接入的 VAP范围内的所有 STA进行组密钥更新的流程图, 请参照图 7, 该方法包括:
歩骤 701 : AP接收 STA的去关联请求: STA离开 VAP后, 会向 AP发 送去关联报文, AP收到报文后先删除 AP上该 STA的信息, 再通知 AC删 除之前保存的 STA信息, 如 STA的 MAC、 VAP, SSID等,
歩骤 702: AP更新所述 STA原来接入的 VAP的组临时密钥; AP可以根据去关联请求报文中的 MAC地址信息, 找到该 STA关联的 VAP, 根据 VAP再查找对应的组临时密钥; 该存储在本地的与该 VAP标识 对应的组临时密钥是 AP在接收到组临时密钥更新请求之前, 自身计算并保 存的, 组临时的计算方法是现有技术的内容, 不再赘述。
歩骤 703: AP向所述 STA原来接入的 VAP范围内的 STA发送更新后的 组临时密钥的报文。
由此, AP触发了 VAP范围内的 STA的组临时密钥的更新。
图 8为根据本发明实施例提供的方法, AP在 STA异常下线时对该 STA 原来接入的 VAP范围内的所有 STA进行组密钥更新的流程图, 请参照图 8, 该方法包括:
歩骤 801 : AP检测 STA是否下线;
在本实施例中, AP可以根据报文流量检测 STA是否下线。
歩骤 802: AP定期的检测 AP芯片上对应的 STA是否有流量统计, 芯 片上根据 STA的 MAC统计, 通过如果检测到 STA没有流量, 则认为 STA 下线, 则 AP更新该 STA原来接入的 VAP的组临时密钥;
歩骤 803: AP向所述 STA原来接入的 VAP范围内的所有在线 STA发送 更新后的组临时密钥的报文。
由此, AP触发了 VAP范围内的 STA的组临时密钥的更新。
图 9为根据本发明实施例提供的方法, AP在 STA漫游时对该 STA原来 接入的 VAP范围内的所有 STA进行组密钥更新的流程图, 请参照图 9, 该 方法包括:
歩骤 901 : AP接收 STA的去关联或去认证请求;
在本实施例中, STA离开了老的 VAP,去新的 VAP认证,会向老的 VAP 发出去关联或者去认证请求。
歩骤 902: AP更新所述 STA原来接入的 VAP的组临时密钥;
在本实施例中,老的 VAP收到该去关联或去认证请求后,触发这个 VAP 范围内的 STA进行组密钥更新。
AP可以根据去关联请求或去认证请求报文中的 MAC地址信息, 找到 该 STA关联的 VAP, 根据 VAP再查找对应的组临时密钥; 该存储在本地的 与该 VAP标识对应的组临时密钥是 AP在接收到组临时密钥更新请求之前, 自身计算并保存的, 组临时的计算方法是现有技术的内容, 不再赘述。
歩骤 903: AP向所述 STA原来接入的 VAP范围内的 STA发送更新后的 组临时密钥的报文。
由此, AP代理 AC触发了 VAP范围内的 STA的组临时密钥的更新。 图 10为根据本发明实施例提供的方法, AP定时更新 VAP范围内的所 有 STA的组密钥更新的流程图, 请参照图 10, 该方法包括:
歩骤 1001 : 定时更新组临时密钥;
歩骤 1002: 向 VAP范围内的 STA发送更新后的组临时密钥的报文。 通过本实施例的方法, AP根据 AC的组密钥更新代理请求, 在需要更 新组临时密钥时,代替 AC在 VAP范围内进行组临时密钥的更新, 由于整个 更新过程就不需要 AC 参与,减轻了 AC的处理负担,又由于更新的范围由 ESS级降到 VAP级, 缩小了更新的范围, 因此减少了整个系统网络的流量, 减轻了系统的震荡。
图 11为本发明实施例提供的接入装置组成框图, 请参照图 11, 该装置 上划分有多个虚拟接入点, 所述装置包括:
检测单元 111, 用于检测特定虚拟接入点是否需要更新组临时密匙。 确定单元 112, 用于在检测单元 111检测到特定虚拟接入点需要更新组 临时密匙时, 确定该特定虚拟接入点待更新的新组临时密匙。
更新单元 113, 用于将所述新组临时密匙发送给所述特定虚拟接入点范 围内在线无线站点以进行组临时密匙更新。
所述接入装置还包括划分单元 114, 用于根据接入控制点的业务配置请 求将在所述接入装置上划分多个虚拟接入点。 其中, 所述检测单元 111具体可以包括第一检测模块 1111和第二检测 模块 1112, 其中:
所述第一检测模块 1111 用于根据报文流量检测到无线站点下线时, 判 定所述无线站点所属的虚拟接入点需要更新组临时密匙。
所述第二检测模块 1112用于检测到无线站点发送的去关联请求或去认 证请求时, 确定所述无线站点所属的虚拟接入点需要更新组临时密钥。
所述更新单元 113还可以定时将新组临时密匙向虚拟接入点下的无线站 点发送。
本实施例的装置的各组成部分分别用于实现前述方法实施例的各方法 的歩骤, 由于在方法实施例中, 已经对各歩骤进行了详细说明,在此不再赘述。
本实施例的装置可以应用于接入点 AP, 在此不再赘述。
通过本实施例的装置, AP根据 AC的组密钥更新代理请求, 在需要更 新组临时密钥时,代替 AC在 VAP范围内进行组临时密钥的更新, 由于整个 更新过程就不需要 AC 参与,减轻了 AC的处理负担,又由于更新的范围由 ESS级降到 VAP级, 缩小了更新的范围, 因此减少了整个系统网络的流量, 减轻了系统的震荡。
图 12为本发明实施例提供的一种通信系统组成框图, 请参照图 12, 该 系统包括接入点 (AP ) 122以及无线站点 (STA) 123, AP 122上划分有 多个虚拟接入点, 其中:
AP 122用于检测到特定虚拟接入点需要更新组临时密钥时,确定该特定 虚拟接入点待更新的新组临时密钥; 将确定的新组临时密钥发送给该特定虚 拟接入点范围内的所有在线无线站点以进行组临时密钥更新。
所提供的系统还可以包括接入控制点 (AC) 121, 所述 AC 121用于向 AP 122下发业务配置请求, AP 122可以根据该业务配置请求将 AP 122划分 成多个虚拟接入点。
具体的, AC 121用于向 AP 122下发业务配置请求和组密钥更新代理请求。 接入点 122用于根据 AC 121下发的业务配置请求将 AP 122划分为多个 VAPs, 例如 VAPl〜VAPn, n为正整数, 其中, 每一个 VAPi ( Ki<n) 具 下发的组密钥更新代理请求, 对 VA 范围内的无线站点进行组密钥更新。
在本实施例中, 物理上, 无线站点 STA是与接入点 122相连, 但由于 接入点 122被划分为了多个虚拟接入点 12 , 因此, 连接到接入点 122下的 无线站点 STA也分别隶属于该多个虚拟接入点 VAPi, 也即每一个虚拟接入 点 VPAi对应多个无线站点。
在本实施例中, 接入点 122可以包含图 11所示的接入装置, 由于在图 11的说明中, 已经对该通信装置进行了详细说明, 在此不再赘述。
无线站点 123用于接收所述接入点 122下发的更新后的组临时密钥。 在本实施例中, 该无线站点 123是与接入点 122相连的属于某一虚拟接 入点 VA 的范围的无线站点, 可以是多个, 具体取决于接入点 122对虚拟 接入点的划分及更新请求。 例如, 如果接入点 122被划分为 n个虚拟接入点 VAP, 即 VAPl~VAPn, 根据接入控制点 121 的组密钥更新代理请求, 需要 对 VAP1范围内的 STA进行组密钥更新,则该接入点 122将 VAP1的组临时 密钥更新后下发到 VAP1范围内的 STA。
通过本实施例的系统, AP根据 AC的组密钥更新代理请求, 在需要更 新组临时密钥时,代替 AC在 VAP范围内进行组临时密钥的更新, 由于整个 更新过程就不需要 AC 参与,减轻了 AC的处理负担,又由于更新的范围由 ESS级降到 VAP级, 缩小了更新的范围, 因此减少了整个系统网络的流量, 减轻了系统的震荡。
本发明实施例提供的方法、 装置和系统, 与现有的组临时密钥更新方法 相比, 具有如下优势:
1、 改变了组密钥的管理的位置, 由 AC转移到 AP, 在瘦 AC集中式管 理的网络模型下, 极大的减轻了 AC的负担;
2、 改变了组密钥更新的范围, 由 ESS级降到 VAP级, 缩小了更新的范 围, 减少了整个系统网络的流量, 减轻了系统的震荡;
3、 WPA分为 WPA1和 WAP2两种标准, 本发明实施例的技术方案, 还 对 WPA2的组密钥更新流程做了优化。
结合本文中所公开的实施例描述的方法或算法的歩骤可以直接用硬件、 处理器执行的软件模块, 或者二者的结合来实施。 软件模块可以置于随机存 储器(RAM)、 内存、 只读存储器(ROM)、 电可编程 ROM、 电可擦除可编 程 ROM、 寄存器、 硬盘、 可移动磁盘、 CD-ROM、 或技术领域内所公知的 任意其它形式的存储介质中。
以上所述的具体实施例, 对本发明的目的、 技术方案和有益效果进行了 进一歩详细说明, 所应理解的是, 以上所述仅为本发明的具体实施例而已, 并不用于限定本发明的保护范围, 凡在本发明的精神和原则之内, 所做的任 何修改、 等同替换、 改进等, 均应包含在本发明的保护范围之内。

Claims

权利要求书
1 . 一种无线局域网络组临时密钥更新方法, 其特征在于, 所述方法包 括:
将接入点划分为多个虚拟接入点;
接入点检测到特定虚拟接入点需要更新组临时密钥, 确定该特定虚拟接 入点待更新的新组临时密钥;
接入点将确定的新组临时密钥发送给该特定虚拟接入点范围内的所有 在线无线站点以进行组临时密钥更新。
2. 根据权利要求 1所述的方法, 其特征在于, 确定该特定虚拟接入点 待更新的新组临时密钥的歩骤包括:
接入点根据本地配置的密钥更新策略计算所述特定虚拟接入点待更新 的新组临时密钥。
3. 根据权利要求 1所述的方法, 其特征在于, 所述方法还包括: 接入点接收接入控制点定期下发的虚拟接入点的组临时密钥, 利用该组 临时密钥更新本地数据库中虚拟接入点的服务组标识符和组临时密钥对应 关系表;
所述确定该特定虚拟接入点待更新的新组临时密钥的歩骤包括: 接入点获得特定虚拟接入点的服务组标识符, 从组临时密钥对应关系表 中查询与该特定虚拟接入点的服务组标识符匹配的最近更新的组临时密钥 作为新组临时密钥。
4. 根据权利要求 1至 3任一项所述的方法, 其特征在于,
接入点根据报文流量检测到特定无线站点下线, 确定所述无线站点所属 的虚拟接入点需要更新组临时密钥。
5. 根据权利要求 1至 3任一项所述的方法, 其特征在于,
接入点检测到特定无线站点发送的去关联请求或去认证请求, 确定所述 特定无线站点所属的虚拟接入点需要更新组临时密钥。
6. 一种接入装置, 其特征在于, 所述装置上划分有多个虚拟接入点, 所述装置包括:
检测单元, 用于检测特定虚拟接入点是否需要更新组临时密钥; 确定单元,用于在所述检测单元检测到所述特定虚拟接入点需要更新组 临时密钥时, 确定该特定虚拟接入点待更新的新组临时密钥;
更新单元,用于将所述新组临时密钥发送给所述特定虚拟接入点范围内 的所有在线无线站点以进行组临时密钥更新。
7. 根据权利要求 6所述的装置, 其特征在于, 所述检测单元具体包括: 第一检测模块, 用于根据报文流量检测到无线站点下线时, 判定所述无 线站点所属的虚拟接入点需要更新组临时密匙。
8. 根据权利要求 7所述的装置, 其特征在于, 所述检测单元还包括: 第二检测模块, 用于检测到无线站点发送的去关联请求或去认证请求, 确定所述无线站点所属的虚拟接入点需要更新组临时密钥。
9. 根据权利要求 7所述的装置, 其特征在于, 所述装置还包括划分单 元,所述划分单元用于根据接入控制点的业务配置请求将所述接入装置划分 为多个虚拟接入点。
10. 一种通信系统, 所述系统包括接入点和无线站点, 所述接入点连接 所述无线站点, 所述接入点上划分有多个虚拟接入点, 其特征在于:
所述接入点, 用于检测到特定虚拟接入点需要更新组临时密钥时, 确定 该特定虚拟接入点待更新的新组临时密钥; 将确定的新组临时密钥发送给该 特定虚拟接入点范围内的所有在线无线站点以进行组临时密钥更新。
11. 根据权利要求 10所述的系统, 其特征在于, 所述系统还包括接入 控制点, 用于向所述接入点下发业务配置请求和组密匙更新代理请求。
PCT/CN2010/070062 2010-01-08 2010-01-08 一种组临时密钥更新方法、装置和系统 WO2011082529A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201080003437.0A CN102217239B (zh) 2010-01-08 2010-01-08 一种组临时密钥更新方法、装置和系统
PCT/CN2010/070062 WO2011082529A1 (zh) 2010-01-08 2010-01-08 一种组临时密钥更新方法、装置和系统

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2010/070062 WO2011082529A1 (zh) 2010-01-08 2010-01-08 一种组临时密钥更新方法、装置和系统

Publications (1)

Publication Number Publication Date
WO2011082529A1 true WO2011082529A1 (zh) 2011-07-14

Family

ID=44305171

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/070062 WO2011082529A1 (zh) 2010-01-08 2010-01-08 一种组临时密钥更新方法、装置和系统

Country Status (2)

Country Link
CN (1) CN102217239B (zh)
WO (1) WO2011082529A1 (zh)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013034036A1 (zh) * 2011-09-07 2013-03-14 中兴通讯股份有限公司 标识网增量部署的方法和接入点
WO2014040466A1 (zh) * 2012-09-17 2014-03-20 中兴通讯股份有限公司 控制ap的方法和装置
US9788076B2 (en) 2014-02-28 2017-10-10 Alcatel Lucent Internet protocol television via public Wi-Fi network
CN108650673A (zh) * 2018-03-29 2018-10-12 新华三技术有限公司 一种报文处理方法及装置
US20210250760A1 (en) * 2018-12-27 2021-08-12 Panasonic Intellectual Property Corporation Of America Terminal, communication method, and recording medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2516284A (en) * 2013-07-18 2015-01-21 Here Global Bv Method and apparatus for classifying access points in a radio map
CN107257558B (zh) * 2017-07-25 2020-07-28 锐捷网络股份有限公司 报文转发方法及装置

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1455556A (zh) * 2003-05-14 2003-11-12 东南大学 无线局域网安全接入控制方法
US20040141617A1 (en) * 2001-12-20 2004-07-22 Volpano Dennis Michael Public access point
CN101222388A (zh) * 2007-01-12 2008-07-16 华为技术有限公司 一种确定接入点存在广播/多播缓存帧的方法和系统
CN101453409A (zh) * 2007-12-07 2009-06-10 中国移动通信集团公司 支持终端混合接入的信息广播方法及其装置和系统

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100023752A1 (en) * 2007-12-27 2010-01-28 Motorola, Inc. Method and device for transmitting groupcast data in a wireless mesh communication network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040141617A1 (en) * 2001-12-20 2004-07-22 Volpano Dennis Michael Public access point
CN1455556A (zh) * 2003-05-14 2003-11-12 东南大学 无线局域网安全接入控制方法
CN101222388A (zh) * 2007-01-12 2008-07-16 华为技术有限公司 一种确定接入点存在广播/多播缓存帧的方法和系统
CN101453409A (zh) * 2007-12-07 2009-06-10 中国移动通信集团公司 支持终端混合接入的信息广播方法及其装置和系统

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
P. CALHOUN, RFC5416 CONTROL AND PROVISIONING OF WIRELESS ACCESS POINTS (CAPWAP) PROTOCOL BINDING FOR IEEE 802.11, March 2009 (2009-03-01) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013034036A1 (zh) * 2011-09-07 2013-03-14 中兴通讯股份有限公司 标识网增量部署的方法和接入点
CN102984701A (zh) * 2011-09-07 2013-03-20 中兴通讯股份有限公司 标识网增量部署的方法和接入点
WO2014040466A1 (zh) * 2012-09-17 2014-03-20 中兴通讯股份有限公司 控制ap的方法和装置
US9788076B2 (en) 2014-02-28 2017-10-10 Alcatel Lucent Internet protocol television via public Wi-Fi network
CN108650673A (zh) * 2018-03-29 2018-10-12 新华三技术有限公司 一种报文处理方法及装置
US20210250760A1 (en) * 2018-12-27 2021-08-12 Panasonic Intellectual Property Corporation Of America Terminal, communication method, and recording medium
US11665534B2 (en) * 2018-12-27 2023-05-30 Panasonic Intellectual Property Corporation Of America Communication method between a terminal and an access point

Also Published As

Publication number Publication date
CN102217239A (zh) 2011-10-12
CN102217239B (zh) 2014-11-05

Similar Documents

Publication Publication Date Title
JP3869392B2 (ja) 公衆無線lanサービスシステムにおけるユーザ認証方法および該方法をコンピュータで実行させるためのプログラムを記録した記録媒体
AU2004244634B2 (en) Facilitating 802.11 roaming by pre-establishing session keys
EP2063567B1 (en) A network access authentication and authorization method and an authorization key updating method
US8037305B2 (en) Securing multiple links and paths in a wireless mesh network including rapid roaming
US7873352B2 (en) Fast roaming in a wireless network using per-STA pairwise master keys shared across participating access points
US8893246B2 (en) Method and system for authenticating a point of access
CA2490131C (en) Key generation in a communication system
US7158777B2 (en) Authentication method for fast handover in a wireless local area network
US8094821B2 (en) Key generation in a communication system
KR100991522B1 (ko) 휴대인터넷 시스템의 핸드오버용 보안 콘텍스트 전달 방법
RU2665064C1 (ru) Беспроводная связь, включающая в себя кадр обнаружения быстрого первоначального установления линии связи, fils, для сетевой сигнализации
US20190014531A1 (en) Network Access Permission Management Method and Related Device
WO2011082529A1 (zh) 一种组临时密钥更新方法、装置和系统
WO2012171184A1 (zh) 基于mac地址的wlan认证方法和装置
JP2002520708A (ja) テレコミュニケーションネットワークにおける認証
WO2007097101A1 (ja) 無線アクセスシステムおよび無線アクセス方法
US20190335331A1 (en) Method, apparatus, and system for performing authentication on terminal in wireless local area network
US7551914B2 (en) Authentication in a communication network
EP1645074B1 (en) Method and network for wlan session control
Chi et al. Fast handoff among ieee 802.11 r mobility domains
KR100654441B1 (ko) 무선 네트워크 접근 제어방법 및 장치
KR101068426B1 (ko) 통신시스템을 위한 상호동작 기능
Sun et al. Accelerated Authentication Utilizing Refined Neighbor Graph for Handoff in WLAN

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201080003437.0

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10841873

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10841873

Country of ref document: EP

Kind code of ref document: A1