WO2013064062A1 - Method and device for transmitting data packet - Google Patents


Info

Publication number
WO2013064062A1
Authority
WO
WIPO (PCT)
Prior art keywords
correspondence
data packet
encryption algorithm
information element
negotiation
Application number
PCT/CN2012/083804
Other languages
French (fr)
Chinese (zh)
Inventor
姚宗明
夏林峰
Original Assignee
华为技术有限公司

Classifications

    • (all entries under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE; H04W WIRELESS COMMUNICATION NETWORKS or H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII] (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 12/033 Protecting confidentiality of the user plane, e.g. user's traffic (under H04W 12/03 Protecting confidentiality, e.g. by encryption)
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L 63/04)
    • H04L 63/205 Network architectures or network communication protocols for managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (under H04L 63/20)
    • H04W 12/67 Risk-dependent, e.g. selecting a security level depending on risk profiles (under H04W 12/60 Context-dependent security)
    • H04W 84/12 WLAN [Wireless Local Area Networks] (under H04W 84/10 Small scale networks; Flat hierarchical networks, and H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN or WLL [Wireless Local Loop])

Definitions

  • Embodiments of the present invention relate to the field of communications, and more particularly, to a method and apparatus for transmitting data packets.
Background technique
  • IEEE (Institute of Electrical and Electronics Engineers) 802.11 technology defines a common MAC (Medium Access Control) layer for multiple PHYs (Physical Layers) to build standard WLANs.
  • the main task of the MAC is to establish addressing and channel access control mechanisms for the multiple stations in the same network, making communication between multiple stations possible.
  • BSS Basic Service Set
  • AP Access Point
  • ESS Extended Service Set
  • STAs can also form a self-organized network and communicate directly with each other.
  • this network is an independent BSS or IBSS (Independent Basic Service Set).
  • IEEE 802.11i is a wireless security protocol and is a general principle.
  • TKIP Temporal Key Integrity Protocol
  • CCMP Counter Mode/CBC-MAC Protocol
  • AES Advanced Encryption Standard
  • CCMP is based on a "chain" mode, which requires processing 16-byte blocks in order, because the chain-encrypted mode requires the output of the previous stage as the source for the input of the next stage.
  • IEEE 802.11ac and IEEE 802.11ad have higher data rates and have had a significant impact on network protocols in other related fields.
  • CCMP may not meet the requirements.
  • a new protocol, GCMP (Galois/Counter Mode Protocol).
  • EDCA Enhanced Distributed Channel Access
  • DCF Distributed Coordinator Function
  • QoS (quality of service) priority
  • the EDCA mechanism defines four access categories (AC) based on data priority from low to high: AC_BK (background), AC_BE (best effort), AC_VI (video) and AC_VO (voice).
  • AC_BK and AC_BE carry data with low real-time requirements.
  • for AC_VI and AC_VO, the amount of data is large and the real-time requirements are quite high.
  • the existing IEEE 802.11ac protocol specifies the encryption algorithm as follows: in an ESS, the AP informs the associated VHT (Very High Throughput) STAs that it supports CCMP encryption, for example in the beacon sent by the AP or in the probe response, which carries HT (High Throughput) capability information or VHT capability information.
  • therefore, the VHT STA can only use the CCMP encryption algorithm as the sole choice of encryption algorithm, which may delay data packet transmission and creates a contradiction between the security and the real-time transmission of data packets.
Summary of the invention
  • the embodiments of the present invention provide a method and a device for transmitting a data packet, which can resolve the contradiction between the security and real-time performance of the data packet transmission, and improve the transmission efficiency of the data packet.
  • a method for transmitting a data packet, including: determining an access category of the data packet; determining an encryption algorithm of the data packet according to the correspondence between the access category and the encryption algorithm determined by negotiation with the receiving end; encrypting the data packet using the encryption algorithm of the data packet; and transmitting the encrypted data packet to the receiving end.
  • a method for transmitting a data packet, including: receiving an encrypted data packet from a transmitting end; determining an access category of the data packet; determining an encryption algorithm of the data packet according to the correspondence between the access category and the encryption algorithm determined by negotiation with the transmitting end; and decrypting the data packet using the encryption algorithm of the data packet.
  • an apparatus for transmitting a data packet, including: a first determining unit, configured to determine an access category of the data packet; a second determining unit, configured to determine an encryption algorithm of the data packet according to the correspondence between the access category and the encryption algorithm determined by negotiation with the receiving end; an encryption unit, configured to encrypt the data packet using the encryption algorithm of the data packet; and a sending unit, configured to send the encrypted data packet to the receiving end.
  • an apparatus for transmitting a data packet, including: a receiving unit, configured to receive an encrypted data packet from a transmitting end; a category determining unit, configured to determine an access category of the data packet; an algorithm determining unit, configured to determine an encryption algorithm of the data packet according to the correspondence between the access category and the encryption algorithm determined by negotiation with the transmitting end; and a decryption unit, configured to decrypt the data packet using the encryption algorithm of the data packet.
  • the embodiment of the present invention can solve the contradiction between the security and the real-time performance of the data packet transmission by configuring the corresponding encryption algorithm for the data packets of different access categories, and improve the transmission efficiency of the data packet.
  • FIG. 1 is a schematic flow chart of a method of transmitting a data packet according to an embodiment of the present invention.
  • FIG. 2 is a schematic flow chart of a method of transmitting a data packet according to another embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a process of transmitting a data packet according to another embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a format of a negotiation information element according to an embodiment of the present invention.
  • FIG. 5 is a block diagram of an apparatus for transmitting data packets in accordance with one embodiment of the present invention.
  • FIG. 6 is a block diagram of an apparatus for transmitting a data packet in accordance with another embodiment of the present invention.
Detailed description
  • FIG. 1 is a schematic flow chart of a method of transmitting a data packet according to an embodiment of the present invention.
  • the method of Figure 1 is performed by a transmitting end, for example, the transmitting end may be a station in a wireless local area network, such as a STA defined in a WLAN.
  • the access category can be one of the four access categories in the EDCA mechanism: AC_BK (background), AC_BE (best effort), AC_VI (video) and AC_VO (voice).
  • the sending end may negotiate with the receiving end to determine the correspondence between the access category of the data packet and the encryption algorithm; for example, the sending end and the receiving end may determine the correspondence by negotiation during the probe request/probe response and/or association request/association response exchange, or by negotiation through newly added dedicated signalling.
  • for example, the sending end may send a probe request to the receiving end and determine the correspondence by negotiation with the receiving end in that process.
  • the sending end may generate a first negotiation information element, where the first negotiation information element indicates the first correspondence, and sends the first negotiation information element to the receiving end.
  • the sender may send the first negotiation information element when sending a probe request or an association request to the receiving end.
  • the sending end may receive a response message returned by the receiving end, where the response message carries a second negotiation information element from the receiving end and the second negotiation information element indicates a second correspondence; the sending end then determines the correspondence according to the first correspondence and the second correspondence.
  • the sending end may also receive an acknowledgement message returned by the receiving end for confirming acceptance of the first negotiation information element.
  • the sender may receive the response message or the acknowledgement message returned by the receiving end in the probe response or association response that answers the sender's probe request or association request.
  • the receiving end may also not return any response message, in which case the first negotiation information element of the sending end is accepted by default.
  • the embodiments of the invention are not limited in this respect.
  • if the second correspondence is the same as the first correspondence, the sending end determines that the correspondence is the first correspondence (or, equivalently, the second correspondence); if the second correspondence is different from the first correspondence, the sender determines that the correspondence is the second correspondence.
  • the access class with higher real-time performance may correspond to a less complex encryption algorithm.
  • the access category AC-VI or AC-VO has higher real-time requirements.
  • a less complex encryption algorithm such as TKIP or GCMP can be used.
  • the access category AC_BK or AC_BE has lower requirements for real-time performance.
  • more complex encryption algorithms such as CCMP can be used.
  • the sender and the receiver can take each other's security configuration into account and negotiate the encryption algorithm for the data packets of each access category.
  • embodiments of the present invention are not limited to the specific categories and specific algorithms described above.
  • the sending end may negotiate with the receiving end to determine a key corresponding to the encryption algorithm in the correspondence; for example, for each encryption algorithm in the correspondence, the sending end and the receiving end separately calculate and negotiate the unicast and multicast keys corresponding to that encryption algorithm.
  • the sending end may use the key corresponding to the encryption algorithm, determined by negotiation with the receiving end, to encrypt the data packet according to the encryption algorithm of the data packet determined in 120, and then update the key for the next packet encryption.
  • the embodiment of the present invention can solve the contradiction between the security and the real-time performance of the data packet transmission by configuring the corresponding encryption algorithm for the data packets of different access categories, and improve the transmission efficiency of the data packet.
  • FIG. 2 is a schematic flow chart of a method of transmitting a data packet according to another embodiment of the present invention.
  • the method of Figure 2 is performed by the receiving end.
  • the receiving end can be an access point in a wireless local area network, such as an AP defined in a WLAN.
  • the access category can be one of the four access categories in the EDCA mechanism: AC_BK (background), AC_BE (best effort), AC_VI (video) and AC_VO (voice).
  • embodiments of the present invention are not limited to the specific access categories described above.
  • the receiving end may negotiate with the sending end to determine the correspondence between the access category of the data packet and the encryption algorithm; for example, the receiving end and the transmitting end may determine the correspondence by negotiation during the probe request/probe response and/or association request/association response exchange, or by negotiation through newly added dedicated signalling.
  • for example, the receiving end may determine the correspondence by negotiating with the transmitting end while generating a probe response or an association response.
  • the receiving end may receive the first negotiation information element from the sending end, where the first negotiation information element indicates the first correspondence; according to the first correspondence, the receiving end generates the second negotiation information element, where the second negotiation information element indicates the second correspondence; the receiving end then returns a response message carrying the second negotiation information element to the sending end.
  • the receiving end can also return to the sender an acknowledgement message for confirming acceptance of the first negotiation information element.
  • the receiving end may send the response message carrying the second negotiation information element, or the acknowledgement message for confirming acceptance of the first negotiation information element, to the transmitting end in the probe response or association response sent to the sending end.
  • the receiving end may also not return any response message, in which case the first negotiation information element of the sending end is accepted by default.
  • the embodiments of the present invention are not limited in this respect.
  • if the receiving end accepts the first correspondence, the second correspondence is the same as the first correspondence; if the receiving end does not accept the first correspondence, the second correspondence is different from the first correspondence. For example, if the receiving end does not support an encryption algorithm in the correspondence indicated by the first negotiation information element of the transmitting end, or the configuration does not correspond, the receiving end configures a corresponding encryption algorithm for the data packets of each access category according to its own situation, thereby establishing a second correspondence, and generates a second negotiation information element to indicate the second correspondence.
  • the access class with higher real-time performance may correspond to a lower complexity encryption algorithm.
  • the access category AC-VI or AC-VO has higher real-time requirements.
  • a less complex encryption algorithm such as TKIP or GCMP can be used.
  • the access category AC_BK or AC_BE has lower requirements for real-time performance.
  • more complex encryption algorithms such as CCMP can be used. The sender and the receiver can take each other's security configuration into account and negotiate the encryption algorithm for the data packets of each access category.
  • the receiving end may negotiate with the sending end to determine a key corresponding to the encryption algorithm in the correspondence; for example, for each encryption algorithm in the correspondence, the receiving end and the sending end separately calculate and negotiate the unicast and multicast keys corresponding to that encryption algorithm.
  • the receiving end may use the key corresponding to the encryption algorithm in the correspondence, determined by negotiation with the sending end, to decrypt the data packet according to the encryption algorithm of the data packet determined in 230, and then update the key for the next packet decryption.
  • the embodiment of the present invention can solve the contradiction between the security and the real-time performance of the data packet transmission by configuring the corresponding encryption algorithm for the data packets of different access categories, and improve the transmission efficiency of the data packet.
  • FIG. 3 is a schematic flowchart of a process of transmitting a data packet according to another embodiment of the present invention.
  • the sending end of the data packet is the STA defined in the WLAN and the receiving end is the AP defined in the WLAN, as an example.
  • STAs and APs in a BSS work in two modes of operation, MU-MIMO (Multiple User MIMO) mode and SU-MIMO (Single User MIMO) mode.
  • MU-MIMO mode the AP simultaneously transmits data to multiple STAs or simultaneously receives data from multiple STAs.
  • SU-MIMO mode the AP transmits and receives data to and from only one STA at a time. Embodiments of the invention are applicable to either mode.
  • the STA generates a first negotiation information element, where the first negotiation information element indicates a first correspondence between the access category of the data packet and the encryption algorithm.
  • the STA sends a first negotiation information element to the AP.
  • the STA may send the first negotiation information element to the AP when sending a probe request or an association request to the AP.
  • the AP generates, according to the received first negotiation information element from the STA, a second negotiation information element, where the second negotiation information element indicates a second correspondence between the access category of the data packet and the encryption algorithm.
  • if the AP accepts the first correspondence from the STA, the second correspondence is the same as the first correspondence; if the AP does not accept the first correspondence from the STA, the AP establishes the second correspondence according to its own situation and generates the second negotiation information element to indicate the second correspondence.
  • the AP returns a response message carrying the second negotiation information element to the STA.
  • the AP may return the response message carrying the second negotiation information element to the STA in the probe response or association response sent to the STA; alternatively, the AP may return an acknowledgement message accepting the first negotiation information element, or the AP may not return any message, in which case the first negotiation information element of the STA is accepted by default.
  • the embodiments of the present invention are not limited in this respect.
  • the STA determines, according to the response message carrying the second negotiation information element returned by the AP, the correspondence between the access category of the data packet and the encryption algorithm.
  • if the second correspondence is the same as the first correspondence, the STA determines that the correspondence is the first correspondence (or, equivalently, the second correspondence); if the second correspondence is different from the first correspondence, the STA determines that the correspondence is the second correspondence.
  • the access class with higher real-time performance may correspond to a less complex encryption algorithm.
  • the access category AC-VI or AC-VO has higher real-time requirements.
  • a less complex encryption algorithm such as TKIP or GCMP can be used.
  • the access category AC_BK or AC_BE has lower requirements for real-time performance, so in order to achieve higher security a more complex encryption algorithm such as CCMP can be used.
  • the sender and the receiver can take each other's security configuration into account and negotiate the encryption algorithm for the data packets of each access category.
  • the STA and the AP negotiate to determine a key corresponding to the encryption algorithm in the correspondence.
  • for each encryption algorithm in the correspondence, the unicast and multicast keys corresponding to that encryption algorithm are separately calculated and negotiated; they are used to encrypt or decrypt data packets when data packets are sent or received between the STA and the AP.
  • before sending a data packet to the AP, the STA determines an access category of the data packet.
  • the STA determines an encryption algorithm of the data packet according to the correspondence determined by the negotiation with the AP.
  • the STA encrypts the data packet by using an encryption algorithm of the data packet.
  • the STA may encrypt the data packet using a key corresponding to the encryption algorithm that has been negotiated with the AP.
  • the STA then updates the key for the next packet encryption.
  • the STA sends an encrypted data packet to the AP.
  • after receiving the encrypted data packet from the STA, the AP determines an access category of the data packet.
  • the AP determines an encryption algorithm of the data packet according to the correspondence determined by negotiation with the STA.
  • the AP decrypts the data packet by using the encryption algorithm of the data packet.
  • the AP may decrypt the data packet using the key corresponding to the encryption algorithm that has been negotiated with the STA. The AP then updates the key for the next packet decryption.
  • the embodiment of the present invention can solve the contradiction between the security and the real-time performance of the data packet transmission by configuring the corresponding encryption algorithm for the data packets of different access categories, and improve the transmission efficiency of the data packet.
  • FIG. 4 is a schematic diagram of a format of a negotiating information element according to an embodiment of the present invention.
  • the information element ID identifies the information element as a negotiation information element; the length field gives the total length of the fields in the negotiation information element other than the information element ID field and the length field; the AC_VI encryption algorithm, AC_VO encryption algorithm, AC_BE encryption algorithm and AC_BK encryption algorithm fields respectively indicate the encryption algorithm corresponding to each access category, for example 0 means no encryption, 1 means TKIP, 2 means GCMP, 3 means CCMP, and 4 to 255 are reserved and not used for now.
  • the negotiation information element in the embodiment of the present invention can solve the contradiction between the security and the real-time performance of the data packet transmission by indicating the encryption algorithm corresponding to different access categories, and improve the transmission efficiency of the data packet.
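As an added illustration (not code from the patent or from its assignee), the following Python encodes and parses the FIG. 4 negotiation information element and runs the STA/AP exchange of FIG. 3 over that encoding; the element ID value, the AP's preference order and the local allow-list in `check_policy` are assumptions the patent does not state.

```python
import struct
from typing import Dict, List, Optional

# Assumed element ID for the negotiation IE; the patent does not give its value.
NEG_IE_ID = 0xDD
ALG_NONE, ALG_TKIP, ALG_GCMP, ALG_CCMP = 0, 1, 2, 3          # codes from FIG. 4
ALG_NAME = {ALG_NONE: "none", ALG_TKIP: "TKIP", ALG_GCMP: "GCMP", ALG_CCMP: "CCMP"}
AC_ORDER = ("AC_VI", "AC_VO", "AC_BE", "AC_BK")               # field order as described for FIG. 4

Correspondence = Dict[str, int]


def build_neg_ie(corr: Correspondence) -> bytes:
    """Serialise {AC: algorithm code} as ID | Length | AC_VI | AC_VO | AC_BE | AC_BK."""
    body = []
    for ac in AC_ORDER:
        code = corr[ac]
        if not 0 <= code <= ALG_CCMP:
            raise ValueError(f"{ac}: code {code} is reserved (4..255) or invalid")
        body.append(code)
    return struct.pack("BB", NEG_IE_ID, len(body)) + bytes(body)


def parse_neg_ie(data: bytes) -> Correspondence:
    """Parse the IE, rejecting a wrong ID, a length that disagrees with the body,
    and reserved algorithm codes, so a malformed element never yields a correspondence."""
    if len(data) < 2:
        raise ValueError("truncated IE header")
    ie_id, length = struct.unpack("BB", data[:2])
    if ie_id != NEG_IE_ID:
        raise ValueError(f"not a negotiation IE (id {ie_id:#04x})")
    if length != len(AC_ORDER) or len(data) != 2 + length:
        raise ValueError("length field does not match the element body")
    corr = {}
    for ac, code in zip(AC_ORDER, data[2:]):
        if code > ALG_CCMP:
            raise ValueError(f"{ac}: code {code} is reserved")
        corr[ac] = code
    return corr


def ap_second_correspondence(first: Correspondence, supported: set,
                             preference: List[int]) -> Correspondence:
    """Receiver side: keep the STA's algorithm for an AC when the AP supports it,
    otherwise substitute the AP's own preferred supported algorithm (order assumed)."""
    second = {}
    for ac in AC_ORDER:
        if first[ac] in supported:
            second[ac] = first[ac]
        else:
            second[ac] = next(code for code in preference if code in supported)
    return second


def resolve_correspondence(first: Correspondence,
                           second: Optional[Correspondence]) -> Correspondence:
    """Sender side: no response -> first (accepted by default); second == first -> first;
    otherwise the receiver's second correspondence becomes the negotiated one."""
    if second is None or second == first:
        return first
    return second


def check_policy(corr: Correspondence, allowed: Dict[str, set]) -> List[str]:
    """Assumed local check, not part of the patent: list the ACs whose negotiated
    algorithm is outside the local allow-list (e.g. 'no encryption' on any AC)."""
    return [ac for ac in AC_ORDER if corr[ac] not in allowed[ac]]


def negotiate(first, ap_supported, ap_preference, allowed):
    """Run the FIG. 3 exchange end to end over the wire encoding and return
    (negotiated correspondence, ACs rejected by local policy)."""
    ie_out = build_neg_ie(first)                            # STA -> AP in probe/association request
    second = ap_second_correspondence(parse_neg_ie(ie_out), ap_supported, ap_preference)
    ie_back = build_neg_ie(second)                          # AP -> STA in probe/association response
    negotiated = resolve_correspondence(first, parse_neg_ie(ie_back))
    return negotiated, check_policy(negotiated, allowed)


if __name__ == "__main__":
    # Constructed sample: STA proposes GCMP for VI/VO and CCMP for BE/BK.
    sta_first = {"AC_VI": ALG_GCMP, "AC_VO": ALG_GCMP, "AC_BE": ALG_CCMP, "AC_BK": ALG_CCMP}
    policy = {ac: {ALG_GCMP, ALG_CCMP} for ac in AC_ORDER}  # constructed: never accept none/TKIP
    result, rejected = negotiate(sta_first, {ALG_TKIP, ALG_CCMP}, [ALG_CCMP, ALG_TKIP], policy)
    print({ac: ALG_NAME[c] for ac, c in result.items()}, rejected)
```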
  • FIG. 5 is a block diagram of an apparatus for transmitting data packets in accordance with one embodiment of the present invention.
  • An example of the device 500 of Figure 5 is a transmitting end, such as a station or access point in a wireless local area network, such as a STA or AP defined in a WLAN.
  • the device 500 includes: a first determining unit 510, a second determining unit 520, an encrypting unit 530, and a transmitting unit 540.
  • the first determining unit 510 determines an access category of the data packet.
  • the second determining unit 520 determines the encryption algorithm of the data packet according to the correspondence between the access category and the encryption algorithm of the data packet determined by negotiation with the receiving end.
  • the encryption unit 530 is configured to encrypt the data packet by using an encryption algorithm of the data packet.
  • the sending unit 540 is configured to send the encrypted data packet to the receiving end.
  • the embodiment of the present invention can solve the contradiction between the security and the real-time performance of the data packet transmission by configuring the corresponding encryption algorithm for the data packets of different access categories, and improve the transmission efficiency of the data packet.
  • the device 500 may further include a negotiation determining unit 550, configured to determine the correspondence by negotiating with the receiving end.
  • the negotiation determining unit 550 may receive a response message returned by the receiving end, where the response message carries a second negotiation information element from the receiving end and the second negotiation information element indicates the second correspondence, and determine the correspondence according to the first correspondence and the second correspondence.
  • the negotiation determining unit 550 is further configured to determine that the correspondence is the first correspondence (or, equivalently, the second correspondence) if the second correspondence is the same as the first correspondence, or to determine that the correspondence is the second correspondence if the second correspondence is different from the first correspondence.
  • FIG. 6 is a block diagram of an apparatus for transmitting a data packet in accordance with another embodiment of the present invention.
  • An example of the device 600 of Figure 6 is a receiving end, such as a station or access point in a wireless local area network, such as a STA or AP defined in a WLAN.
  • the device 600 includes: a receiving unit 610, a class determining unit 620, an algorithm determining unit 630, and a decrypting unit 640.
  • the receiving unit 610 receives the encrypted data packet from the transmitting end.
  • the category determining unit 620 determines an access category of the data packet.
  • the algorithm determining unit 630 determines an encryption algorithm of the data packet according to the correspondence between the access category and the encryption algorithm of the data packet determined by negotiation with the transmitting end.
  • the decryption unit 640 decrypts the data packet using the encryption algorithm of the data packet.
  • the embodiment of the present invention can solve the contradiction between the security and the real-time performance of the data packet transmission by configuring the corresponding encryption algorithm for the data packets of different access categories, and improve the transmission efficiency of the data packet.
  • the device 600 may further include a negotiation determining unit 650.
  • the negotiation determining unit 650 may receive the first negotiation information element from the sending end, where the first negotiation information element indicates the first correspondence, generate the second negotiation information element according to the first correspondence, where the second negotiation information element indicates the second correspondence, and return a response message carrying the second negotiation information element to the sending end.
  • a communication system may include the above-described device 500 or device 600.
  • the disclosed systems, devices, and methods may be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be other division manners; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or otherwise.
  • the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solution of the embodiment.
  • each functional unit in various embodiments of the present invention may be integrated in one processing unit. It is also possible that each unit physically exists alone, or two or more units may be integrated in one unit.
  • the functions, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer readable storage medium.
  • the technical solution of the present invention which is essential or contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium, including
  • the instructions are used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes: a U disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like, which can store program code.

Abstract

Embodiments of the present invention provide a method and device for transmitting a data packet. The method comprises: determining an access type of a data packet; according to the correlation between the access type and an encryption algorithm of the data packet negotiated with a receiver, determining an encryption algorithm of the data packet; using the encryption algorithm of the data packet to encrypt the data packet; and sending the encrypted data packet to the receiver. In the embodiment of the present invention, data packets of different access types are configured with corresponding encryption algorithms, so as to resolve the conflict between the security and the real-time performance of data packet transmission, thereby improving the data packet transmission efficiency.

Description

Method and device for transmitting data packets

Technical field

Embodiments of the present invention relate to the field of communications, and more particularly, to a method and device for transmitting data packets.

Background
IEEE (Institute of Electrical and Electronics Engineers) 802.11 technology defines a common MAC (Medium Access Control) layer for multiple PHYs (physical layers) in order to build standard wireless local area networks. The main task of the MAC is to establish addressing and channel access control mechanisms for the multiple stations in the same network, making communication among multiple stations possible.
The basic building block of a WLAN (Wireless Local Area Network) is the BSS (Basic Service Set), which consists of STAs (stations) that are associated in some way within a particular coverage area. The central station in a BSS network that is dedicated to managing the BSS is called the AP (Access Point), and the other STAs in the network are associated with it. Multiple BSS networks interconnected through a DS (Distribution System) form an ESS (Extended Service Set). When no AP is present, STAs can also form an ad hoc network and communicate with each other directly; such a network is an independent BSS, or IBSS (Independent Basic Service Set).
IEEE 802.11i is the wireless security protocol and sets the overall principles. TKIP (Temporal Key Integrity Protocol) and CCMP (Counter Mode/CBC-MAC Protocol) are two data encryption algorithms. CCMP requires two AES (Advanced Encryption Standard) encryption operations for every 16 bytes of data, so the number of encryption operations is high. Moreover, CCMP is based on a "chained" mode and must process the 16-byte blocks in order, because a chained encryption mode needs the output of the previous stage as the input of the next stage.
IEEE 802.11ac and IEEE 802.11ad offer higher data rates and have already had a significant impact on network protocols in other related fields; CCMP may no longer be able to meet the requirements. Currently, a new protocol, GCMP (Galois/Counter Mode Protocol), uses the same AES encryption engine as CCMP but is built on a stronger and more efficient framework that can halve the number of encryption operations and can process an entire frame in parallel.
EDCA (Enhanced Distributed Channel Access) is an extension of the basic DCF (Distributed Coordination Function) introduced in the IEEE 802.11e amendment to support prioritized quality of service (QoS). The EDCA mechanism defines four access categories (ACs), ordered from low to high data priority: AC_BK (background), AC_BE (best effort), AC_VI (video) and AC_VO (voice). AC_BK and AC_BE do not place many demands on the real-time performance of data communication, whereas AC_VI and AC_VO carry large volumes of data and have quite high real-time requirements.
The existing IEEE 802.11ac protocol specifies the following regarding encryption algorithms: within an ESS, if the AP informs the associated VHT (Very High Throughput) STAs that it supports CCMP encryption, or if the beacons and probe responses sent by the AP contain HT (High Throughput) capability information or VHT capability information, then a VHT STA can only use the CCMP encryption algorithm as its sole choice of encryption algorithm. This may cause delays in data packet transmission and creates a conflict between the security and the real-time performance of data packet transmission.

Summary of the invention
Embodiments of the present invention provide a method and device for transmitting data packets, which can resolve the conflict between the security and the real-time performance of data packet transmission and improve the transmission efficiency of data packets.
In one aspect, a method for transmitting a data packet is provided, including: determining the access category of the data packet; determining the encryption algorithm of the data packet according to the correspondence between access categories of data packets and encryption algorithms negotiated with the receiving end; encrypting the data packet using the encryption algorithm of the data packet; and sending the encrypted data packet to the receiving end.
In another aspect, a method for transmitting a data packet is provided, including: receiving an encrypted data packet from the sending end; determining the access category of the data packet; determining the encryption algorithm of the data packet according to the correspondence between access categories of data packets and encryption algorithms negotiated with the sending end; and decrypting the data packet using the encryption algorithm of the data packet.
In another aspect, a device for transmitting a data packet is provided, including: a first determining unit, configured to determine the access category of the data packet; a second determining unit, configured to determine the encryption algorithm of the data packet according to the correspondence between access categories of data packets and encryption algorithms negotiated with the receiving end; an encryption unit, configured to encrypt the data packet using the encryption algorithm of the data packet; and a sending unit, configured to send the encrypted data packet to the receiving end.
In another aspect, a device for transmitting a data packet is provided, including: a receiving unit, configured to receive an encrypted data packet from the sending end; a category determining unit, configured to determine the access category of the data packet; an algorithm determining unit, configured to determine the encryption algorithm of the data packet according to the correspondence between access categories of data packets and encryption algorithms negotiated with the sending end; and a decryption unit, configured to decrypt the data packet using the encryption algorithm of the data packet.
By configuring corresponding encryption algorithms for data packets of different access categories, the embodiments of the present invention can resolve the conflict between the security and the real-time performance of data packet transmission and improve the transmission efficiency of data packets.

Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a method for transmitting a data packet according to an embodiment of the present invention. FIG. 2 is a schematic flowchart of a method for transmitting a data packet according to another embodiment of the present invention. FIG. 3 is a schematic flowchart of a process of transmitting a data packet according to another embodiment of the present invention. FIG. 4 is a schematic diagram of the format of a negotiation information element according to an embodiment of the present invention.
FIG. 5 is a block diagram of a device for transmitting data packets according to an embodiment of the present invention.
FIG. 6 is a block diagram of a device for transmitting data packets according to another embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are some, rather than all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
FIG. 1 is a schematic flowchart of a method for transmitting a data packet according to an embodiment of the present invention. The method of FIG. 1 is performed by a sending end; for example, the sending end may be a station in a wireless local area network, such as a STA as defined in a WLAN.
110. Determine the access category of the data packet.
For example, the access category may be one of the four access categories of the EDCA mechanism: AC_BK (background), AC_BE (best effort), AC_VI (video) and AC_VO (voice). However, the embodiments of the present invention are not limited to the specific access categories above.
120. Determine the encryption algorithm of the data packet according to the correspondence between access categories of data packets and encryption algorithms negotiated with the receiving end.
For example, the sending end may negotiate with the receiving end in advance to determine the correspondence between access categories of data packets and encryption algorithms; for instance, the sending end and the receiving end may negotiate the correspondence during the probe request/probe response and/or association request/association response procedure, or may negotiate it through newly added dedicated signaling. Optionally, in an embodiment, before determining the access category of the data packet, the sending end may negotiate with the receiving end to determine the correspondence between access categories of data packets and encryption algorithms, for example while sending a probe request or association request to the receiving end.
Optionally, as an embodiment, the sending end may generate a first negotiation information element, which indicates a first correspondence, and send the first negotiation information element to the receiving end. For example, the sending end may send the first negotiation information element when sending a probe request or association request to the receiving end.
Optionally, as another embodiment, the sending end may receive a response message returned by the receiving end, where the response message carries a second negotiation information element from the receiving end and the second negotiation information element indicates a second correspondence; according to the first correspondence and the second correspondence, the sending end determines the correspondence. In addition, the sending end may also receive a confirmation message returned by the receiving end confirming acceptance of the first negotiation information element. For example, the sending end may receive the response message or confirmation message returned by the receiving end when the receiving end makes a probe response or association response to the sending end's probe request or association request. Alternatively, the receiving end may return no response message at all, in which case the sending end's first negotiation information element is accepted by default. The embodiments of the present invention impose no limitation on this.
Optionally, as another embodiment, if the second correspondence is the same as the first correspondence, the sending end determines the correspondence to be the first correspondence or the second correspondence; if the second correspondence differs from the first correspondence, the sending end determines the correspondence to be the second correspondence.
Optionally, as an embodiment, in the correspondence, an access category with higher real-time requirements may correspond to an encryption algorithm of lower complexity. For example, in the EDCA mechanism, the access categories AC_VI and AC_VO have high real-time requirements, so a lower-complexity encryption algorithm such as TKIP or GCMP may be used to obtain better real-time performance; the access categories AC_BK and AC_BE have lower real-time requirements, so a higher-complexity encryption algorithm such as CCMP may be used to obtain higher security. The sending end and the receiving end may take each other's security configuration into account and negotiate the encryption algorithms for data packets of different access categories. However, the embodiments of the present invention are not limited to the specific categories and specific algorithms above.
Optionally, as an embodiment, the sending end may also negotiate with the receiving end to determine the keys corresponding to the encryption algorithms in the correspondence; for example, for each encryption algorithm in the correspondence, the sending end and the receiving end respectively compute and negotiate the unicast and multicast keys corresponding to that encryption algorithm.
130. Encrypt the data packet using the encryption algorithm of the data packet.
Optionally, as another embodiment, the sending end may use the key corresponding to the encryption algorithm negotiated with the receiving end to encrypt the data packet according to the encryption algorithm of the data packet determined in 120, and then update the key for the next data packet encryption.
140. Send the encrypted data packet to the receiving end.
By configuring corresponding encryption algorithms for data packets of different access categories, the embodiments of the present invention can resolve the conflict between the security and the real-time performance of data packet transmission and improve the transmission efficiency of data packets.
FIG. 2 is a schematic flowchart of a method for transmitting a data packet according to another embodiment of the present invention. The method of FIG. 2 is performed by a receiving end; for example, the receiving end may be an access point in a wireless local area network, such as an AP as defined in a WLAN.
210. Receive an encrypted data packet from the sending end.
220. Determine the access category of the data packet.
For example, the access category may be one of the four access categories of the EDCA mechanism: AC_BK (background), AC_BE (best effort), AC_VI (video) and AC_VO (voice). However, the embodiments of the present invention are not limited to the specific access categories above.
230. Determine the encryption algorithm of the data packet according to the correspondence between access categories of data packets and encryption algorithms negotiated with the sending end.
For example, the receiving end may negotiate with the sending end in advance to determine the correspondence between access categories of data packets and encryption algorithms; for instance, the receiving end and the sending end may negotiate the correspondence during the probe request/probe response and/or association request/association response procedure, or may negotiate it through newly added dedicated signaling. Optionally, in an embodiment, before the receiving end receives the encrypted data packet from the sending end, the receiving end may negotiate with the sending end to determine the correspondence between access categories of data packets and encryption algorithms, for example while the receiving end makes a probe response or association response.
Optionally, as an embodiment, the receiving end may receive a first negotiation information element from the sending end, where the first negotiation information element indicates a first correspondence; according to the first correspondence, the receiving end generates a second negotiation information element, which indicates a second correspondence; and the receiving end returns to the sending end a response message carrying the second negotiation information element. In addition, the receiving end may also return to the sending end a confirmation message confirming acceptance of the first negotiation information element. For example, when making a probe response or association response to the sending end's probe request or association request, the receiving end may send to the sending end the response message carrying the second negotiation information element or the confirmation message confirming acceptance of the first negotiation information element. Alternatively, the receiving end may return no response message at all, in which case the sending end's first negotiation information element is accepted by default. The embodiments of the present invention impose no limitation on this.
Optionally, as another embodiment, if the receiving end accepts the first correspondence, the second correspondence is the same as the first correspondence; if the receiving end does not accept the first correspondence, the second correspondence differs from the first correspondence. For example, if the receiving end does not support an encryption algorithm in the correspondence indicated by the sending end's first negotiation information element, or has no related configuration, the receiving end configures corresponding encryption algorithms for data packets of different access categories according to its own situation, thereby establishing the second correspondence, and generates the second negotiation information element to indicate the second correspondence.
Optionally, as another embodiment, in the correspondence, an access category with higher real-time requirements may correspond to an encryption algorithm of lower complexity. For example, in the EDCA mechanism, the access categories AC_VI and AC_VO have high real-time requirements, so a lower-complexity encryption algorithm such as TKIP or GCMP may be used to obtain better real-time performance; the access categories AC_BK and AC_BE have lower real-time requirements, so a higher-complexity encryption algorithm such as CCMP may be used to obtain higher security. The sending end and the receiving end may take each other's security configuration into account and negotiate the encryption algorithms for data packets of different access categories.
Optionally, as another embodiment, the receiving end may negotiate with the sending end to determine the keys corresponding to the encryption algorithms in the correspondence; for example, for each encryption algorithm in the correspondence, the receiving end and the sending end respectively compute and negotiate the unicast and multicast keys corresponding to that encryption algorithm.
240. Decrypt the data packet using the encryption algorithm of the data packet.
Optionally, the receiving end may use the key corresponding to the encryption algorithm in the correspondence negotiated with the sending end to decrypt the data packet according to the encryption algorithm of the data packet determined in 230, and then update the key for the next data packet decryption.
By configuring corresponding encryption algorithms for data packets of different access categories, the embodiments of the present invention can resolve the conflict between the security and the real-time performance of data packet transmission and improve the transmission efficiency of data packets.
FIG. 3 is a schematic flowchart of a process of transmitting a data packet according to another embodiment of the present invention. The embodiment of FIG. 3 is described taking as an example the case where the sending end of the data packet is a STA as defined in a WLAN and the receiving end is an AP as defined in a WLAN.
For brevity, FIG. 3 shows only one STA and one AP, but the embodiments of the present invention impose no limit on the number of STAs and APs. For example, the STAs and the AP in a BSS generally operate in one of two modes: MU-MIMO (Multi-User MIMO) mode and SU-MIMO (Single-User MIMO) mode. In MU-MIMO mode, the AP sends data to multiple STAs simultaneously or receives data from multiple STAs simultaneously. In SU-MIMO mode, the AP sends data to and receives data from only one STA at a time. The embodiments of the present invention are applicable to either mode.
301. The STA generates a first negotiation information element, which indicates a first correspondence between access categories of data packets and encryption algorithms.
302. The STA sends the first negotiation information element to the AP.
For example, the STA may send the first negotiation information element to the AP when sending a probe request or association request to the AP.
303. According to the first negotiation information element received from the STA, the AP generates a second negotiation information element, which indicates a second correspondence between access categories of data packets and encryption algorithms.
Optionally, as an embodiment, if the AP accepts the first correspondence from the STA, the second correspondence is the same as the first correspondence; if the AP does not accept the first correspondence from the STA, it establishes the second correspondence according to its own situation and generates the second negotiation information element to indicate the second correspondence.
304. The AP returns to the STA a response message carrying the second negotiation information element.
For example, the AP may return the response message carrying the second negotiation information element to the STA when making a probe response or association response to the STA's probe request or association request; alternatively, the AP may return a confirmation message confirming acceptance of the first negotiation information element, or the AP may return no message at all, in which case the STA's first negotiation information element is accepted by default. The embodiments of the present invention impose no limitation on this.
305. According to the response message carrying the second negotiation information element returned by the AP, the STA determines the correspondence between access categories of data packets and encryption algorithms.
Optionally, as an embodiment, if the second correspondence indicated by the second negotiation information element is the same as the first correspondence, the STA determines the correspondence to be the first correspondence or the second correspondence; if the second correspondence differs from the first correspondence, the STA determines the correspondence to be the second correspondence.
Optionally, as another embodiment, in the correspondence, an access category with higher real-time requirements may correspond to an encryption algorithm of lower complexity. For example, in the EDCA mechanism, the access categories AC_VI and AC_VO have high real-time requirements, so a lower-complexity encryption algorithm such as TKIP or GCMP may be used to obtain better real-time performance; the access categories AC_BK and AC_BE have lower real-time requirements, so a higher-complexity encryption algorithm such as CCMP may be used to obtain higher security. The sending end and the receiving end may take each other's security configuration into account and negotiate the encryption algorithms for data packets of different access categories.
306. The STA and the AP negotiate to determine the keys corresponding to the encryption algorithms in the correspondence.
For example, after the STA and the AP have negotiated the correspondence between access categories of data packets and encryption algorithms, they further compute and negotiate, for each encryption algorithm in the correspondence, the unicast and multicast keys corresponding to that encryption algorithm; these keys are used to encrypt or decrypt data packets when the STA and the AP send or receive data packets.
307, 在向 AP发送数据包之前, STA确定数据包的接入类别。  307. Before sending a data packet to the AP, the STA determines an access category of the data packet.
308, STA根据与 AP协商确定的对应关系, 确定该数据包的加密算法。  308. The STA determines an encryption algorithm of the data packet according to the correspondence determined by the negotiation with the AP.
309, STA使用该数据包的加密算法, 对数据包加密。  309. The STA encrypts the data packet by using an encryption algorithm of the data packet.
例如, STA可以使用已经与 AP协商确定的加密算法对应的密钥, 对数 据包加密。 然后 STA更新密钥, 以便进行下一次数据包加密。  For example, the STA may encrypt the data packet using a key corresponding to the encryption algorithm that has been negotiated with the AP. The STA then updates the key for the next packet encryption.
310, STA向 AP发送加密的数据包。  310. The STA sends an encrypted data packet to the AP.
311 , 在接收到来自 STA的加密的数据包后, AP确定该数据包的接入类 别。  311. After receiving the encrypted data packet from the STA, the AP determines an access category of the data packet.
312, AP根据与 STA协商确定的对应关系, 确定该数据包的加密算法。  312. The AP determines an encryption algorithm of the data packet according to the correspondence determined by the STA.
313 , AP使用该数据包的加密算法, 对数据包解密。  313. The AP decrypts the data packet by using an encryption algorithm of the data packet.
例如, AP可以使用已经与 STA协商确定的加密算法对应的密钥, 对数 据包加密。 然后 AP更新密钥, 以便进行下一次数据包解密。  For example, the AP may encrypt the data packet using a key corresponding to the encryption algorithm that has been negotiated with the STA. The AP then updates the key for the next packet decryption.
It should be understood that the sequence numbers of the above processes do not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
By configuring a corresponding encryption algorithm for data packets of each access category, the embodiments of the present invention resolve the conflict between security and real-time performance in data packet transmission and improve the transmission efficiency of data packets.
FIG. 4 is a schematic diagram of the format of a negotiation information element according to an embodiment of the present invention.
As shown in FIG. 4, the fields of the negotiation information element have the following meanings: the information element ID identifies the information element as a negotiation information element; the Length field gives the total length of the fields of the negotiation information element other than the information element ID field and the Length field; the AC_VI encryption algorithm, AC_VO encryption algorithm, AC_BE encryption algorithm and AC_BK encryption algorithm fields indicate the encryption algorithm corresponding to each access category, for example, 0 denotes no encryption, 1 denotes TKIP, 2 denotes GCMP, 3 denotes CCMP, and 4 to 255 are reserved values that are not used for the time being.
By indicating the encryption algorithm corresponding to each access category, the negotiation information element in the embodiments of the present invention resolves the conflict between security and real-time performance in data packet transmission and improves the transmission efficiency of data packets.
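The element format of FIG. 4, the two-message negotiation (first correspondence proposed by the sending end, second correspondence returned by the receiving end, second one adopted when it differs) and the per-access-category algorithm selection of steps 307 and 308 together describe a small protocol. The following Python program is an added example, not code from the patent or from the applicant: it serialises and parses the FIG. 4 element, runs the exchange with a receiving end that enforces a minimum cipher per access category, and picks the cipher for an outgoing frame from its access category. The cipher codes 0 to 3 and the four-octet layout come from the description of FIG. 4; the element ID value 0xDD, the sample policy (no unencrypted traffic, no TKIP since it is deprecated in current 802.11 revisions, GCMP proposed for AC_VI/AC_VO and CCMP for AC_BE/AC_BK) and the sample correspondences are assumptions made for the example.

```python
"""Added example (not code from the patent): the negotiation information
element of FIG. 4, the two-message correspondence negotiation, and
per-access-category cipher selection for an outgoing frame."""

# Access categories of the EDCA mechanism, in the field order of FIG. 4.
ACCESS_CATEGORIES = ("AC_VI", "AC_VO", "AC_BE", "AC_BK")

# Cipher field values from the description of FIG. 4; 4..255 are reserved.
CIPHER_NONE, CIPHER_TKIP, CIPHER_GCMP, CIPHER_CCMP = 0, 1, 2, 3
CIPHER_NAMES = {CIPHER_NONE: "none", CIPHER_TKIP: "TKIP",
                CIPHER_GCMP: "GCMP", CIPHER_CCMP: "CCMP"}

# The patent gives no numeric element ID; 0xDD is a placeholder for this example only.
NEGOTIATION_IE_ID = 0xDD


def build_negotiation_ie(mapping):
    """Serialise {access category: cipher code} as ID | Length | AC_VI | AC_VO | AC_BE | AC_BK."""
    body = bytes(mapping[ac] for ac in ACCESS_CATEGORIES)
    if any(code > CIPHER_CCMP for code in body):
        raise ValueError("reserved cipher value in correspondence")
    return bytes((NEGOTIATION_IE_ID, len(body))) + body


def parse_negotiation_ie(data):
    """Inverse of build_negotiation_ie; rejects truncated, oversized or reserved-valued elements."""
    if len(data) < 2 or data[0] != NEGOTIATION_IE_ID:
        raise ValueError("not a negotiation information element")
    length = data[1]
    if length != len(ACCESS_CATEGORIES) or len(data) != 2 + length:
        raise ValueError("bad Length field")
    mapping = dict(zip(ACCESS_CATEGORIES, data[2:]))
    for ac, code in mapping.items():
        if code > CIPHER_CCMP:
            raise ValueError(f"reserved cipher value {code} for {ac}")
    return mapping


# Sample receiving-end policy (an assumption for this example): per access
# category, the set of acceptable cipher codes and the cipher proposed instead.
# Unencrypted traffic and TKIP are never accepted.
SAMPLE_POLICY = {
    "AC_VI": ({CIPHER_GCMP, CIPHER_CCMP}, CIPHER_GCMP),
    "AC_VO": ({CIPHER_GCMP, CIPHER_CCMP}, CIPHER_GCMP),
    "AC_BE": ({CIPHER_CCMP, CIPHER_GCMP}, CIPHER_CCMP),
    "AC_BK": ({CIPHER_CCMP, CIPHER_GCMP}, CIPHER_CCMP),
}


def respond(first, policy):
    """Receiving end (negotiation determining unit 650): build the second correspondence.

    It equals the first when every entry is acceptable (the first correspondence is
    'accepted'); otherwise each unacceptable entry is replaced by the policy's proposal."""
    second = dict(first)
    for ac, (acceptable, proposal) in policy.items():
        if first[ac] not in acceptable:
            second[ac] = proposal
    return second


def negotiate(first, policy):
    """Run the exchange and return (agreed correspondence, whether it differs from the proposal).

    The sending end emits the first element; the receiving end parses it and answers
    with the second element; the sending end (unit 550) parses the answer and adopts
    the second correspondence, which is identical to the first when it was accepted."""
    request = build_negotiation_ie(first)          # sending end -> receiving end
    second = respond(parse_negotiation_ie(request), policy)
    response = build_negotiation_ie(second)        # receiving end -> sending end
    agreed = parse_negotiation_ie(response)
    return agreed, agreed != first


def cipher_for_frame(agreed, access_category):
    """Steps 307 and 308: pick the cipher for an outgoing frame from its access category."""
    if access_category not in agreed:
        raise ValueError(f"unknown access category {access_category!r}")
    return agreed[access_category]


if __name__ == "__main__":
    # Constructed sample proposal: TKIP for the real-time categories, CCMP for the rest.
    proposed = {"AC_VI": CIPHER_TKIP, "AC_VO": CIPHER_TKIP,
                "AC_BE": CIPHER_CCMP, "AC_BK": CIPHER_CCMP}
    agreed, changed = negotiate(proposed, SAMPLE_POLICY)
    for ac in ACCESS_CATEGORIES:
        print(f"{ac}: {CIPHER_NAMES[agreed[ac]]}")
    print("receiving end modified the proposal:", changed)
    print("cipher for a voice frame:", CIPHER_NAMES[cipher_for_frame(agreed, "AC_VO")])
```

The parser refuses elements whose Length field disagrees with the four-octet body and elements carrying a reserved code, so a malformed or forged element cannot silently select "no encryption" for a category; the policy lives entirely on the receiving end, which is the party the patent lets modify the proposal.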
FIG. 5 is a block diagram of a device for transmitting data packets according to an embodiment of the present invention. One example of the device 500 of FIG. 5 is a sending end, which may for example be a station or an access point in a wireless local area network, such as a STA or an AP as defined in WLAN. The device 500 includes a first determining unit 510, a second determining unit 520, an encryption unit 530 and a sending unit 540.
The first determining unit 510 determines the access category of a data packet. The second determining unit 520 determines the encryption algorithm of the data packet according to the correspondence between the access category of the data packet and the encryption algorithm determined by negotiation with the receiving end. The encryption unit 530 is configured to encrypt the data packet using the encryption algorithm of the data packet. The sending unit 540 is configured to send the encrypted data packet to the receiving end.
By configuring a corresponding encryption algorithm for data packets of each access category, the embodiments of the present invention resolve the conflict between security and real-time performance in data packet transmission and improve the transmission efficiency of data packets.
For the other functions and operations of the device 500, reference may be made to the processes involving the sending end in the method embodiments of FIG. 1 and FIG. 3 above; to avoid repetition, they are not described in detail again.
Optionally, as an embodiment, as shown in FIG. 5, the device 500 may further include a negotiation determining unit 550, which negotiates with the receiving end to determine the correspondence.
Optionally, as another embodiment, the negotiation determining unit 550 may receive a response message returned by the receiving end, the response message carrying a second negotiation information element from the receiving end that indicates a second correspondence, and determine the correspondence according to the first correspondence and the second correspondence. The negotiation determining unit 550 may further be configured to determine that the correspondence is the first correspondence or the second correspondence if the second correspondence is the same as the first correspondence, or to determine that the correspondence is the second correspondence if the second correspondence differs from the first correspondence.
FIG. 6 is a block diagram of a device for transmitting data packets according to another embodiment of the present invention. One example of the device 600 of FIG. 6 is a receiving end, which may for example be a station or an access point in a wireless local area network, such as a STA or an AP as defined in WLAN. The device 600 includes a receiving unit 610, a category determining unit 620, an algorithm determining unit 630 and a decryption unit 640.
The receiving unit 610 receives an encrypted data packet from the sending end. The category determining unit 620 determines the access category of the data packet. The algorithm determining unit 630 determines the encryption algorithm of the data packet according to the correspondence between the access category of the data packet and the encryption algorithm determined by negotiation with the sending end. The decryption unit 640 decrypts the data packet using the encryption algorithm of the data packet.
By configuring a corresponding encryption algorithm for data packets of each access category, the embodiments of the present invention resolve the conflict between security and real-time performance in data packet transmission and improve the transmission efficiency of data packets.
For the other functions and operations of the device 600, reference may be made to the processes involving the receiving end in the method embodiments of FIG. 2 and FIG. 3 above; to avoid repetition, they are not described in detail again.
Optionally, as an embodiment, as shown in FIG. 6, the device 600 further includes a negotiation determining unit 650, which negotiates the correspondence with the sending end.
Optionally, as another embodiment, the negotiation determining unit 650 may receive a first negotiation information element from the sending end, the first negotiation information element indicating a first correspondence; generate, according to the first correspondence, a second negotiation information element indicating a second correspondence; and return to the sending end a response message carrying the second negotiation information element.
A communication system according to an embodiment of the present invention may include the device 500 or the device 600 described above.
A person of ordinary skill in the art may be aware that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered beyond the scope of the present invention.
A person skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working processes of the systems, devices and units described above reference may be made to the corresponding processes in the foregoing method embodiments, and details are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative; for example, the division into units is merely a division by logical function, and in actual implementation there may be other divisions, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of another form. The parts shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of the present invention essentially, or the part that contributes to the prior art, or part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing describes only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims

1. A method for transmitting a data packet, characterized by comprising:
determining an access category of the data packet;
determining an encryption algorithm of the data packet according to a correspondence between access categories of data packets and encryption algorithms determined by negotiation with a receiving end;
encrypting the data packet using the encryption algorithm of the data packet; and
sending the encrypted data packet to the receiving end.
2. The method according to claim 1, characterized in that, before determining the access category of the data packet, the method further comprises:
negotiating with the receiving end to determine the correspondence.
3. The method according to claim 2, characterized in that the negotiating with the receiving end to determine the correspondence comprises:
generating a first negotiation information element, the first negotiation information element indicating a first correspondence; and sending the first negotiation information element to the receiving end.
4. The method according to claim 3, characterized in that the negotiating with the receiving end to determine the correspondence further comprises:
receiving a response message returned by the receiving end, the response message carrying a second negotiation information element from the receiving end, the second negotiation information element indicating a second correspondence; and
determining the correspondence according to the first correspondence and the second correspondence.
5. The method according to claim 4, characterized in that the determining the correspondence according to the first correspondence and the second correspondence comprises:
if the second correspondence is the same as the first correspondence, determining that the correspondence is the first correspondence or the second correspondence; and
if the second correspondence differs from the first correspondence, determining that the correspondence is the second correspondence.
6. The method according to any one of claims 1 to 5, characterized in that, in the correspondence, an access category with a higher real-time requirement corresponds to an encryption algorithm of lower complexity.
7. The method according to any one of claims 1 to 5, characterized by further comprising: negotiating with the receiving end to determine keys corresponding to the encryption algorithms in the correspondence.
8. The method according to claim 7, characterized in that the encrypting the data packet using the encryption algorithm of the data packet comprises: encrypting the data packet with the key according to the encryption algorithm of the data packet; and updating the key.
9. A method for transmitting a data packet, characterized by comprising:
receiving an encrypted data packet from a sending end;
determining an access category of the data packet;
determining an encryption algorithm of the data packet according to a correspondence between access categories of data packets and encryption algorithms determined by negotiation with the sending end; and
decrypting the data packet using the encryption algorithm of the data packet.
10. The method according to claim 9, characterized in that, before receiving the encrypted data packet from the sending end, the method further comprises:
negotiating with the sending end to determine the correspondence.
11. The method according to claim 10, characterized in that the negotiating with the sending end to determine the correspondence comprises:
receiving a first negotiation information element from the sending end, the first negotiation information element indicating a first correspondence;
generating, according to the first correspondence, a second negotiation information element, the second negotiation information element indicating a second correspondence; and
returning to the sending end a response message carrying the second negotiation information element.
12. The method according to claim 11, characterized in that, if the first correspondence is accepted, the second correspondence is the same as the first correspondence; and
if the first correspondence is not accepted, the second correspondence differs from the first correspondence.
13. The method according to any one of claims 8 to 12, characterized in that, in the correspondence, an access category with a higher real-time requirement corresponds to an encryption algorithm of lower complexity.
14. The method according to any one of claims 8 to 12, characterized by further comprising: negotiating with the sending end to determine keys corresponding to the encryption algorithms in the correspondence.
15. The method according to claim 14, characterized in that the decrypting the data packet according to the encryption algorithm of the data packet comprises:
decrypting the data packet with the key according to the encryption algorithm of the data packet; and updating the key.
16. A device for transmitting a data packet, characterized by comprising: a first determining unit, configured to determine an access category of the data packet;
a second determining unit, configured to determine an encryption algorithm of the data packet according to a correspondence between access categories of data packets and encryption algorithms determined by negotiation with a receiving end;
an encryption unit, configured to encrypt the data packet using the encryption algorithm of the data packet; and a sending unit, configured to send the encrypted data packet to the receiving end.
17. The device according to claim 16, characterized by further comprising:
a negotiation determining unit, configured to negotiate with the receiving end to determine the correspondence.
18. The device according to claim 17, characterized in that the negotiation determining unit is specifically configured to generate a first negotiation information element, the first negotiation information element indicating a first correspondence, and to send the first negotiation information element to the receiving end.
19. The device according to claim 18, characterized in that the negotiation determining unit is further configured to receive a response message returned by the receiving end, the response message carrying a second negotiation information element from the receiving end, the second negotiation information element indicating a second correspondence, and to determine the correspondence according to the first correspondence and the second correspondence.
20. The device according to claim 19, characterized in that the negotiation determining unit is specifically configured to determine that the correspondence is the first correspondence or the second correspondence if the second correspondence is the same as the first correspondence;
or the negotiation determining unit is specifically configured to determine that the correspondence is the second correspondence if the second correspondence differs from the first correspondence.
21. A device for transmitting a data packet, characterized by comprising:
a receiving unit, configured to receive an encrypted data packet from a sending end;
a category determining unit, configured to determine an access category of the data packet;
an algorithm determining unit, configured to determine an encryption algorithm of the data packet according to a correspondence between access categories of data packets and encryption algorithms determined by negotiation with the sending end; and
a decryption unit, configured to decrypt the data packet using the encryption algorithm of the data packet.
22. The device according to claim 21, characterized by further comprising:
a negotiation determining unit, configured to negotiate with the sending end to determine the correspondence.
23. The device according to claim 22, characterized in that the negotiation determining unit is specifically configured to receive a first negotiation information element from the sending end, the first negotiation information element indicating a first correspondence; generate, according to the first correspondence, a second negotiation information element, the second negotiation information element indicating a second correspondence; and return to the sending end a response carrying the second negotiation information element
PCT/CN2012/083804 2011-10-31 2012-10-31 Method and device for transmitting data packet WO2013064062A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110336753.6 2011-10-31
CN201110336753.6A CN103096303B (en) 2011-10-31 2011-10-31 The method and apparatus of transmission packet

Publications (1)

Publication Number Publication Date
WO2013064062A1 true WO2013064062A1 (en) 2013-05-10

Family

ID=48191330

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/083804 WO2013064062A1 (en) 2011-10-31 2012-10-31 Method and device for transmitting data packet

Country Status (2)

Country Link
CN (1) CN103096303B (en)
WO (1) WO2013064062A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104182501B (en) * 2014-08-18 2018-01-02 曾蔚峰 Remote reserved clinic system
CN107438247B (en) * 2016-05-26 2020-04-03 新华三技术有限公司 Wireless relay implementation method and device
CN107040293B (en) * 2017-03-02 2020-12-22 义乌市智享通讯设备有限公司 Multi-user input/output communication system and method
SG11201912337TA (en) 2017-07-25 2020-01-30 Guangdong Oppo Mobile Telecommunications Corp Ltd Switching method, access network device and terminal device
JP7235879B2 (en) 2018-10-15 2023-03-08 オッポ広東移動通信有限公司 Wireless communications and equipment
CN111885637B (en) * 2020-07-21 2021-05-18 广芯微电子(广州)股份有限公司 Method, device and system for testing signal strength of base station and storage medium
CN111859345A (en) * 2020-07-28 2020-10-30 郑州奥腾网络科技有限公司 Computer data safety storage system
CN112468485A (en) * 2020-11-24 2021-03-09 广东电力信息科技有限公司 Internet of things message processing method, device, terminal and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070160210A1 (en) * 2002-01-02 2007-07-12 Candelore Brant L Star pattern partial encryption method
CN101267297A (en) * 2008-04-01 2008-09-17 华为技术有限公司 An encryption implementation method and device in communication system
CN101562813A (en) * 2009-05-12 2009-10-21 中兴通讯股份有限公司 Method for implementing real-time data service, real-time data service system and mobile terminal

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924905A (en) * 2010-09-01 2010-12-22 新邮通信设备有限公司 Method and system for encrypting and decrypting in video telephone communication

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070160210A1 (en) * 2002-01-02 2007-07-12 Candelore Brant L Star pattern partial encryption method
CN101267297A (en) * 2008-04-01 2008-09-17 华为技术有限公司 An encryption implementation method and device in communication system
CN101562813A (en) * 2009-05-12 2009-10-21 中兴通讯股份有限公司 Method for implementing real-time data service, real-time data service system and mobile terminal

Also Published As

Publication number Publication date
CN103096303A (en) 2013-05-08
CN103096303B (en) 2016-04-20

Similar Documents

Publication Publication Date Title
WO2013064062A1 (en) Method and device for transmitting data packet
EP2080387B1 (en) Configuring and connecting to a media wireless network
JP5780558B2 (en) Wireless multiband security
KR101019300B1 (en) Method and system for secure processing of authentication key material in an ad hoc wireless network
JP6522861B2 (en) Wireless communication system with multiple security levels
CN103581901B (en) A kind of Wi Fi wireless networks access the processing method of configuration information and equipment
WO2016101494A1 (en) Wireless intelligent access method
KR101485279B1 (en) Switch equipment and data processing method for supporting link layer security transmission
WO2012083828A1 (en) Method, base station and system for implementing local routing
US9872175B2 (en) Packet processing method, apparatus, and system
WO2009097789A1 (en) Method and communication system for establishing security association
US20240107313A1 (en) Control frame processing method, control frame generating method, station, access point, and storage medium
CN107801187A (en) Encipher-decipher method, apparatus and system
US11297496B2 (en) Encryption and decryption of management frames
KR101518438B1 (en) Method for establishing secure network architecture, method and system for secure communication
US8094634B2 (en) Sender and/or helper node modifications to enable security features in cooperative wireless communications
WO2010096996A1 (en) Method for realizing integration of wapi and capwap in local mac mode
WO2022237561A1 (en) Communication method and apparatus
WO2010097003A1 (en) Method for realizing integration of wapi and capwap by split mac mode
WO2010097004A1 (en) Method for realizing integration of wapi and capwap by separated mac mode
EP4061038B1 (en) Wireless network switching method and device
KR20050060633A (en) Data security and apply device in wireless local area network system and method thereof
US20230269581A1 (en) Association protection for wireless networks
WO2022198671A1 (en) Communication method and apparatus
CN115037504A (en) Communication method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12845181

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12845181

Country of ref document: EP

Kind code of ref document: A1