WO2016184351A1 - Ip address allocation method and system for wireless network - Google Patents
- Publication number: WO2016184351A1 (application PCT/CN2016/081952)
- Authority: WO (WIPO, PCT)
- Prior art keywords: client, random number, key, authentication end, authentication
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
      - H04L61/00—Network arrangements, protocols or services for addressing or naming
        - H04L61/50—Address allocation
          - H04L61/5007—Internet protocol [IP] addresses
            - H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/06—Authentication
Definitions
- The present invention relates to the field of wireless communication technologies, and in particular to a method, a system, an authentication end, and a client for allocating an IP address in a wireless network.
- Abbreviations used in this description: Wi-Fi (Wireless Fidelity); WPA (Wi-Fi Protected Access); EAP (Extensible Authentication Protocol); EAPOL (EAP over LAN, Local Area Network); DHCP (Dynamic Host Configuration Protocol).
- In a Wi-Fi network using a WPA pre-shared key, the authentication end, such as a wireless access point (AP), and a client, such as a station, perform authentication and key negotiation through the four-way handshake of EAPOL-Key packets.
- If the client is set to dynamic IP acquisition mode, it must then obtain an IP address, or renew the last used IP address, through DHCP.
- A problem of the related art is therefore that when a client accesses a wireless network or switches wireless networks, IP address acquisition or renewal is started only after the wireless link layer connection is established, so it takes a long time before a usable network connection exists.
- The present invention aims to solve at least one of the technical problems in the related art to some extent.
- A first object of the present invention is to provide an IP address allocation method for a wireless network. The method reduces the time it takes for a client to access or switch to a wireless network.
- A second object of the present invention is to provide an IP address allocation system for a wireless network.
- A third object of the present invention is to provide an authentication end.
- A fourth object of the present invention is to provide a client.
- According to a first aspect, a method for allocating an IP address of a wireless network includes: generating an authentication end random number and sending it to the client; receiving a client random number, a message integrity check code (MIC), and dynamic host configuration protocol (DHCP) request information sent by the client, where the client generates the client random number and generates a pairwise transient key (PTK) from the authentication end random number, the client random number, the pairwise master key (PMK), the authentication end attribute information, and the client attribute information; generating the PTK at the authentication end from the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information, and verifying the MIC; determining response information for the DHCP request information and sending the client an indication of whether to install an encryption/global key together with the response information, so that the client installs the encryption/global key and determines an IP address from the response information; and receiving the determination information sent by the client to complete the shared key authentication with the client, and communicating with the client according to the IP address.
- The IP address allocation method of the wireless network in this embodiment completes the application for or renewal of the client IP address while the client performs the four-way handshake, so the IP address is applied for or renewed as soon as the shared key authentication of the wireless link connection is established. That is, as soon as the shared key authentication of the wireless link connection is established, the upper-layer application can start to send and receive data without a separate step to apply for or renew an IP address. This reduces the time required for the client to access or switch the wireless network, and further reduces the time during which the application layer is affected when the client accesses or switches the wireless network.
- According to a second aspect, an IP address allocation system for a wireless network includes an authentication end and a client. The authentication end is configured to generate an authentication end random number and send it to the client.
- The client is configured to generate a client random number, generate a pairwise transient key (PTK) from the authentication end random number, the client random number, the pairwise master key (PMK), the authentication end attribute information, and the client attribute information, and send the client random number, a message integrity check code (MIC), and DHCP request information to the authentication end.
- The authentication end is further configured to generate the PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information, verify the MIC, determine response information for the DHCP request information, and send the client an indication of whether to install an encryption/global key together with the response information.
- The client is further configured to install the encryption/global key, determine an IP address from the response information, and send the determination information to the authentication end to complete the shared key authentication between the authentication end and the client, and then to communicate with the authentication end according to the IP address.
- The IP address allocation system of the wireless network in this embodiment completes the application for or renewal of the client IP address while the authentication end and the client perform the four-way handshake, so the IP address can be applied for or renewed as soon as the shared key authentication of the wireless link connection is established. That is, as soon as the shared key authentication of the wireless link connection is established, the upper-layer application can start to send and receive data without a separate step to apply for or renew an IP address. This reduces the time required for the client to access or switch the wireless network, and further reduces the time during which the application layer is affected when the client accesses or switches the wireless network.
- According to a third aspect, the authentication end of the present invention includes: a first generation module configured to generate an authentication end random number; a first sending module configured to send the authentication end random number to the client; a first receiving module configured to receive a client random number, a message integrity check code (MIC), and DHCP request information sent by the client, where the client generates the client random number and generates a pairwise transient key (PTK) from the authentication end random number, the client random number, the pairwise master key (PMK), the authentication end attribute information, and the client attribute information; a second generation module configured to generate the PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information; a verification module configured to verify the MIC; a confirmation module configured to determine response information for the DHCP request information; a second sending module configured to send the client an indication of whether to install an encryption/global key together with the response information; and a second receiving module configured to receive the determination information sent by the client to complete the shared key authentication between the authentication end and the client, and to communicate with the client according to the IP address.
- The authentication end of this embodiment receives the DHCP request information together with the client random number and the MIC sent by the client, and sends the response information for the DHCP request information together with the encryption/global key, so that the application for or renewal of the client IP address is completed while the authentication end and the client perform the four-way handshake. This reduces the time required for the client to access or switch the wireless network, and further reduces the time during which the application layer is affected when the client accesses or switches the wireless network.
- According to a fourth aspect, the client of the present invention includes: a first receiving module configured to receive an authentication end random number sent by the authentication end; a first generation module configured to generate a client random number; a generation module configured to generate a pairwise transient key (PTK) from the authentication end random number, the client random number, the pairwise master key (PMK), the authentication end attribute information, and the client attribute information; a first sending module configured to send the client random number, a message integrity check code (MIC), and DHCP request information to the authentication end; a second receiving module configured to receive from the authentication end an indication of whether to install an encryption/global key together with response information for the DHCP request information, install the encryption/global key, and determine an IP address from the response information; and a second sending module configured to send the determination information to the authentication end to complete the shared key authentication between the authentication end and the client, and to communicate with the authentication end according to the IP address.
- The client of this embodiment sends the DHCP request information together with the client random number and the MIC, and receives the response information for the DHCP request information together with the encryption/global key, so that the application for or renewal of the client IP address is completed while the authentication end and the client perform the four-way handshake. This reduces the time required for the client to access or switch the wireless network, and further reduces the time during which the application layer is affected when the client accesses or switches the wireless network.
- FIG. 1 is a flow chart of a method for allocating an IP address of a wireless network according to an embodiment of the present invention.
- FIG. 2 is a flow chart of a four-way handshake in accordance with one embodiment of the present invention.
- FIG. 3 is a structural block diagram of an IP address allocation system of a wireless network according to an embodiment of the present invention.
- FIG. 4 is a structural block diagram of an authentication end according to an embodiment of the present invention.
- FIG. 5 is a structural block diagram of a client according to an embodiment of the present invention.
- Unless otherwise explicitly specified and limited, the terms "connection" and "connected" are to be understood broadly: a connection may be fixed, detachable, or integral; it may be mechanical or electrical; and it may be direct or indirect through an intermediate medium.
- The specific meaning of the above terms in the present invention can be understood by those skilled in the art according to the specific case. Further, in the description of the present invention, "a plurality" means two or more unless otherwise specified.
- In the related art, the shared key authentication between the authentication end and the client is performed first, and only after the shared key authentication does the client apply for or renew an IP address; data can then be forwarded and received between the authentication end and the client according to the applied-for or renewed IP address.
- This process means that when the client accesses or switches the wireless network, it takes a long time for the wireless link to become usable.
- The shared key authentication between the authentication end and the client is implemented by a four-way handshake. If the IP address can be applied for or renewed at the same time as the four-way handshake, the time otherwise spent on applying for or renewing the IP address can be saved.
- Therefore, the present invention provides a method, a system, an authentication end, and a client for assigning an IP address of a wireless network, which reduce the time required for the wireless link to become connected when the client accesses or switches the wireless network.
- FIG. 1 is a flow chart of a method for allocating an IP address of a wireless network according to an embodiment of the present invention.
- FIG. 2 is a flow chart of a four-way handshake according to an embodiment of the present invention.
- The IP address allocation method of the wireless network according to the embodiment of the present invention is described below with reference to these figures.
- The IP address allocation method of the wireless network includes the following steps.
- The authentication end generates an authentication end random number ANonce (Authenticator Nonce) and sends it to the client.
- The authentication end may be a wireless access point (AP), a wireless router, or the like; the client may be a station, a mobile device, a wireless device, or the like. That is, the authentication end and the client are devices arranged in the wireless network, and the authentication end is responsible for the identity authentication of the client and communicates with the client.
- The specific devices used as the authentication end and the client are not limited in the embodiment of the present invention.
- The authentication end random number is a value that is used only once by the authentication end, and its type may include at least one of a timestamp, a large random number, and a serial number.
- The authentication end is the authenticator, and the client is the applicant (supplicant).
- The authentication end first broadcasts the authentication end random number within the wireless network so that a client within range of the wireless network can receive it.
- The authentication end sending the authentication end random number to the client constitutes the first handshake between the authentication end and the client: the authentication end sends a message 1 to the client, and message 1 includes the authentication end random number generated by the authentication end.
- The authentication end and the client exchange data through EAPOL-KEY (Extensible Authentication Protocol over LAN (Local Area Network)) packets. That is, in the first handshake, the authentication end sends an EAPOL-KEY packet carrying the authentication end random number to the client.
- The authentication end receives the client random number, the MIC (Message Integrity Code, message integrity check code), and the DHCP (Dynamic Host Configuration Protocol) request information sent by the client, where the client generates the client random number and generates a PTK (Pairwise Transient Key) from the authentication end random number, the client random number, the PMK (Pairwise Master Key), the authentication end attribute information, and the client attribute information.
- The authentication end attribute information and the client attribute information may be information that uniquely identifies the corresponding device, for example a device unique identifier, a MAC (Media Access Control) address, or the like.
- After obtaining the authentication end random number sent by the authentication end, the client generates a client random number SNonce (Supplicant Nonce). The client random number is a value that the client uses only once, and its type may include at least one of a timestamp, a large random number, a serial number, and the like. The client then generates a PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information, thereby completing the PTK update on the client side.
- Then, as shown in the flow chart, the client sends the client random number, the MIC, and the DHCP request information to the authentication end; that is, the client and the authentication end perform the second handshake, in which the client sends a message 2 to the authentication end.
- Message 2 includes the client random number generated by the client, the MIC, and the DHCP request information, and the authentication end receives message 2.
- The client adds the client random number, the MIC, and the DHCP request information to an EAPOL-KEY packet and sends it to the authentication end.
- The authentication end generates a PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information, verifies the MIC, determines the response information for the DHCP request information, and sends the client an indication of whether to install the encryption/global key together with the response information, so that the client installs the encryption/global key and determines its IP address from the response information.
- After receiving message 2, the authentication end obtains the client random number generated by the client and generates a PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information, thereby completing the PTK update on the authentication end.
- In one embodiment of the present invention, the method for allocating the IP address of the wireless network further includes: the authentication end forwards the DHCP request information to the DHCP server, and the authentication end receives the response information fed back by the DHCP server.
- That is, the client adds the DHCP request information to message 2 of the second handshake, and the authentication end forwards the received DHCP request information to the DHCP server for processing and obtains the processing result of the DHCP server.
- Generally, if the authentication end is a home router, this DHCP server is the authentication end itself.
- After obtaining the response information, the authentication end sends the response information and the group temporary key GTK (Group Transient Key) to the client. As shown in FIG. 2, the authentication end and the client perform the third handshake, in which the authentication end sends a message 3 to the client.
- Message 3 includes the response information and the GTK, so that the client determines whether to install the encryption/global key.
- The authentication end adds the response information and the GTK to an EAPOL-KEY packet and sends it to the client.
- The authentication end receives the determination information sent by the client to complete the shared key authentication between the authentication end (wireless access point) and the client, and communicates with the client according to the IP address.
- The client and the authentication end perform the fourth handshake: after the client sends the determination information to the authentication end, it is determined that the shared key authentication between the authentication end and the client is completed, which confirms the result of the four-way handshake, and at the same time the IP address of the client is determined from the response information.
- The IP address allocation method of the wireless network in this embodiment completes the application for or renewal of the client IP address while the authentication end and the client perform the four-way handshake, so the IP address can be applied for or renewed as soon as the shared key authentication of the wireless link connection is established. That is, as soon as the shared key authentication of the wireless link connection is established, the upper-layer application can start to send and receive data without a separate step to apply for or renew an IP address. This reduces the time required for the client to access or switch the wireless network, and further reduces the impact on the application layer when the client accesses or switches the wireless network.
- In one embodiment of the present invention, the DHCP request information and the DHCP response information are each added to the EAPOL-KEY packet as an extension of the key data (KEY Data) field, in the vendor specific information element (VSIE) format.
- For the four-way handshake and the EAPOL-KEY packet, reference may be made to related protocols such as 802.11; the VSIE format may likewise be found in related protocols such as 802.11, and details are not repeated here.
- In one embodiment of the present invention, the sname and file fields are omitted from both the DHCP request information and the DHCP response information. This reduces the length of the VSIE formed from the DHCP request information or the DHCP response information: the sname and file fields are omitted during transmission, and the receiving side (ie, the authentication end) treats these two fields as 0 by default.
- In one embodiment of the present invention, the DHCP request information and the DHCP response information are each encrypted with the EAPOL-Key Encryption Key (KEK). This ensures security.
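The handshake described in the steps above (ANonce in message 1; SNonce, MIC and a compacted DHCP request in message 2; MIC-gated DHCP processing and the response in message 3) as an added Python example; this is not code from the patent. It serves both the method description and the system description, and the following are assumptions: the 802.11i HMAC-SHA1 PRF for the PTK (with MAC addresses as the attribute information), an HMAC-SHA1-128 MIC, a placeholder OUI, and a stand-in DHCP server; the KEK encryption of the VSIE payload is left out because the standard library has no AES key wrap.

```python
import hashlib
import hmac
import os
import struct

# BOOTP/DHCP fixed header: 44 bytes precede sname (64) and file (128); 236 bytes in total.
HDR_LEN, SNAME_FILE_LEN = 44, 192
HDR_FMT = "!BBBBIHHIIII16s"        # op, htype, hlen, hops, xid, secs, flags, 4 addrs, chaddr
MAGIC_COOKIE = b"\x63\x82\x53\x63"
VSIE_ID = 221                      # 802.11 vendor-specific information element id
OUI = b"\x00\x00\x00"              # placeholder OUI (assumption; the patent names none)

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF built from HMAC-SHA1 (assumed; the patent does not name a PRF)."""
    out, i = b"", 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK from PMK, both MAC addresses and both nonces -> (KCK, KEK, TK); order-independent."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return ptk[:16], ptk[16:32], ptk[32:48]

def compact_dhcp(msg: bytes) -> bytes:
    """Drop the sname and file fields before the DHCP message rides in Key Data."""
    return msg[:HDR_LEN] + msg[HDR_LEN + SNAME_FILE_LEN:]

def expand_dhcp(compact: bytes) -> bytes:
    """Receiver side: treat the omitted sname and file fields as all zeros."""
    return compact[:HDR_LEN] + bytes(SNAME_FILE_LEN) + compact[HDR_LEN:]

def to_vsie(payload: bytes) -> bytes:
    """Wrap a payload as one VSIE; an IE body is at most 255 bytes, so oversize is refused."""
    body = OUI + payload
    if len(body) > 255:
        raise ValueError("DHCP message too large for a single VSIE")
    return bytes([VSIE_ID, len(body)]) + body

def from_vsie(key_data: bytes) -> bytes:
    """Walk the IE list in Key Data and return the payload of the first VSIE with our OUI."""
    pos = 0
    while pos + 2 <= len(key_data):
        eid, ln = key_data[pos], key_data[pos + 1]
        body = key_data[pos + 2:pos + 2 + ln]
        if eid == VSIE_ID and body[:3] == OUI:
            return body[3:]
        pos += 2 + ln
    raise ValueError("no DHCP VSIE in Key Data")

def build_dhcp_request(xid: int, mac: bytes, requested_ip: bytes) -> bytes:
    """Constructed DHCPREQUEST (op=1) carrying options 53 (type 3) and 50 (requested IP)."""
    hdr = struct.pack(HDR_FMT, 1, 1, 6, 0, xid, 0, 0, 0, 0, 0, 0, mac.ljust(16, b"\0"))
    opts = MAGIC_COOKIE + b"\x35\x01\x03" + b"\x32\x04" + requested_ip + b"\xff"
    return hdr + bytes(SNAME_FILE_LEN) + opts

def dhcp_server(request: bytes) -> bytes:
    """Stand-in for the DHCP server (often the router itself): ACK the requested address."""
    hdr = list(struct.unpack(HDR_FMT, request[:HDR_LEN]))
    opts = request[HDR_LEN + SNAME_FILE_LEN + 4:]
    requested = opts[opts.index(b"\x32\x04") + 2:][:4]
    hdr[0] = 2                                    # BOOTREPLY
    hdr[8] = struct.unpack("!I", requested)[0]    # yiaddr = the requested address
    ack_opts = MAGIC_COOKIE + b"\x35\x01\x05" + b"\xff"   # DHCPACK
    return struct.pack(HDR_FMT, *hdr) + bytes(SNAME_FILE_LEN) + ack_opts

def mic_over(kck: bytes, snonce: bytes, key_data: bytes) -> bytes:
    """HMAC-SHA1-128 MIC over the message with its MIC field zeroed (assumed AES-CCMP suite)."""
    return hmac.new(kck, snonce + bytes(16) + key_data, hashlib.sha1).digest()[:16]

def supplicant_msg2(pmk, aa, spa, anonce, snonce, dhcp_request):
    """Message 2: SNonce | MIC | Key Data, where Key Data holds the compacted DHCP request."""
    kck, _, _ = derive_ptk(pmk, aa, spa, anonce, snonce)
    key_data = to_vsie(compact_dhcp(dhcp_request))
    return snonce + mic_over(kck, snonce, key_data) + key_data

def authenticator_on_msg2(pmk, aa, spa, anonce, msg2):
    """Derive the PTK, verify the MIC, and only then parse and answer the DHCP request.
    Returns (KEK, Key Data for message 3) or None when the MIC check fails."""
    snonce, mic, key_data = msg2[:32], msg2[32:48], msg2[48:]
    kck, kek, _ = derive_ptk(pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic, mic_over(kck, snonce, key_data)):
        return None                               # unauthenticated: drop, never reach DHCP
    ack = dhcp_server(expand_dhcp(from_vsie(key_data)))
    return kek, to_vsie(compact_dhcp(ack))        # to be KEK-wrapped in a real EAPOL-Key frame

if __name__ == "__main__":
    pmk = hashlib.pbkdf2_hmac("sha1", b"example-passphrase", b"ExampleSSID", 4096, 32)
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = os.urandom(32), os.urandom(32)
    msg2 = supplicant_msg2(pmk, aa, spa, anonce, snonce,
                           build_dhcp_request(0x1234, spa, bytes([192, 168, 1, 50])))
    kek, key_data3 = authenticator_on_msg2(pmk, aa, spa, anonce, msg2)
    print("message 3 yiaddr:", expand_dhcp(from_vsie(key_data3))[16:20].hex())
```

The point worth checking in any implementation is the order in `authenticator_on_msg2`: the DHCP request is only handed to the server after the MIC verifies, so a station that does not hold the PMK cannot get the access point to relay DHCP traffic for it.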
- An embodiment of the present invention also provides an IP address allocation system for a wireless network.
- The IP address allocation system of the wireless network includes an authentication end 10 and a client 20.
- The authentication end 10 is configured to generate an authentication end random number and send it to the client 20.
- The authentication end random number is a value that the authentication end 10 uses only once, and its type may include at least one of a timestamp, a large random number, and a serial number.
- The authentication end 10 is the authenticator and the client 20 is the applicant (supplicant); the authentication end 10 first broadcasts the authentication end random number within the wireless network so that the client 20 in the wireless network can receive it.
- The authentication end 10 sending the authentication end random number to the client 20 constitutes the first handshake between the authentication end 10 and the client 20: the authentication end 10 sends a message 1 to the client 20, and message 1 includes the authentication end random number generated by the authentication end 10.
- The authentication end 10 and the client 20 exchange data via EAPOL-KEY packets. That is, in the first handshake, the authentication end 10 sends an EAPOL-KEY packet carrying the authentication end random number to the client 20.
- The client 20 is configured to generate a client random number, generate a PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information, and send the client random number, the MIC, and the DHCP request information to the authentication end 10.
- After obtaining the authentication end random number sent by the authentication end 10, the client 20 generates a client random number. The client random number is a value used by the client 20 only once, and its type may include at least one of a timestamp, a large random number, a serial number, and the like.
- The client 20 generates a PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information, thereby completing the PTK update on the client side.
- The client 20 sends the client random number, the MIC, and the DHCP request information to the authentication end 10; that is, the client 20 and the authentication end 10 perform the second handshake, in which the client 20 sends a message 2 to the authentication end 10. Message 2 includes the client random number generated by the client 20, the MIC, and the DHCP request information, and the authentication end 10 receives message 2.
- The client 20 adds the client random number, the MIC, and the DHCP request information to an EAPOL-KEY packet and sends it to the authentication end 10.
- The authentication end 10 is further configured to generate a PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information, verify the MIC, determine the response information for the DHCP request information, and send the client 20 an indication of whether to install the encryption/global key together with the response information. More specifically, after receiving message 2, the authentication end 10 obtains the client random number generated by the client 20 and generates a PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information. Thus, the authentication end 10 completes the update of the PTK.
- After obtaining the response information, the authentication end 10 sends the response information and the GTK to the client 20. As shown in FIG. 2, the authentication end 10 and the client 20 perform the third handshake, in which the authentication end 10 sends a message 3 to the client 20; message 3 includes the response information and the GTK, so that the client 20 determines whether to install the encryption/global key.
- The authentication end 10 adds the response information and the GTK to an EAPOL-KEY packet and sends it to the client 20.
- The client 20 is further configured to install the encryption/global key, determine an IP address from the response information, and send the determination information to the authentication end 10 to complete the shared key authentication between the authentication end 10 and the client 20, and to communicate with the authentication end 10 according to the IP address. More specifically, the client 20 and the authentication end 10 perform the fourth handshake: after the client 20 sends the determination information to the authentication end 10, it is determined that the shared key authentication between the authentication end 10 and the client 20 is completed, which confirms the result of the four-way handshake, and at the same time the IP address of the client 20 is determined from the response information.
- The IP address allocation system of the wireless network in this embodiment completes the application for or renewal of the client IP address while the authentication end and the client perform the four-way handshake, so the IP address can be applied for or renewed as soon as the shared key authentication of the wireless link connection is established. That is, as soon as the shared key authentication of the wireless link connection is established, the upper-layer application can start to send and receive data without a separate step to apply for or renew an IP address. This reduces the time required for the client to access or switch the wireless network, and further reduces the impact on the application layer when the client accesses or switches the wireless network.
- In one embodiment of the present invention, the DHCP request information and the DHCP response information are each added to the EAPOL-KEY packet as an extension of the key data (KEY Data) field, in the vendor specific information element (VSIE) format.
- For the four-way handshake and the EAPOL-KEY packet, reference may be made to related protocols such as 802.11; the VSIE format may likewise be found in related protocols such as 802.11, and details are not repeated here.
- In one embodiment of the present invention, the sname and file fields are omitted from both the DHCP request information and the DHCP response information. This reduces the length of the VSIE formed from the DHCP request information or the DHCP response information: the sname and file fields are omitted during transmission, and the receiving side (ie, the authentication end 10) treats these two fields as 0 by default.
- In one embodiment of the present invention, the DHCP request information and the DHCP response information are each encrypted with the EAPOL-Key Encryption Key (KEK). This ensures security.
- In one embodiment of the present invention, the IP address allocation system of the wireless network further includes a DHCP server (not shown). The authentication end 10 is further configured to forward the DHCP request information to the DHCP server, and the DHCP server is configured to send the response information to the authentication end 10. More specifically, as shown in FIG. 2, after completing the update of the PTK, the authentication end 10 forwards the received DHCP request information to the DHCP server for processing and obtains the processing result of the DHCP server. Generally, if the authentication end 10 is a home router, this DHCP server is the authentication end 10 itself.
- an embodiment of the present invention also proposes an authentication end.
- the authentication terminal 10 includes: a first generation module 110, a first sending module 120, a first receiving module 130, a second generating module 140, a checking module 150, a confirming module 160, a second sending module 170, and The second receiving module 180.
- the first generation module 110 is configured to generate an authentication end random number.
- the authentication end random number is only 10 for the authentication end.
- the type may include at least one of a time stamp, a large random number, and a serial number.
- the first sending module 120 is configured to send the authentication end random number to the client 20.
- the first sending module 120 sends the authentication end random number to the client 20 through the EAPOL-KEY packet.
- the first receiving module 130 is configured to receive the client random number, the MIC, and the DHCP request information sent by the client 20, where the client 20 generates the client random number, which is a value used by the client only once and whose type may include at least one of a timestamp, a large random number, and a serial number, and generates the temporary pairwise key PTK according to the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information, thereby implementing the PTK update of the client 20.
- the client 20 sends the client random number, MIC and DHCP request information to the first receiving module 130.
- the client 20 adds the client random number, MIC and DHCP request information to the EAPOL-KEY packet and sends it to the first receiving module 130.
- the second generation module 140 is configured to generate a temporary pairwise key PTK according to the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information, so that the authentication end 10 completes the update of the PTK.
- the verification module 150 is used to verify the MIC.
- the confirmation module 160 is configured to determine response information for the DHCP request information. More specifically, the confirmation module 160 forwards the DHCP request information to the DHCP server; the confirmation module 160 receives the response information fed back by the DHCP server. If the authentication terminal 10 is a home router, the DHCP server is the authentication terminal 10 itself.
- the second sending module 170 is configured to send to the client 20 whether to install the encryption/integrity key, together with the response information, so that the client 20 installs the encryption/integrity key and determines the IP address according to the response information. In one embodiment of the present invention, the second sending module 170 sends whether to install the encryption/integrity key and the response information to the client 20 via the EAPOL-KEY packet.
- the second receiving module 180 is configured to receive the determination information sent by the client 20 to complete the shared key authentication of the authentication terminal 10 and the client 20, and communicate with the client 20 according to the IP address.
- client 20 transmits the determination information to second receiving module 180 via the EAPOL-KEY packet.
- the request information and the reply message are respectively added to the EAPOL-KEY packet as an extension of the Key Data field, in the vendor specific information element (VSIE) format.
- for the four-way handshake and the EAPOL-KEY packet, reference may be made to related protocols such as 802.11; the VSIE format may likewise follow related protocols such as 802.11, and details are not described here again.
- the request information and the reply message respectively omit the sname and file fields. Therefore, the length of the VSIE formed by the DHCP request information and the DHCP response information is reduced; the sname and file fields of the DHCP request information are omitted during transmission, and the receiving side (i.e., the authentication end 10) treats the two fields as 0 by default.
- the request information and the reply message are respectively encrypted with the KEK. This ensures security.
- the authentication end of the embodiment of the present invention receives the DHCP request information while receiving the client random number and the MIC sent by the client, and sends the response information to the DHCP request information while sending whether to install the encryption/integrity key, so that the application or renewal of the client IP address is completed while the authentication end and the client perform the four-way handshake, thereby reducing the time required for the client to access or switch the wireless network, and further reducing the time during which the application layer is affected when the client accesses or switches the wireless network.
- an embodiment of the present invention also proposes a client.
- FIG. 5 is a structural block diagram of a client according to an embodiment of the present invention.
- the client 20 includes: a first receiving module 210, a first generating module 220, a second generating module 230, a first sending module 240, a second receiving module 250, and a second sending module 260.
- the first receiving module 210 is configured to receive the authentication end random number sent by the authentication end 10.
- the authentication end 10 sends the authentication end random number to the first receiving module 210 through the EAPOL-KEY packet.
- the first generation module 220 is configured to generate a client random number.
- the authentication end random number is a value that the authentication end 10 uses only once, and the type may include at least one of a time stamp, a large random number, and a serial number.
- the client random number is a value that the client 20 uses only once, and the type may include at least one of a time stamp, a large random number, and a serial number.
- the second generation module 230 is configured to generate a PTK according to the authentication end random number, the client random number, the PMK, the authentication end attribute information, and the client attribute information. Thereby, the PTK update of the client 20 is implemented.
- the first sending module 240 is configured to send the client random number, MIC, and DHCP request information to the authentication terminal 10. In one embodiment of the present invention, the first sending module 240 adds the client random number, MIC, and DHCP request information to the EAPOL-KEY packet and sends it to the authentication terminal 10.
- the second receiving module 250 is configured to receive, from the authentication terminal 10, whether to install the encryption/integrity key and the response information to the DHCP request information, to install the encryption/integrity key, and to determine the IP address according to the response information.
- the authentication terminal 10 adds whether to install the encryption/integrity key and the response information to the DHCP request information to the EAPOL-KEY packet and transmits it to the client 20.
- the second sending module 260 is configured to send the determining information to the authentication end 10 to complete the shared key authentication of the authentication end 10 and the client 20, and communicate with the authentication end according to the IP address.
- the second sending module 260 adds the determination information to the EAPOL-KEY packet and sends it to the authentication terminal 10.
- the request information and the reply message are respectively added to the EAPOL-KEY packet as an extension of the Key Data field, in the vendor specific information element (VSIE) format.
- for the four-way handshake and the EAPOL-KEY packet, reference may be made to related protocols such as 802.11; the VSIE format may likewise follow related protocols such as 802.11, and details are not described here again.
- the request information and the reply message respectively omit the sname and file fields. Therefore, the length of the VSIE formed by the DHCP request information and the DHCP response information is reduced; the sname and file fields of the DHCP request information are omitted during transmission, and the receiving side (i.e., the authentication end) treats the two fields as 0 by default.
- the request information and the reply message are respectively encrypted with the KEK. This ensures security.
- the client of the embodiment of the present invention sends the DHCP request information while sending the client random number and the MIC, and receives the response information to the DHCP request information while receiving whether to install the encryption/integrity key, so that the application or renewal of the client IP address is completed while the authentication end and the client perform the four-way handshake, thereby reducing the time required for the client to access or switch the wireless network, and further reducing the time during which the application layer is affected when the client accesses or switches the wireless network.
- portions of the invention may be implemented in hardware, software, firmware or a combination thereof.
- multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system.
- for example, if implemented in hardware, as in another embodiment, it can be implemented by any one or a combination of the following techniques well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), and so on.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Proposed are an IP address allocation method and system for a wireless network. The method comprises: generating an authenticator random number and sending it to a client; receiving a client random number, a MIC and DHCP request information sent by the client; checking the MIC, determining response information for the DHCP request information, and sending to the client whether to install an encryption/integrity key together with the response information; and receiving determination information sent by the client, so as to complete shared key authentication with the client, and communicating with the client according to an IP address. By means of the IP address allocation method for a wireless network in the embodiments of the present invention, the time needed for the client to access or switch a wireless network is reduced, and further, the time during which the application layer is affected when the client accesses or switches wireless networks is reduced.
Description
This application claims priority to Chinese Patent Application No. 201510262722.9, filed on May 21, 2015 and entitled "IP address allocation method and system for wireless network", the entire contents of which are incorporated herein by reference.
The present invention relates to the field of wireless communication technologies, and in particular to an IP address allocation method and system, an authentication end, and a client for a wireless network.
In wireless networks such as Wi-Fi (Wireless Fidelity), for reasons of security and convenience, WPA (Wi-Fi Protected Access) based on a PSK (pre-shared key) is usually used.
However, when accessing such a wireless network, the authentication end, such as a wireless access point (AP), and the client, such as a station, perform authentication and key negotiation through a four-way handshake of EAPOL-Key (EAP (Extensible Authentication Protocol) over LAN (Local Area Network) Key) packets. After the key negotiation completes, if the client is configured for dynamic IP acquisition, it must obtain or renew the last-used IP address through DHCP (Dynamic Host Configuration Protocol). The problem with the related art is that when a client accesses or switches a wireless network, IP address acquisition or renewal begins only after the wireless link-layer connection is established, so establishing a usable network connection takes a long time.
Summary of the invention
The present invention aims to solve, at least to some extent, one of the technical problems in the related art.
To this end, a first object of the present invention is to provide an IP address allocation method for a wireless network. This method reduces the time required for a client to access or switch a wireless network.
A second object of the present invention is to provide an IP address allocation system for a wireless network.
A third object of the present invention is to provide an authentication end.
A fourth object of the present invention is to provide a client.
In order to achieve the above object, an IP address allocation method for a wireless network according to an embodiment of the first aspect of the present invention includes: generating an authentication end random number and sending it to a client; receiving a client random number, a message integrity check code MIC and dynamic host configuration protocol DHCP request information sent by the client, where the client generates the client random number and generates a temporary pairwise key PTK according to the authentication end random number, the client random number, a pairwise master key PMK, authentication end attribute information and client attribute information; generating the temporary pairwise key PTK according to the authentication end random number, the client random number, the pairwise master key PMK, the authentication end attribute information and the client attribute information, verifying the MIC, determining response information for the DHCP request information, and sending to the client whether to install an encryption/integrity key together with the response information, so that the client installs the encryption/integrity key and determines an IP address according to the response information; and receiving determination information sent by the client to complete shared key authentication with the client, and communicating with the client according to the IP address.
In the IP address allocation method for a wireless network of the embodiment of the present invention, the application or renewal of the client IP address is completed while performing the four-way handshake with the client, so that the IP address can be applied for or renewed as soon as the shared key authentication of the wireless link connection is established. That is, as soon as the shared key authentication of the wireless link connection is established, upper-layer applications can begin communicating, sending and receiving data, without a further IP address application or renewal, thereby reducing the time required for the client to access or switch the wireless network and, further, reducing the time during which the application layer is affected when the client accesses or switches the wireless network.
In order to achieve the above object, an IP address allocation system for a wireless network according to an embodiment of the second aspect of the present invention includes an authentication end and a client, where the authentication end is configured to generate an authentication end random number and send it to the client; the client is configured to generate a client random number, generate a temporary pairwise key PTK according to the authentication end random number, the client random number, a pairwise master key PMK, authentication end attribute information and client attribute information, and send the client random number, a message integrity check code MIC and dynamic host configuration protocol DHCP request information to the authentication end; the authentication end is further configured to generate the temporary pairwise key PTK according to the authentication end random number, the client random number, the pairwise master key PMK, the authentication end attribute information and the client attribute information, verify the MIC, determine response information for the DHCP request information, and send to the client whether to install an encryption/integrity key together with the response information; and the client is further configured to install the encryption/integrity key, determine an IP address according to the response information, send determination information to the authentication end to complete shared key authentication between the authentication end and the client, and communicate with the authentication end according to the IP address.
In the IP address allocation system for a wireless network of the embodiment of the present invention, the application or renewal of the client IP address is completed while the authentication end and the client perform the four-way handshake, so that the IP address can be applied for or renewed as soon as the shared key authentication of the wireless link connection is established. That is, as soon as the shared key authentication of the wireless link connection is established, upper-layer applications can begin communicating, sending and receiving data, without a further IP address application or renewal, thereby reducing the time required for the client to access or switch the wireless network and, further, reducing the time during which the application layer is affected when the client accesses or switches the wireless network.
In order to achieve the above object, an authentication end according to an embodiment of the third aspect of the present invention includes: a first generation module, configured to generate an authentication end random number; a first sending module, configured to send the authentication end random number to a client; a first receiving module, configured to receive a client random number, a message integrity check code MIC and dynamic host configuration protocol DHCP request information sent by the client, where the client generates the client random number and generates a temporary pairwise key PTK according to the authentication end random number, the client random number, a pairwise master key PMK, authentication end attribute information and client attribute information; a second generation module, configured to generate the temporary pairwise key PTK according to the authentication end random number, the client random number, the pairwise master key PMK, the authentication end attribute information and the client attribute information; a verification module, configured to verify the MIC; a confirmation module, configured to determine response information for the DHCP request information; a second sending module, configured to send to the client whether to install an encryption/integrity key together with the response information, so that the client installs the encryption/integrity key and determines an IP address according to the response information; and a second receiving module, configured to receive determination information sent by the client to complete shared key authentication with the client, and to communicate with the client according to the IP address.
The authentication end of the embodiment of the present invention receives the DHCP request information while receiving the client random number and the MIC sent by the client, and sends the response information to the DHCP request information while sending whether to install the encryption/integrity key, so that the application or renewal of the client IP address is completed while the authentication end and the client perform the four-way handshake, thereby reducing the time required for the client to access or switch the wireless network and, further, reducing the time during which the application layer is affected when the client accesses or switches the wireless network.
In order to achieve the above object, a client according to an embodiment of the fourth aspect of the present invention includes: a first receiving module, configured to receive an authentication end random number sent by an authentication end; a first generation module, configured to generate a client random number; a second generation module, configured to generate a temporary pairwise key PTK according to the authentication end random number, the client random number, a pairwise master key PMK, authentication end attribute information and client attribute information; a first sending module, configured to send the client random number, a message integrity check code MIC and dynamic host configuration protocol DHCP request information to the authentication end; a second receiving module, configured to receive, from the authentication end, whether to install an encryption/integrity key and response information to the DHCP request information, to install the encryption/integrity key and to determine an IP address according to the response information; and a second sending module, configured to send determination information to the authentication end to complete shared key authentication between the authentication end and the client, and to communicate with the authentication end according to the IP address.
The client of the embodiment of the present invention sends the DHCP request information while sending the client random number and the MIC, and receives the response information to the DHCP request information while receiving whether to install the encryption/integrity key, so that the application or renewal of the client IP address is completed while the authentication end and the client perform the four-way handshake, thereby reducing the time required for the client to access or switch the wireless network and, further, reducing the time during which the application layer is affected when the client accesses or switches the wireless network.
Additional aspects and advantages of the present invention will be given in part in the following description, will become apparent in part from the following description, or will be learned through practice of the present invention.
The above and/or additional aspects and advantages of the present invention will become apparent and readily understood from the following description of the embodiments in conjunction with the accompanying drawings, in which:
FIG. 1 is a flow chart of an IP address allocation method for a wireless network according to an embodiment of the present invention;
FIG. 2 is a flow chart of a four-way handshake according to an embodiment of the present invention;
FIG. 3 is a structural block diagram of an IP address allocation system for a wireless network according to an embodiment of the present invention;
FIG. 4 is a structural block diagram of an authentication end according to an embodiment of the present invention;
FIG. 5 is a structural block diagram of a client according to an embodiment of the present invention.
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals denote the same or similar elements, or elements having the same or similar functions, throughout. The embodiments described below with reference to the accompanying drawings are exemplary and are intended only to explain the present invention; they are not to be construed as limiting it. On the contrary, the embodiments of the present invention include all changes, modifications and equivalents falling within the spirit and scope of the appended claims.
In the description of the present invention, it should be noted that, unless otherwise expressly specified and limited, the terms "connected" and "coupled" are to be understood broadly: for example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; and it may be direct or indirect through an intermediate medium. Those of ordinary skill in the art can understand the specific meanings of the above terms in the present invention according to the specific situation. In addition, in the description of the present invention, unless otherwise stated, "a plurality" means two or more.
Any process or method description in a flowchart, or otherwise described herein, may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing the steps of a specific logical function or process, and the scope of the preferred embodiments of the present invention includes additional implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order, depending on the functions involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.
In the related art, in order to ensure the security of wireless communication, when a wireless link connection is established between the authentication end and the client, shared key authentication between the authentication end and the client is performed first; only after the shared key authentication does the client apply for or renew an IP address, and only with the applied-for or renewed IP address can data be forwarded and received between the authentication end and the client. This process, however, makes establishing the wireless link connection slow when the client accesses or switches a wireless network. The shared key authentication between the authentication end and the client is implemented through a four-way handshake; if the IP address application or renewal could be carried out during the four-way handshake, the time needed to apply for or renew the IP address could be saved, so that establishing the wireless link connection when the client accesses or switches the wireless network would take less time. Based on this idea, the present invention provides an IP address allocation method and system, an authentication end and a client for a wireless network, which are described in detail below with reference to the accompanying drawings.
FIG. 1 is a flow chart of an IP address allocation method for a wireless network according to an embodiment of the present invention, and FIG. 2 is a flow chart of a four-way handshake according to an embodiment of the present invention. The IP address allocation method for a wireless network of the embodiment of the present invention is described below with reference to FIG. 1 and FIG. 2.
As shown in FIG. 1, the IP address allocation method for the wireless network includes:
S101. The authentication end generates an authentication end random number ANonce (Authenticator Nonce) and sends it to the client. The authentication end may be a wireless access point (AP), a wireless router, or the like; the client may be a station, a mobile device, a wireless device, or the like. That is, the authentication end and the client are devices deployed in the wireless network; the authentication end is responsible for authenticating the identity of the client and for communicating with the client. The embodiments of the present invention do not limit the specific devices used as the authentication end and the client.
Specifically, the authentication end random number is a value that the authentication end uses only once, and its type may include at least one of a timestamp, a large random number, and a serial number. The authentication end is the authenticator and the client is the applicant (supplicant); the authentication end first broadcasts the authentication end random number within the range of the wireless network so that clients within that range can receive it.
As shown in FIG. 2, the authentication end sends the authentication end random number to the client; that is, the authentication end and the client perform the first handshake: the authentication end sends message 1 to the client, and message 1 contains the authentication end random number generated by the authentication end.
In an embodiment of the present invention, the authentication end and the client send data through EAPOL-KEY (EAP (Extensible Authentication Protocol) over LAN (Local Area Network)) packets. That is, in the first handshake, the authentication end sends to the client an EAPOL-KEY packet carrying the authentication end random number.
S102. The authentication end receives the client random number, the MIC (Message Integrity Code) and the DHCP (Dynamic Host Configuration Protocol) request information sent by the client, where the client generates the client random number and generates a PTK (Pairwise Transient Key) from the authentication end random number, the client random number, the PMK (Pairwise Master Key), the authentication end attribute information and the client attribute information. The authentication end attribute information and the client attribute information may be information that uniquely identifies the corresponding device, for example a unique device identifier or a MAC (Media Access Control) address.
Specifically, after obtaining the authentication end random number sent by the authentication end, the client generates a client random number SNonce (Supplicant Nonce); the client random number is a value that the client uses only once, and its type may include at least one of a timestamp, a large random number and a sequence number. The client then generates the PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information and the client attribute information, thereby completing the PTK update on the client. Then, as shown in Figure 2, the client sends the client random number, the MIC and the DHCP request information to the authentication end, that is, the client and the authentication end perform the second handshake: the client sends message 2 to the authentication end, message 2 contains the client random number generated by the client, the MIC and the DHCP request information, and the authentication end receives message 2.
Likewise, in one embodiment of the present invention, the client adds the client random number, the MIC and the DHCP request information to an EAPOL-KEY packet and sends it to the authentication end.
S103. The authentication end generates the PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information and the client attribute information, verifies the MIC, determines the response information for the DHCP request information, and sends the client an indication of whether to install the encryption/integrity key together with the response information, so that the client installs the encryption/integrity key and determines its IP address from the response information.
Specifically, after receiving message 2 the authentication end obtains the client random number generated by the client and generates the PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information and the client attribute information, thereby completing the PTK update on the authentication end.
In one embodiment of the present invention, after the authentication end has completed the PTK update, the IP address allocation method for the wireless network further includes: the authentication end forwards the DHCP request information to a DHCP server; the authentication end receives the response information returned by the DHCP server. Specifically, as shown in Figure 2, the client adds the DHCP request information to message 2 of the second handshake, and the authentication end hands the received DHCP request information to the DHCP server for processing and obtains the DHCP server's result. Typically, if the authentication end is a home router, the DHCP server is the authentication end itself.
After obtaining the response information, the authentication end sends the response information and the group transient key GTK (Group Transient Key) to the client. As shown in Figure 2, the authentication end and the client perform the third handshake, that is, the authentication end sends message 3 to the client; message 3 includes the response information and the GTK, so that the client can decide whether to install the encryption/integrity key. Likewise, in one embodiment of the present invention, the authentication end adds the response information and the GTK to an EAPOL-KEY packet and sends it to the client.
S104. The authentication end receives the confirmation information sent by the client, completing the shared key authentication between the wireless access point and the client, and communicates with the client using the IP address.
Specifically, the client and the authentication end perform the fourth handshake. After the client sends the confirmation information to the authentication end, the shared key authentication between the authentication end and the client is determined to be complete, confirming the result of this four-way handshake; at the same time, the client's IP address is determined from the response information.
With the IP address allocation method for a wireless network of the embodiments of the present invention, the client's IP address is requested or renewed while the authentication end and the client perform the four-way handshake, so the IP address can be requested or renewed as soon as the shared key authentication of the wireless link connection is established. In other words, once the shared key authentication of the wireless link is established, upper-layer applications can begin sending and receiving data without a separate IP address request or renewal. This reduces the time a client needs to join or switch wireless networks and, further, reduces the time during which the application layer is affected when the client joins or switches networks.
In one embodiment of the present invention, the request information and the response message are each added to the EAPOL-KEY packet as an extension of the key data (KEY data) in the vendor-specific information element (VSIE) format. Specifically, the four-way handshake and the EAPOL-KEY packet follow related protocols such as 802.11, and the VSIE format likewise follows related protocols such as 802.11; they are not described further here.
In one embodiment of the present invention, the request information and the response message each omit the sname and file fields. This reduces the length of the VSIE formed from the DHCP request information and the DHCP response information: the sname and file fields of the DHCP request information are left out during transmission, and the receiver (that is, the authentication end) treats both fields as zero by default when processing it.
In one embodiment of the present invention, the request information and the response message are each encrypted with the EAPOL-KEY encryption key KEK (EAPOL-Key Encryption Key), which ensures security.
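As an added example (not the patent's code), the following Python models steps S101 to S104 with the DHCP request carried in message 2 and the DHCP response in message 3: the PTK is derived from the PMK, both addresses and both nonces with the 802.11 PRF-384, the MIC is verified with the KCK before the piggybacked DHCP request is accepted, and the DHCP body travels as a vendor-specific KDE with the sname and file fields left off the wire and zero-filled by the receiver. The KDE OUI/type values, MAC addresses, PMK, nonces and group key are constructed placeholders, and the KEK encryption of the Key Data is not modelled.

```python
"""Added example, not the patent's code: simulate the four-way handshake described above
with the DHCP request riding in message 2 and the DHCP reply riding in message 3."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Assumptions (not from the patent): placeholder OUI for the vendor-specific KDE, type 1 = GTK, 0x7F = DHCP.
KDE_OUI, KDE_GTK, KDE_DHCP = b"\x00\x00\x00", 0x01, 0x7F
# DHCP fixed header up to chaddr (44 bytes); sname (64 B) and file (128 B) stay off the wire.
DHCP_COMPACT = struct.Struct("!BBBBIHH4s4s4s4s16s")
DHCP_COOKIE = b"\x63\x82\x53\x63"
# Constructed sample inputs: a PMK, AP/STA MAC addresses and fixed nonces, for reproducibility.
PMK = bytes(range(32))
AA, SPA = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
ANONCE, SNONCE = bytes([0xA1]) * 32, bytes([0x5B]) * 32

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """802.11 PRF-384: PTK = PRF(PMK, "Pairwise key expansion", min/max of addresses and nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(3))
    return out[:48]  # KCK = [0:16] (MIC key), KEK = [16:32] (Key Data wrap), TK = [32:48]

def kde_wrap(kde_type, payload):
    """Pack a payload as a vendor-specific KDE: ID 0xDD, one-byte length, OUI, type, payload."""
    body = KDE_OUI + bytes([kde_type]) + payload
    if len(body) > 255:
        raise ValueError("KDE payload too long for the one-byte length field")
    return bytes([0xDD, len(body)]) + body

def kde_unwrap(key_data):
    """Return {type: payload} for every KDE in a Key Data field (stops at padding)."""
    kdes, pos = {}, 0
    while pos + 2 <= len(key_data) and key_data[pos] == 0xDD and key_data[pos + 1] >= 4:
        ln = key_data[pos + 1]
        body = key_data[pos + 2:pos + 2 + ln]
        kdes[body[3]] = body[4:]
        pos += 2 + ln
    return kdes

def dhcp_compact(op, xid, chaddr, yiaddr=b"\0" * 4, options=b""):
    """DHCP message with sname/file omitted (192 bytes saved); options follow the magic cookie."""
    hdr = DHCP_COMPACT.pack(op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4, yiaddr,
                            b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"))
    return hdr + DHCP_COOKIE + options

def dhcp_expand(compact):
    """Receiver side: rebuild the RFC 2131 layout, treating the absent sname/file as all zero."""
    return compact[:DHCP_COMPACT.size] + b"\0" * 192 + compact[DHCP_COMPACT.size:]

def eapol_key(kck, nonce, replay, key_data):
    """Minimal EAPOL-Key body: replay counter, nonce, MIC (HMAC-SHA1-128 under the KCK), length, Key Data."""
    def body(mic):
        return struct.pack("!Q", replay) + nonce + mic + struct.pack("!H", len(key_data)) + key_data
    if kck is None:  # message 1: no PTK exists yet, so no MIC
        return body(b"\0" * 16)
    return body(hmac.new(kck, body(b"\0" * 16), hashlib.sha1).digest()[:16])

def parse_eapol_key(frame):
    """Split a frame into (replay, nonce, mic, key_data)."""
    (ln,) = struct.unpack("!H", frame[56:58])
    return struct.unpack("!Q", frame[:8])[0], frame[8:40], frame[40:56], frame[58:58 + ln]

def mic_ok(kck, frame):
    """Recompute the MIC over the frame with the MIC field zeroed and compare in constant time."""
    expected = hmac.new(kck, frame[:40] + b"\0" * 16 + frame[56:], hashlib.sha1).digest()[:16]
    return hmac.compare_digest(expected, frame[40:56])

def run_handshake(pmk, aa, spa, anonce, snonce, offered_ip, tamper=False):
    """Run the four messages; `offered_ip` stands in for the DHCP server's decision."""
    m1 = eapol_key(None, anonce, 1, b"")                                    # AP -> STA: ANonce
    ptk_sta = derive_ptk(pmk, aa, spa, parse_eapol_key(m1)[1], snonce)     # STA derives PTK
    request = dhcp_compact(1, 0x3903F326, spa, options=b"\x35\x01\x03\xff")  # DHCPREQUEST
    m2 = eapol_key(ptk_sta[:16], snonce, 1, kde_wrap(KDE_DHCP, request))    # STA -> AP
    if tamper:
        m2 = m2[:-1] + bytes([m2[-1] ^ 0x01])                               # bit flipped in transit
    _, snonce_rx, _, kd2 = parse_eapol_key(m2)
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, snonce_rx)                    # AP derives PTK
    if not mic_ok(ptk_ap[:16], m2):
        return {"mic_ok": False}
    req_wire = kde_unwrap(kd2)[KDE_DHCP]
    full_request = dhcp_expand(req_wire)                                    # handed to the DHCP server
    xid = struct.unpack("!I", full_request[4:8])[0]
    reply = dhcp_compact(2, xid, spa, IPv4Address(offered_ip).packed, b"\x35\x01\x05\xff")  # DHCPACK
    gtk = hashlib.sha256(b"constructed gtk" + anonce).digest()[:16]         # stand-in group key
    m3 = eapol_key(ptk_ap[:16], anonce, 2, kde_wrap(KDE_GTK, gtk) + kde_wrap(KDE_DHCP, reply))
    if not mic_ok(ptk_sta[:16], m3):                                        # STA checks message 3
        return {"mic_ok": False}
    kdes = kde_unwrap(parse_eapol_key(m3)[3])
    client_ip = str(IPv4Address(dhcp_expand(kdes[KDE_DHCP])[16:20]))        # yiaddr
    m4 = eapol_key(ptk_sta[:16], b"\0" * 32, 2, b"")                        # STA -> AP: confirm
    return {"mic_ok": mic_ok(ptk_ap[:16], m4), "ptk_match": ptk_sta == ptk_ap, "client_ip": client_ip,
            "gtk_len": len(kdes[KDE_GTK]), "sname_file_zero": full_request[44:236] == b"\0" * 192,
            "bytes_saved": len(full_request) - len(req_wire)}
```

Calling `run_handshake(PMK, AA, SPA, ANONCE, SNONCE, "192.168.1.50")` returns the address the client would take from message 3 alongside the 192 bytes saved per DHCP body; with `tamper=True` the authentication end rejects message 2 on the MIC check and never forwards the request.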
To implement the above embodiments, an embodiment of the present invention further proposes an IP address allocation system for a wireless network.
Figure 3 is a structural block diagram of an IP address allocation system for a wireless network according to one embodiment of the present invention. As shown in Figure 3, the IP address allocation system for the wireless network includes an authentication end 10 and a client 20.
Specifically, the authentication end 10 is configured to generate an authentication end random number and send it to the client 20. The authentication end random number is a value that the authentication end 10 uses only once; its type may include at least one of a timestamp, a large random number and a sequence number. The authentication end 10 acts as the authenticator and the client 20 as the supplicant. The authentication end 10 first broadcasts the authentication end random number within the coverage of the wireless network so that clients 20 within that coverage can receive it.
As shown in Figure 2, the authentication end 10 sends the authentication end random number to the client 20, that is, the authentication end 10 and the client 20 perform the first handshake: the authentication end 10 sends message 1 to the client 20, and message 1 contains the authentication end random number generated by the authentication end 10.
In one embodiment of the present invention, the authentication end 10 and the client 20 exchange data through EAPOL-KEY packets. That is, in the first handshake the authentication end 10 sends the client 20 an EAPOL-KEY packet carrying the authentication end random number.
The client 20 is configured to generate a client random number, generate a PTK from the authentication end random number, the client random number, the PMK and the attribute information of the authentication end and the client, and send the client random number, the MIC and the DHCP request information to the authentication end 10. First, after obtaining the authentication end random number sent by the authentication end 10, the client 20 generates a client random number; the client random number is a value that the client 20 uses only once, and its type may include at least one of a timestamp, a large random number and a sequence number. The client 20 then generates the PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information and the client attribute information, thereby completing the PTK update on the client. Then, as shown in Figure 2, the client 20 sends the client random number, the MIC and the DHCP request information to the authentication end 10, that is, the client 20 and the authentication end 10 perform the second handshake: the client 20 sends message 2 to the authentication end 10, message 2 contains the client random number generated by the client 20, the MIC and the DHCP request information, and the authentication end 10 receives message 2.
Likewise, in one embodiment of the present invention, the client 20 adds the client random number, the MIC and the DHCP request information to an EAPOL-KEY packet and sends it to the authentication end 10.
The authentication end 10 is further configured to generate the PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information and the client attribute information, verify the MIC, determine the response information for the DHCP request information, and send the client 20 an indication of whether to install the encryption/integrity key together with the response information. More specifically, after receiving message 2 the authentication end 10 obtains the client random number generated by the client 20 and generates the PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information and the client attribute information, thereby completing the PTK update on the authentication end 10. After obtaining the response information, the authentication end 10 sends the response information and the GTK to the client 20. As shown in Figure 2, the authentication end 10 and the client 20 perform the third handshake, that is, the authentication end 10 sends message 3 to the client 20; message 3 includes the response information and the GTK, so that the client 20 can decide whether to install the encryption/integrity key. Likewise, in one embodiment of the present invention, the authentication end 10 adds the response information and the GTK to an EAPOL-KEY packet and sends it to the client 20.
The client 20 is further configured to install the encryption/integrity key, determine the IP address from the response information, send the confirmation information to the authentication end 10 to complete the shared key authentication between the authentication end 10 and the client 20, and communicate with the authentication end 10 using the IP address. More specifically, the client 20 and the authentication end 10 perform the fourth handshake. After the client 20 sends the confirmation information to the authentication end 10, the shared key authentication between the authentication end 10 and the client 20 is determined to be complete, confirming the result of this four-way handshake; at the same time, the IP address of the client 20 is determined from the response information.
With the IP address allocation system for a wireless network of the embodiments of the present invention, the client's IP address is requested or renewed while the authentication end and the client perform the four-way handshake, so the IP address can be requested or renewed as soon as the shared key authentication of the wireless link connection is established. In other words, once the shared key authentication of the wireless link is established, upper-layer applications can begin sending and receiving data without a separate IP address request or renewal. This reduces the time a client needs to join or switch wireless networks and, further, reduces the time during which the application layer is affected when the client joins or switches networks.
In one embodiment of the present invention, the request information and the response message are each added to the EAPOL-KEY packet as an extension of the key data (KEY data) in the vendor-specific information element (VSIE) format. Specifically, the four-way handshake and the EAPOL-KEY packet follow related protocols such as 802.11, and the VSIE format likewise follows related protocols such as 802.11; they are not described further here.
In one embodiment of the present invention, the request information and the response message each omit the sname and file fields. This reduces the length of the VSIE formed from the DHCP request information and the DHCP response information: the sname and file fields of the DHCP request information are left out during transmission, and the receiver (that is, the authentication end 10) treats both fields as zero by default when processing it.
In one embodiment of the present invention, the request information and the response message are each encrypted with the EAPOL-KEY encryption key KEK (EAPOL-Key Encryption Key), which ensures security.
In one embodiment of the present invention, the IP address allocation system for the wireless network further includes a DHCP server (not shown); the authentication end 10 is further configured to forward the DHCP request information to the DHCP server, and the DHCP server is configured to send the response information to the wireless access point 10. More specifically, as shown in Figure 2, after completing the PTK update the authentication end 10 hands the received DHCP request information to the DHCP server for processing and obtains the DHCP server's result. Typically, if the authentication end 10 is a home router, the DHCP server is the authentication end 10 itself.
To implement the above embodiments, an embodiment of the present invention further proposes an authentication end.
Figure 4 is a structural block diagram of an authentication end according to one embodiment of the present invention. As shown in Figure 4, the authentication end 10 includes: a first generation module 110, a first sending module 120, a first receiving module 130, a second generation module 140, a verification module 150, a confirmation module 160, a second sending module 170 and a second receiving module 180.
Specifically, the first generation module 110 is configured to generate the authentication end random number. The authentication end random number is a value that the authentication end 10 uses only once; its type may include at least one of a timestamp, a large random number and a sequence number.
The first sending module 120 is configured to send the authentication end random number to the client 20. In one embodiment of the present invention, the first sending module 120 sends the authentication end random number to the client 20 in an EAPOL-KEY packet.
The first receiving module 130 is configured to receive the client random number, the MIC and the DHCP request information sent by the client 20, where the client 20 generates the client random number, which is a value that the client uses only once and whose type may include at least one of a timestamp, a large random number and a sequence number, and generates the pairwise transient key PTK from the authentication end random number, the client random number, the PMK and the attribute information of the authentication end and the client, thereby completing the PTK update on the client 20. The client 20 sends the client random number, the MIC and the DHCP request information to the first receiving module 130; likewise, in one embodiment of the present invention, the client 20 adds the client random number, the MIC and the DHCP request information to an EAPOL-KEY packet and sends it to the first receiving module 130.
The second generation module 140 is configured to generate the pairwise transient key PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information and the client attribute information, so that the authentication end 10 completes the PTK update.
The verification module 150 is configured to verify the MIC.
The confirmation module 160 is configured to determine the response information for the DHCP request information. More specifically, the confirmation module 160 forwards the DHCP request information to the DHCP server and receives the response information returned by the DHCP server. If the authentication end 10 is a home router, the DHCP server is the authentication end 10 itself.
The second sending module 170 is configured to send the client 20 an indication of whether to install the encryption/integrity key together with the response information, so that the client 20 installs the encryption/integrity key and determines the IP address from the response information. In one embodiment of the present invention, the second sending module 170 sends the indication of whether to install the encryption/integrity key and the response information to the client 20 in an EAPOL-KEY packet.
The second receiving module 180 is configured to receive the confirmation information sent by the client 20 to complete the shared key authentication between the authentication end 10 and the client 20, and to communicate with the client 20 using the IP address. In one embodiment of the present invention, the client 20 sends the confirmation information to the second receiving module 180 in an EAPOL-KEY packet.
In one embodiment of the present invention, the request information and the response message are each added to the EAPOL-KEY packet as an extension of the key data (KEY data) in the vendor-specific information element (VSIE) format. Specifically, the four-way handshake and the EAPOL-KEY packet follow related protocols such as 802.11, and the VSIE format likewise follows related protocols such as 802.11; they are not described further here.
In one embodiment of the present invention, the request information and the response message each omit the sname and file fields. This reduces the length of the VSIE formed from the DHCP request information and the DHCP response information: the sname and file fields of the DHCP request information are left out during transmission, and the receiver (that is, the authentication end 10) treats both fields as zero by default when processing it.
In one embodiment of the present invention, the request information and the response message are each encrypted with the KEK, which ensures security.
The authentication end of the embodiments of the present invention receives the DHCP request information together with the client random number and the MIC sent by the client, and sends the response information for the DHCP request information together with the indication of whether to install the encryption/integrity key, so that the client's IP address is requested or renewed while the authentication end and the client perform the four-way handshake. This reduces the time a client needs to join or switch wireless networks and, further, reduces the time during which the application layer is affected when the client joins or switches networks.
To implement the above embodiments, an embodiment of the present invention further proposes a client.
Figure 5 is a structural block diagram of a client according to one embodiment of the present invention. As shown in Figure 5, the client 20 includes: a first receiving module 210, a first generation module 220, a second generation module 230, a first sending module 240, a second receiving module 250 and a second sending module 260.
The first receiving module 210 is configured to receive the authentication end random number sent by the authentication end 10. In one embodiment of the present invention, the authentication end 10 sends the authentication end random number to the first receiving module 210 in an EAPOL-KEY packet.
The first generation module 220 is configured to generate the client random number.
The authentication end random number is a value that the authentication end 10 uses only once; its type may include at least one of a timestamp, a large random number and a sequence number. The client random number is a value that the client 20 uses only once; its type may include at least one of a timestamp, a large random number and a sequence number.
The second generation module 230 is configured to generate the PTK from the authentication end random number, the client random number, the PMK, the authentication end attribute information and the client attribute information, thereby completing the PTK update on the client 20.
The first sending module 240 is configured to send the client random number, the MIC and the DHCP request information to the authentication end 10. In one embodiment of the present invention, the first sending module 240 adds the client random number, the MIC and the DHCP request information to an EAPOL-KEY packet and sends it to the authentication end 10.
The second receiving module 250 is configured to receive, from the authentication end 10, the indication of whether to install the encryption/integrity key and the response information for the DHCP request information, so as to install the encryption/integrity key and determine the IP address from the response information. In one embodiment of the present invention, the authentication end 10 adds the indication of whether to install the encryption/integrity key and the response information for the DHCP request information to an EAPOL-KEY packet and sends it to the client 20.
The second sending module 260 is configured to send the confirmation information to the authentication end 10 to complete the shared key authentication between the authentication end 10 and the client 20, and to communicate with the authentication end using the IP address. In one embodiment of the present invention, the second sending module 260 adds the confirmation information to an EAPOL-KEY packet and sends it to the authentication end 10.
In one embodiment of the present invention, the request information and the response message are each added to the EAPOL-KEY packet as an extension of the key data (KEY data) in the vendor-specific information element (VSIE) format. Specifically, the four-way handshake and the EAPOL-KEY packet follow related protocols such as 802.11, and the VSIE format likewise follows related protocols such as 802.11; they are not described further here.
In one embodiment of the present invention, the request information and the response message each omit the sname and file fields. This reduces the length of the VSIE formed from the DHCP request information and the DHCP response information: the sname and file fields of the DHCP request information are left out during transmission, and the receiver (that is, the authentication end) treats both fields as zero by default when processing it.
In one embodiment of the present invention, the request information and the response message are each encrypted with the KEK, which ensures security.
The client of the embodiments of the present invention sends the DHCP request information together with the client random number and the MIC, and receives the response information for the DHCP request information together with the indication of whether to install the encryption/integrity key, so that the client's IP address is requested or renewed while the authentication end and the client perform the four-way handshake. This reduces the time a client needs to join or switch wireless networks and, further, reduces the time during which the application layer is affected when the client joins or switches networks.
It should be understood that the various parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented with any one or a combination of the following techniques well known in the art: discrete logic circuits having logic gate circuits for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gate circuits, programmable gate arrays (PGA), field-programmable gate arrays (FPGA), and so on.
In this specification, a description that refers to the terms "one embodiment", "some embodiments", "example", "specific example", "some examples" or the like means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, such references to these terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described, those of ordinary skill in the art will understand that various changes, modifications, substitutions and variations may be made to these embodiments without departing from the principles and purpose of the invention; the scope of the invention is defined by the claims and their equivalents.
Claims (12)
- An IP address allocation method for a wireless network, comprising:
  generating an authentication-end random number and sending it to a client;
  receiving a client random number, a message integrity check code MIC and Dynamic Host Configuration Protocol DHCP request message sent by the client, wherein the client generates the client random number and generates a pairwise transient key PTK from the authentication-end random number, the client random number, a pairwise master key PMK, authentication-end attribute information and client attribute information;
  generating the pairwise transient key PTK from the authentication-end random number, the client random number, the pairwise master key PMK, the authentication-end attribute information and the client attribute information, verifying the MIC, determining a reply message to the DHCP request message, and sending to the client an indication of whether to install the encryption/integrity key together with the reply message, so that the client installs the encryption/integrity key and determines an IP address from the reply message;
  receiving a confirmation message sent by the client to complete shared-key authentication with the client, and communicating with the client using the IP address.
- The IP address allocation method for a wireless network according to claim 1, wherein data is sent to the client in EAPOL-KEY packets.
- The IP address allocation method for a wireless network according to claim 2, wherein the request message and the reply message are each added to the EAPOL-KEY packet, in vendor-specific information element VSIE format, as an extension of the key data KEY data.
- The IP address allocation method for a wireless network according to claim 3, wherein the request message and the reply message each omit the sname and file fields and are encrypted with the EAPOL-KEY encryption key KEK.
- The IP address allocation method for a wireless network according to claim 1, further comprising:
  forwarding the DHCP request message to a DHCP server;
  receiving the reply message returned by the DHCP server.
- An IP address allocation system for a wireless network, comprising an authentication end and a client, wherein
  the authentication end is configured to generate an authentication-end random number and send it to the client;
  the client is configured to generate a client random number, to generate a pairwise transient key PTK from the authentication-end random number, the client random number, a pairwise master key PMK, authentication-end attribute information and client attribute information, and to send the client random number, a message integrity check code MIC and Dynamic Host Configuration Protocol DHCP request message to the authentication end;
  the authentication end is further configured to generate the pairwise transient key PTK from the authentication-end random number, the client random number, the pairwise master key PMK, the authentication-end attribute information and the client attribute information, to verify the MIC, to determine a reply message to the DHCP request message, and to send to the client an indication of whether to install the encryption/integrity key together with the reply message;
  the client is further configured to install the encryption/integrity key, to determine an IP address from the reply message, to send a confirmation message to the authentication end to complete shared-key authentication between the authentication end and the client, and to communicate with the authentication end using the IP address.
- The IP address allocation system for a wireless network according to claim 6, wherein the authentication end and the client send data in EAPOL-KEY packets.
- The IP address allocation system for a wireless network according to claim 7, wherein the request message and the reply message are each added to the EAPOL-KEY packet, in vendor-specific information element VSIE format, as an extension of the key data KEY data.
- The IP address allocation system for a wireless network according to claim 8, wherein the request message and the reply message each omit the sname and file fields and are encrypted with the EAPOL-KEY encryption key KEK.
- The IP address allocation system for a wireless network according to claim 6, further comprising a DHCP server, wherein
  the authentication end is further configured to forward the DHCP request message to the DHCP server;
  the DHCP server is configured to send the reply message to the authentication end.
- An authentication end, comprising:
  a first generating module, configured to generate an authentication-end random number;
  a first sending module, configured to send the authentication-end random number to a client;
  a first receiving module, configured to receive a client random number, a message integrity check code MIC and Dynamic Host Configuration Protocol DHCP request message sent by the client, wherein the client generates the client random number and generates a pairwise transient key PTK from the authentication-end random number, the client random number, a pairwise master key PMK, authentication-end attribute information and client attribute information;
  a second generating module, configured to generate the pairwise transient key PTK from the authentication-end random number, the client random number, the pairwise master key PMK, the authentication-end attribute information and the client attribute information;
  a verification module, configured to verify the MIC;
  a confirmation module, configured to determine a reply message to the DHCP request message;
  a second sending module, configured to send to the client an indication of whether to install the encryption/integrity key together with the reply message, so that the client installs the encryption/integrity key and determines an IP address from the reply message;
  a second receiving module, configured to receive a confirmation message sent by the client to complete shared-key authentication with the client, and to communicate with the client using the IP address.
- A client, comprising:
  a first receiving module, configured to receive an authentication-end random number sent by an authentication end;
  a first generating module, configured to generate a client random number;
  a second generating module, configured to generate a pairwise transient key PTK from the authentication-end random number, the client random number, a pairwise master key PMK, authentication-end attribute information and client attribute information;
  a first sending module, configured to send the client random number, a message integrity check code MIC and Dynamic Host Configuration Protocol DHCP request message to the authentication end;
  a second receiving module, configured to receive from the authentication end an indication of whether to install the encryption/integrity key together with the reply message to the DHCP request message, so as to install the encryption/integrity key and determine an IP address from the reply message;
  a second sending module, configured to send a confirmation message to the authentication end to complete shared-key authentication between the authentication end and the client, and to communicate with the authentication end using the IP address.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510262722.9 | 2015-05-21 | ||
CN201510262722.9A CN106304400B (en) | 2015-05-21 | 2015-05-21 | The IP address distribution method and system of wireless network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016184351A1 true WO2016184351A1 (en) | 2016-11-24 |
Family
ID=57319413
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/081952 WO2016184351A1 (en) | 2015-05-21 | 2016-05-13 | Ip address allocation method and system for wireless network |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106304400B (en) |
WO (1) | WO2016184351A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114173334A (en) * | 2021-10-26 | 2022-03-11 | 新华三大数据技术有限公司 | Method for accessing AP, AP and storage medium |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108769288A (en) * | 2018-05-31 | 2018-11-06 | 北京橙鑫数据科技有限公司 | Determine the method, apparatus and electronic equipment of wireless device address in a network |
CN109450852B (en) * | 2018-10-09 | 2020-09-29 | 中国科学院信息工程研究所 | Network communication encryption and decryption method and electronic equipment |
CN110087240B (en) * | 2019-03-28 | 2020-09-11 | 中国科学院计算技术研究所 | Wireless network security data transmission method and system based on WPA2-PSK mode |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060047835A1 (en) * | 2004-07-02 | 2006-03-02 | Greaux Jeffrey E | Method and System for LAN and WLAN access to e-commerce sites via Client Server Proxy |
CN101388770A (en) * | 2008-10-20 | 2009-03-18 | 华为技术有限公司 | Method, server and customer apparatus for acquiring dynamic host configuration protocol cipher |
CN101471767A (en) * | 2007-12-26 | 2009-07-01 | 华为技术有限公司 | Method, equipment and system for distributing cipher key |
CN104219217A (en) * | 2013-06-05 | 2014-12-17 | 中国移动通信集团公司 | SA (security association) negotiation method, device and system |
CN105591748A (en) * | 2015-09-21 | 2016-05-18 | 杭州华三通信技术有限公司 | Authentication method and device |
- 2015-05-21 CN CN201510262722.9A patent/CN106304400B/en active Active
- 2016-05-13 WO PCT/CN2016/081952 patent/WO2016184351A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN106304400B (en) | 2019-05-07 |
CN106304400A (en) | 2017-01-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4649513B2 (en) | Authentication method for wireless portable internet system and related key generation method | |
CN110474875B (en) | Discovery method and device based on service architecture | |
EP2272271B1 (en) | Method and system for mutual authentication of nodes in a wireless communication network | |
US7793103B2 (en) | Ad-hoc network key management | |
US9392453B2 (en) | Authentication | |
JP6086987B2 (en) | Restricted certificate enrollment for unknown devices in hotspot networks | |
TWI445371B (en) | Methods and devices for establishing security associations and performing handoff authentication in wireless communications systems | |
US8423772B2 (en) | Multi-hop wireless network system and authentication method thereof | |
JP3955025B2 (en) | Mobile radio terminal device, virtual private network relay device, and connection authentication server | |
WO2022057736A1 (en) | Authorization method and device | |
KR20170076773A (en) | End-to-end service layer authentication | |
WO2006003859A1 (en) | Communication handover method, communication message processing method, and communication control method | |
JP2021528935A (en) | Decentralized authentication method | |
WO2011142353A1 (en) | Communication device and communication method | |
KR20170037270A (en) | Method for registering device and setting secret key using two factor communacation channel | |
WO2016184351A1 (en) | Ip address allocation method and system for wireless network | |
WO2015058378A1 (en) | Method and device for secure communication between user equipment | |
EP3413508A1 (en) | Devices and methods for client device authentication | |
CN103139770B (en) | The method and system of pairwise master key is transmitted in WLAN access network | |
US20140331303A1 (en) | Apparatus and method for authenticating access of a mobile station in a wireless communication system | |
WO2013104301A1 (en) | Method for transmitting message, method for establishing secure connection, access point and workstation | |
JP5472977B2 (en) | Wireless communication device | |
WO2021236078A1 (en) | Simplified method for onboarding and authentication of identities for network access | |
KR102345093B1 (en) | Security session establishment system and security session establishment method for wireless internet | |
JP2013530650A (en) | Remote verification of attributes in communication networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16795838 Country of ref document: EP Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 16795838 Country of ref document: EP Kind code of ref document: A1 |