WO2017185913A1 - Method for improving wireless local area network authentication mechanism - Google Patents

Method for improving wireless local area network authentication mechanism Download PDF

Info

Publication number
WO2017185913A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
password
access point
wireless access
packet
Application number
PCT/CN2017/077417
Other languages
French (fr)
Chinese (zh)
Inventor
刘军华
Original Assignee
上海斐讯数据通信技术有限公司
Application filed by 上海斐讯数据通信技术有限公司
Publication of WO2017185913A1

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                            • H04L9/0869 Generation of secret information involving random numbers or seeds
                    • H04L9/14 Cryptographic mechanisms or arrangements using a plurality of keys or algorithms
                    • H04L9/32 Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3226 Verification of identity or authority using a predetermined code, e.g. password, passphrase or PIN
                        • H04L9/3263 Verification of identity or authority involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                            • H04L9/3268 Verification involving certificates, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 Network architectures or protocols for network security for authentication of entities
                        • H04L63/0823 Authentication of entities using certificates
                        • H04L63/083 Authentication of entities using passwords
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/08 Access security

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to an improved method for a wireless local area network authentication mechanism.
  • EAP-TLS authentication provides two-way authentication based on digital certificates. The digital certificates used for authentication must be issued in advance, over a secure connection, to the STA (Station, the client) and to the RADIUS (Remote Authentication Dial In User Service) server. EAP-TLS provides both authentication and dynamic session key distribution. The RADIUS server must support EAP-TLS authentication and be able to manage the authentication certificates. Only after two-way authentication has passed does the server send an EAP-Success message to the AP (Wireless Access Point), indicating that the client may receive the data stream; the message also triggers encryption of the data stream, and the client sends no data before the encryption key is established.
  • although EAP-TLS authentication is mutual authentication between the STA and the RADIUS server, and the authentication process uses the key of a pre-issued digital certificate, the selected AP is not sufficiently verified: the AP is treated as trustworthy by default. A malicious user can therefore impersonate an AP and deceive the user by sending unprotected EAP-Success and similar messages, so that the user connects to the rogue AP, which then obtains all of the user's network traffic; it can even send a disassociation frame to disconnect the legitimate user. The AP, unaware that the legitimate user has disconnected, continues communicating, and the illegitimate user can then access the network through the legitimate user's port, carrying out a "communication hijacking" attack.
  • the present application describes an improved method for a wireless local area network authentication mechanism, applied to a client performing two-way authentication based on digital certificates with an authentication server through a wireless access point, wherein, after the wireless access point has sent the authentication success message to the client in plain text during the two-way authentication process, the method further includes the following steps:
  • Step S1 The client encrypts a first encryption parameter by using a preset encryption algorithm to form a first packet and sends the first packet to the wireless access point.
  • Step S2 After receiving the first packet, the wireless access point decrypts it with the encryption algorithm to obtain the first encryption parameter, encrypts the first encryption parameter and a second encryption parameter separately with the encryption algorithm, combines the results to form a second packet, and sends the second packet to the client;
  • Step S3 The client decrypts the received second packet with the encryption algorithm to obtain the first encryption parameter and the second encryption parameter contained in it;
  • Step S4 The client determines whether its first encryption parameter is the same as the first encryption parameter obtained from the second packet; if not, it determines that the wireless access point is illegal and exits;
  • Step S5 The client encrypts the second encryption parameter obtained from the second packet with the encryption algorithm to form a third packet, and sends the third packet to the wireless access point;
  • Step S6 The wireless access point decrypts the received third packet with the encryption algorithm to obtain the second encryption parameter contained in it;
  • Step S7 The wireless access point determines whether the second encryption parameter is the same as the second encryption parameter in the third packet, and if not, returns an authentication failure to the client, and exits;
  • Step S8 The wireless access point returns the authentication success to the client.
  • the step S8 comprises the following steps:
  • Step S81 The wireless access point encrypts a security key and the authentication success packet by using the encryption algorithm to form a fourth packet, and sends the fourth packet to the client.
  • Step S82 The client decrypts the received fourth packet with the encryption algorithm to obtain the security key and the authentication success message;
  • Step S83 The client displays the authentication success message to the user and communicates with the wireless access point using the security key.
  • the first encryption parameter is randomly generated by the client.
  • the second encryption parameter is randomly generated by the wireless access point.
  • the encryption algorithm is previously agreed by the client and the wireless access point.
  • the security key is generated by the wireless access point with a hash algorithm.
  • the hash algorithm is an MD5 algorithm.
  • the authentication server provides a password rule.
  • the method further includes:
  • Step S01 The authentication server sends an identity request and a request password associated with the password rule to the client.
  • Step S02 After receiving the identity request, the client returns an identity of the client and a response password corresponding to the request password.
  • Step S03 The authentication server determines, according to the password rule, whether the received response password is correct; if it is correct, step S05 is performed;
  • Step S04 Determine whether the number of times the client has responded with an incorrect password has reached a preset value; if not, record the incorrect-response count for the client and return to step S01; if it has, ignore the client's requests for a predetermined time period and exit;
  • Step S05 continuing the authentication process.
  • the password rule is to provide a password table shared with the client.
  • the password table stores at least one request password and the response password corresponding to it; after sending a request password, the authentication server determines whether the received response password is consistent with the response password corresponding to that request password in the password table. If consistent, the response password is judged correct; if inconsistent, it is judged incorrect; and/or
  • the method of ignoring the client's requests for the predetermined time period in step S04 is to provide a silent list: the client is added to the silent list, the authentication server ignores all requests from terminals in the silent list, and the client is deleted from the silent list after the predetermined time period; and/or
  • the preset value is 3; and/or
  • the predetermined time period is 3 minutes.
  • the authentication server is a RADIUS server.
  • the present invention can effectively prevent the "man-in-the-middle attack" through two-way authentication of the client and the wireless access point; that is, an illegal user cannot access the network through the port of a legitimate user, so the "communication hijacking" attack is avoided.
  • FIG. 1 is a first schematic flowchart of the method for improving a wireless local area network authentication mechanism according to the present invention;
  • FIG. 2 is a second schematic flowchart of the method for improving a wireless local area network authentication mechanism according to the present invention;
  • FIG. 3 is a third schematic flowchart of the method for improving a wireless local area network authentication mechanism according to the present invention.
  • An improved method for a WLAN authentication mechanism is applied to a client performing two-way authentication based on digital certificates with an authentication server through a wireless access point, wherein, as shown in FIG. 1, after the wireless access point has sent the authentication success message to the client in clear text during the two-way authentication process, the following steps are also included:
  • Step S1 The client encrypts a first encryption parameter with a preset encryption algorithm to form a first packet and sends it to the wireless access point;
  • Step S2 After receiving the first packet, the wireless access point decrypts it with the encryption algorithm to obtain the first encryption parameter, encrypts the first encryption parameter and a second encryption parameter separately with the encryption algorithm, combines the results to form a second packet, and sends it to the client;
  • Step S3 The client decrypts the received second packet according to the encryption algorithm to obtain the first encryption parameter and the second encryption parameter in the second packet.
  • Step S4 The client determines whether its first encryption parameter is the same as the first encryption parameter obtained from the second packet; if they differ, it determines that the wireless access point is illegal and exits;
  • Step S5 The client encrypts the second encryption parameter obtained in the second packet by using an encryption algorithm. After being encrypted, a third message is formed and sent to the wireless access point;
  • Step S6 The wireless access point decrypts the received third packet with the encryption algorithm to obtain the second encryption parameter contained in it;
  • Step S7 The wireless access point determines whether the second encryption parameter is the same as the second encryption parameter in the third packet, and if not, returns the authentication failure to the client, and exits;
  • Step S8 The wireless access point returns the authentication success to the client.
  • the client first encrypts a first encryption parameter with the preset encryption algorithm to form a first packet, and sends the first packet to the wireless access point.
  • the wireless access point decrypts the first packet with the encryption algorithm to obtain the first encryption parameter.
  • a second encryption parameter is also provided; the first encryption parameter and the second encryption parameter are each encrypted with the encryption algorithm, the results are combined to form a second packet, and the second packet is sent to the client.
  • after receiving the second packet, the client decrypts it to obtain the first encryption parameter and the second encryption parameter contained in it.
  • the client must determine whether the first encryption parameter obtained by decrypting the second packet is the same as the first encryption parameter it originally provided. If not, the wireless access point is illegal and the whole procedure is exited; if so, the next steps continue. In short, the client provides a first encryption parameter, and if it is still unchanged after client encryption, wireless access point decryption, wireless access point encryption and client decryption, the wireless access point is determined to be legal.
  • the first encryption parameter is obtained at the wireless access point by decrypting the first packet.
  • the second encryption parameter is provided by the wireless access point; after it has been encrypted by the wireless access point, decrypted by the client, re-encrypted by the client and decrypted by the wireless access point, it must still be unchanged for the whole authentication process to be determined complete.
  • if the client has determined that the wireless access point is illegal, the decrypted second encryption parameter is not re-encrypted; that is, the subsequent authentication process is not performed and the authentication is directly determined to have failed.
  • the wireless access point first encrypts the first encryption parameter and the second encryption parameter with the encryption algorithm, combines them to form a second packet, and sends the second packet to the client.
  • the client parses the first encryption parameter and the second encryption parameter from the second packet, and when it determines that the first encryption parameter parsed from the second packet is the same as the first encryption parameter it previously provided, it encrypts the second encryption parameter with the encryption algorithm to form a third packet and sends it to the wireless access point.
  • the wireless access point decrypts the received third packet with the encryption algorithm and obtains the second encryption parameter contained in it.
  • the wireless access point determines whether the second encryption parameter in the third packet is the same as the second encryption parameter it previously set. If not, authentication failure information is returned to the client and the procedure exits; if so, the wireless access point returns authentication success information to the client.
  • the foregoing preset encryption algorithm may be implemented with a secret key pre-agreed by the client and the wireless access point.
  • the first encryption parameter is randomly generated by the client.
  • the second encryption parameter is randomly generated by the wireless access point.
  • the encryption algorithm is pre-agreed by the client and the wireless access point.
  • step S8 the following steps are specifically included:
  • Step S81 The wireless access point encrypts a security key and the authentication success message with the encryption algorithm to form a fourth packet, and sends it to the client;
  • Step S82 The client decrypts the received fourth packet according to the encryption algorithm to obtain a security key and a successful authentication packet.
  • Step S83 The client displays the authentication success message to the user and communicates with the wireless access point using the security key.
  • when the wireless access point determines that authentication has succeeded, it encrypts a security key and the authentication success message with the encryption algorithm to form a fourth packet and sends it to the client; the client decrypts the fourth packet with the encryption algorithm to obtain the security key and the authentication success message. Finally, the authentication success message is displayed on the client, and the security key is used for communication with the wireless access point.
  • the security key is generated by a wireless access point through a hash algorithm.
  • the above hash algorithm may be an MD5 algorithm.
  • the method further includes the steps of:
  • the process returns to the step in which the client generates a first encryption parameter, for the next round of the authentication process.
  • the above method is the client's authentication of the wireless access point; in addition, in the two-way authentication process with the digital certificate, the client itself needs to be authenticated.
  • the authentication server provides a password rule. As shown in FIG. 3, before the wireless access point sends the authentication success message to the client in the two-way authentication process, the method further includes the following steps:
  • Step S01 The authentication server sends an identity request to the client and a request password associated with the password rule.
  • Step S02 After receiving the identity request, the client returns the identity of the client and the response password corresponding to the request password.
  • Step S03 The authentication server determines, according to the password rule, whether the received response password is correct; if it is correct, step S05 is performed;
  • Step S04 Determine whether the number of times the client has responded with an incorrect password has reached a preset value; if not, record the incorrect-response count for the client and return to step S01; if it has, ignore the client's requests for a predetermined time period and exit;
  • Step S05 continuing the authentication process.
  • a password rule is pre-stored in both the trusted client and the authentication server; that is, the authentication server pre-shares a password rule in a secure manner, and the password rule contains request passwords and response passwords in one-to-one correspondence. Therefore, when authenticating the client, the authentication server first sends an identity request and a request password associated with the password rule to the client. After receiving the identity request, the client sends its identity and the response password corresponding to the request password to the authentication server. The authentication server calculates a hash value of the password and checks whether the hash value is the same as the response password corresponding to the request password in the password rule.
  • with a password rule pre-shared in a secure manner, the process of the authentication server issuing an identity request and a request password, the client returning its identity and the response password corresponding to the request password, and the authentication server determining whether the response password is correct, completes the authentication of the client.
  • if the password is incorrect, it is also necessary to determine whether the number of times the client has answered the password incorrectly has reached a preset value. If it has not, the incorrect-response count for the client is recorded and the process returns to step S01; if it has, the client's requests are ignored for a predetermined time period and the process exits.
  • in this way a malicious client can be prevented from mounting a denial-of-service attack.
  • the password rule proposed above provides: providing a password table shared with the client, the password table storing at least one request password and a response password corresponding to the request password. After the authentication server sends the request password, it is determined whether the received response password is consistent with the response password corresponding to the requested password in the password table. If the response password is consistent, the response password is correct; if not, the response password is incorrect.
  • a silent list may also be provided: the client is added to the silent list, the authentication server ignores the requests of all terminals in the silent list, and the client is deleted from the silent list after a predetermined time period. Through the silent list, the effect of ignoring the client's requests for a predetermined time period is achieved.
  • the preset value can be 3.
  • the predetermined time period can be 3 minutes.
  • the invention can effectively prevent "man-in-the-middle attacks" by mutual authentication of the client and the wireless access point.
  • identification of the user's identity is added first, so that attackers are identified and their attack behaviour is prevented.
  • the present invention provides an improved scheme for 802.1X authentication, so that wireless devices operate more safely and stably, and attacks from other malicious or illegal wireless devices do not degrade normal users' network access and Internet experience, or even crash or reboot the equipment.
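As an added example (not code from the patent), the following Python models the authentication server side of steps S01 to S05: a shared password table of request/response pairs, the preset value of 3 incorrect responses, and a silent list that ignores a client for the predetermined 3-minute period. The request and response passwords, the injectable clock, and the choice to store only SHA-256 hashes of the expected responses are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

PRESET_VALUE = 3          # incorrect responses allowed before the client is silenced
SILENT_PERIOD = 3 * 60    # predetermined time period in seconds (3 minutes)


def response_hash(response_password: str) -> bytes:
    """The table stores only SHA-256 hashes of the expected responses (an assumption)."""
    return hashlib.sha256(response_password.encode()).digest()


class AuthServer:
    def __init__(self, password_table: dict, clock=time.time):
        self.table = password_table   # request password -> hash of expected response
        self.clock = clock            # injectable so the silent period can be tested
        self.errors = {}              # client identity -> incorrect responses so far
        self.silent = {}              # client identity -> time its silence expires
        self.pending = {}             # client identity -> request password sent in S01

    def _is_silenced(self, identity: str) -> bool:
        expiry = self.silent.get(identity)
        if expiry is None:
            return False
        if self.clock() >= expiry:    # period over: delete the client from the list
            del self.silent[identity]
            return False
        return True

    def step_s01(self, identity: str):
        """Identity request: returns the request password, or None if the client is ignored."""
        if self._is_silenced(identity):
            return None
        request_password = secrets.choice(list(self.table))
        self.pending[identity] = request_password
        return request_password

    def step_s03_s04(self, identity: str, response_password: str) -> str:
        """Return 'continue' (go to S05), 'retry' (back to S01) or 'ignored' (S04 exit)."""
        if self._is_silenced(identity) or identity not in self.pending:
            return "ignored"
        expected = self.table[self.pending.pop(identity)]
        if hmac.compare_digest(expected, response_hash(response_password)):
            self.errors.pop(identity, None)           # S03: correct, clear the count
            return "continue"
        self.errors[identity] = self.errors.get(identity, 0) + 1
        if self.errors[identity] >= PRESET_VALUE:     # S04: preset value reached
            self.silent[identity] = self.clock() + SILENT_PERIOD
            del self.errors[identity]
            return "ignored"
        return "retry"                                # S04: count recorded, back to S01
```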

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided is a method for improving a wireless local area network authentication mechanism. After a wireless access point sends an authentication success message to a client in clear text during a bidirectional authentication process, the method comprises the steps of: providing a first encryption parameter, and if after the first encryption parameter is encrypted by a client, is decrypted by a wireless access point, is encrypted by the wireless access point and is decrypted by the client, the first encryption parameter still does not change, determining that the wireless access point is legitimate; and providing a second encryption parameter, and if after the wireless access point encrypts the second encryption parameter, the client decrypts same, the client then encrypts same and the wireless access point then decrypts same, the second encryption parameter still does not change, determining that the whole authentication process is completed. The present invention can effectively prevent a "man-in-the-middle attack", i.e. an illegitimate user cannot access a network via a port of a legitimate user, so that a "communication hijack" attack is prevented.

Description

一种无线局域网认证机制的改进方法An improved method of wireless local area network authentication mechanism 技术领域Technical field
本发明涉及通信技术领域,尤其涉及一种无线局域网认证机制的改进方法。The present invention relates to the field of communications technologies, and in particular, to an improved method for a wireless local area network authentication mechanism.
背景技术Background technique
随着无线网络的发展,越来越多的人在使用无线的方式接入网络。由于无线信道的开放性,入侵者很容易通过扫描或监听的方式截取无线数据或者接入无线网络,因此无线网络的安全问题越来越受到人们的重视。为了保护无线网络的安全,人们采用对终端认证的方式,目前人们一般采用IEEE 802.1X协议或EAP-TLS(基于数字证书的双向认证)的方式实现对设备的接入认证。With the development of wireless networks, more and more people are using wireless to access the network. Due to the openness of the wireless channel, intruders can easily intercept wireless data or access wireless networks by scanning or monitoring. Therefore, the security of wireless networks has received more and more attention. In order to protect the security of the wireless network, people adopt the method of terminal authentication. At present, people generally adopt IEEE 802.1X protocol or EAP-TLS (two-way authentication based on digital certificate) to implement access authentication for devices.
IEEE 802.1X协议的主要目的是为了解决无线局域网用户的接入验证问题。EAP-TLS认证提供了一种基于数字证书的双向认证,它需要通过安全连接在STA(Station,客户端)和RADIUS(Remote Authentication Dial In User Service,远程用户拨号认证系统)服务器端事先发布认证使用的数字证书。EAP-TLS既提供认证,又提供动态会话钥匙分发。RADIUS服务器需要支持EAP-TLS认证,和认证数字证书的管理能力,只有在双向认证通过以后,服务器才向AP (Wireless Access Point,无线访问接入点)发送EAP-Success(认证成功)报文,指示客户端可以接收数据流,该报文同时触发了对数据流加密,在加密密钥建立之前,客户端不发送数据。The main purpose of the IEEE 802.1X protocol is to solve the problem of access authentication for wireless LAN users. EAP-TLS authentication provides a two-way authentication based on digital certificates. It needs to be pre-published for authentication on the server side of STA (Station, client) and RADIUS (Remote Authentication Dial In User Service) through a secure connection. Digital certificate. EAP-TLS provides both authentication and dynamic session key distribution. The RADIUS server needs to support EAP-TLS authentication and the management capability of the authentication digital certificate. Only after the two-way authentication is passed, the server sends the AP to the AP. (Wireless Access Point, the wireless access point) sends an EAP-Success message indicating that the client can receive the data stream, and the message triggers the encryption of the data stream. Before the encryption key is established, the client Do not send data.
虽然EAP-TLS认证是基于STA和RADIUS服务器的双向认证,并且在认证过程中采用了预先颁发的数字证书上的密钥,但并没有对选用的AP进行充分的验证,AP被默认为是可靠的,因此就会有恶意的用户冒充AP,通过发送未受保护的EAP-Success等信息欺骗用户,使得用户连接到非法AP上,从而获得用户的所有网络通信,甚至可通过发送去关联帧使合法用户断开连接。而AP不知道合法用户已断开连接,继续进行通信,此时非法用户可以通过该合法用户的端口接入网络,从而进行“通信劫持”攻击。Although the EAP-TLS authentication is based on the mutual authentication of the STA and the RADIUS server, and the key on the pre-issued digital certificate is used in the authentication process, the selected AP is not fully authenticated, and the AP is defaulted to be reliable. Therefore, a malicious user pretends to be an AP, and spoofs the user by sending unprotected EAP-Success information, so that the user connects to the illegal AP, thereby obtaining all network communication of the user, and even by sending the associated frame. A legitimate user disconnected. The AP does not know that the legitimate user has disconnected and continues to communicate. At this time, the illegal user can access the network through the port of the legitimate user, thereby performing a "communication hijacking" attack.
发明内容Summary of the invention
In view of the above problems, this application describes an improved method for a wireless LAN authentication mechanism, applied where a client performs certificate-based mutual authentication with an authentication server through a wireless access point. After the wireless access point has sent the authentication success message to the client in plaintext during that mutual authentication, the method further comprises the following steps:
Step S1: the client encrypts a first encryption parameter with a preset encryption algorithm to form a first packet and sends it to the wireless access point;
Step S2: on receiving the first packet, the wireless access point decrypts it with the encryption algorithm to obtain the first encryption parameter, encrypts the first encryption parameter and a second encryption parameter separately with the encryption algorithm, combines the two results into a second packet and sends it to the client;
Step S3: the client decrypts the received second packet with the encryption algorithm to obtain the first encryption parameter and the second encryption parameter carried in the second packet;
Step S4: the client checks whether its first encryption parameter is identical to the first encryption parameter obtained from the second packet; if not, it judges the wireless access point to be illegitimate and exits;
Step S5: the client encrypts the second encryption parameter obtained from the second packet with the encryption algorithm to form a third packet and sends it to the wireless access point;
Step S6: the wireless access point decrypts the received third packet with the encryption algorithm to obtain the second encryption parameter carried in the third packet;
Step S7: the wireless access point checks whether its second encryption parameter is identical to the second encryption parameter in the third packet; if not, it returns an authentication failure to the client and exits;
Step S8: the wireless access point returns authentication success to the client.
Preferably, step S8 comprises the following steps:
Step S81: the wireless access point encrypts a security key together with the authentication success message using the encryption algorithm to form a fourth packet and sends it to the client;
Step S82: the client decrypts the received fourth packet with the encryption algorithm to obtain the security key and the authentication success message;
Step S83: the client displays the authentication success message to the user and communicates with the wireless access point using the security key.
Preferably, the first encryption parameter is generated randomly by the client.
Preferably, the second encryption parameter is generated randomly by the wireless access point.
Preferably, the encryption algorithm is agreed in advance between the client and the wireless access point.
Preferably, the security key is generated by the wireless access point using a hash algorithm.
Preferably, the hash algorithm is the MD5 algorithm.
Preferably, the authentication server provides a password rule, and before the wireless access point sends the authentication success message to the client in plaintext during the mutual authentication, the method further comprises:
Step S01: the authentication server sends the client an identity request together with a request password (challenge) associated with the password rule;
Step S02: on receiving the identity request, the client returns its identity and the response password corresponding to the request password;
Step S03: the authentication server judges, according to the password rule, whether the received response password is correct; if it is, step S05 is executed;
Step S04: otherwise, it is determined whether the number of incorrect response passwords from this client has reached a preset value; if not, the client's count of incorrect responses is recorded and the method returns to step S01; if it has, the client's requests are ignored for a predetermined time period and the method exits;
Step S05: the authentication process continues.
Preferably, the password rule is as follows: a password table shared with the client is provided, storing at least one request password and a response password corresponding one-to-one to each request password; after sending a request password, the authentication server checks whether the received response password matches the response password that the table associates with that request password, judging the response correct if they match and incorrect otherwise; and/or
the method of ignoring the client's requests for the predetermined time period in step S04 is as follows: a silent list is provided, the client is added to the silent list, the authentication server ignores requests from every terminal on the silent list, and the client is removed from the silent list after the predetermined time period; and/or
the preset value is 3; and/or
the predetermined time period is 3 minutes.
Preferably, the authentication server is a RADIUS server.
The above technical solution has the following advantages: through mutual authentication between the client and the wireless access point, the invention can effectively prevent man-in-the-middle attacks, that is, an illegitimate user cannot access the network through a legitimate user's port, which avoids "communication hijacking" attacks.
Drawings
Embodiments of the invention are described more fully with reference to the accompanying drawings. The drawings are for illustration only and do not limit the scope of the invention.
FIG. 1 is a first schematic flowchart of the improved method for a wireless LAN authentication mechanism according to the invention;
FIG. 2 is a second schematic flowchart of the improved method for a wireless LAN authentication mechanism according to the invention;
FIG. 3 is a third schematic flowchart of the improved method for a wireless LAN authentication mechanism according to the invention.
Detailed description
The improved method for a wireless LAN authentication mechanism according to the invention is described in detail below with reference to the drawings and specific embodiments.
An improved method for a wireless LAN authentication mechanism is applied where a client performs certificate-based mutual authentication with an authentication server through a wireless access point. As shown in FIG. 1, after the wireless access point has sent the authentication success message to the client in plaintext during the mutual authentication, the method further comprises the following steps:
Step S1: the client encrypts a first encryption parameter with a preset encryption algorithm to form a first packet and sends it to the wireless access point;
Step S2: on receiving the first packet, the wireless access point decrypts it with the encryption algorithm to obtain the first encryption parameter, encrypts the first encryption parameter and a second encryption parameter separately with the encryption algorithm, combines the two results into a second packet and sends it to the client;
Step S3: the client decrypts the received second packet with the encryption algorithm to obtain the first encryption parameter and the second encryption parameter carried in the second packet;
Step S4: the client checks whether its first encryption parameter is identical to the first encryption parameter obtained from the second packet; if not, it judges the wireless access point to be illegitimate and exits;
Step S5: the client encrypts the second encryption parameter obtained from the second packet with the encryption algorithm to form a third packet and sends it to the wireless access point;
Step S6: the wireless access point decrypts the received third packet with the encryption algorithm to obtain the second encryption parameter carried in the third packet;
Step S7: the wireless access point checks whether its second encryption parameter is identical to the second encryption parameter in the third packet; if not, it returns an authentication failure to the client and exits;
Step S8: the wireless access point returns authentication success to the client.
Specifically, in the improved method proposed above, the client first encrypts a first encryption parameter with a predetermined encryption algorithm to form a first packet, and sends that packet to the wireless access point. The wireless access point then decrypts the first packet with the encryption algorithm to obtain the first encryption parameter. It then provides a second encryption parameter, encrypts the first and second encryption parameters separately with the encryption algorithm, combines the two results into a second packet, and sends that packet to the client. On receiving the second packet, the client decrypts it to obtain the first and second encryption parameters it carries. The client must now check whether the first encryption parameter recovered from the second packet is identical to the first encryption parameter it originally supplied; if not, the wireless access point is illegitimate and the whole operation is aborted; if so, the subsequent steps continue. In short, the client supplies a first encryption parameter, and if that parameter is unchanged after client encryption, access point decryption, access point encryption and client decryption, the wireless access point is judged legitimate.
However, judging the wireless access point legitimate is not by itself enough to guarantee the reliability of the authentication process. Therefore, when the wireless access point decrypts the first packet to obtain the first encryption parameter, it also provides a second encryption parameter. If that parameter is still unchanged after being encrypted by the wireless access point, decrypted by the client, re-encrypted by the client and decrypted again by the wireless access point, the entire authentication process is judged complete.
It should be noted that when the wireless access point is judged illegitimate, the decrypted second encryption parameter is no longer encrypted and returned; that is, no further authentication steps are carried out, and the authentication is directly judged to have failed.
In addition, when verifying with the second encryption parameter, the wireless access point first encrypts the first and second encryption parameters separately with the encryption algorithm, combines them into a second packet and sends it to the client. The client then parses the first and second encryption parameters out of the second packet and, once it has confirmed that the first encryption parameter parsed from the second packet matches the one it supplied earlier, encrypts the second encryption parameter with the encryption algorithm to form a third packet and sends it to the wireless access point. The wireless access point decrypts the received third packet with the encryption algorithm to obtain the second encryption parameter it carries. Finally, the wireless access point checks whether the second encryption parameter in the third packet is identical to the second encryption parameter it set earlier. If they differ, the authentication has failed: the access point returns authentication failure information to the client and exits. If they are identical, the wireless access point returns authentication success information to the client.
In a preferred embodiment, the preset encryption algorithm is realised through a secret key agreed in advance between the client and the wireless access point.
In a further preferred embodiment, the first encryption parameter is generated randomly by the client.
In a further preferred embodiment, the second encryption parameter is generated randomly by the wireless access point.
In a further preferred embodiment, the encryption algorithm is agreed in advance between the client and the wireless access point.
In a further preferred embodiment, as shown in FIG. 2, step S8 specifically comprises the following steps:
Step S81: the wireless access point encrypts a security key together with the authentication success message using the encryption algorithm to form a fourth packet and sends it to the client;
Step S82: the client decrypts the received fourth packet with the encryption algorithm to obtain the security key and the authentication success message;
Step S83: the client displays the authentication success message to the user and communicates with the wireless access point using the security key.
Specifically, at the moment the wireless access point is judged to have authenticated successfully, it encrypts a security key together with the authentication success message using the encryption algorithm to form a fourth packet and sends it to the client; the client decrypts the fourth packet with the encryption algorithm to obtain the security key and the authentication success message. Finally, the client displays the authentication success message and communicates with the wireless access point using the security key.
In a further preferred embodiment, the security key is generated by the wireless access point using a hash algorithm.
In a further preferred embodiment, the hash algorithm may be the MD5 algorithm.
In a further preferred embodiment, the method provided in this embodiment further comprises the following step:
after an authentication failure, return to the step in which the client generates a first encryption parameter, so as to carry out the next round of the authentication process.
Through this AP-STA mutual authentication, hijacking by rogue APs and the man-in-the-middle attacks that may result from it can be prevented.
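The client-access point exchange of steps S1 to S83, as described in the summary above and in this detailed description, as an added worked example; it is not part of the patent and not code from the applicant. The page specifies only that each packet is "encrypted with the pre-agreed algorithm". With a deterministic cipher and no integrity tag, an access point that holds no key could pass the client's check in step S4 simply by echoing the client's own first packet back as the first half of the second packet, since decrypting it yields the first parameter again. The example therefore seals every packet with a randomized, authenticated construction (a SHA-256 keystream plus an HMAC-SHA256 tag, a stand-in for AES-GCM so that the code runs on the Python standard library alone) and binds the direction of travel into the tag; the `bind` switch exists only to show the S4 check being fooled by such an echo when the direction is not bound. The session key is derived with HMAC-SHA256 over both parameters rather than with the MD5 named in the preferred embodiment, since MD5 is no longer suitable for key derivation. The 16-byte parameters, the `client->ap` and `ap->client` labels, the `EAP-Success` marker inside the fourth packet, the class and function names and the pre-shared key are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Direction labels (assumed names) bound into every tag, so a packet the client
# sealed cannot be played back to it as if the access point had produced it.
C2A = b"client->ap"
A2C = b"ap->client"
NONCE_LEN = 16
SEALED_LEN = 16 + NONCE_LEN + 32            # iv + ciphertext + tag for one nonce
PSK = bytes.fromhex("00" * 16 + "ff" * 16)   # constructed pre-agreed secret key

def _keystream(key, iv, n):
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, direction, plaintext, bind=True):
    """Randomized, authenticated stand-in for the page's 'pre-agreed cipher'."""
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, (direction if bind else b"") + iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def unseal(key, direction, packet, bind=True):
    """Returns the plaintext, or None if the tag (and so the key or direction) is wrong."""
    iv, ct, tag = packet[:16], packet[16:-32], packet[-32:]
    want = hmac.new(key, (direction if bind else b"") + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))

class Client:
    def __init__(self, psk, bind=True):
        self.psk, self.bind, self.n1, self.n2 = psk, bind, b"", b""

    def step1(self):                                  # S1: send sealed N1
        self.n1 = secrets.token_bytes(NONCE_LEN)
        return seal(self.psk, C2A, self.n1, self.bind)

    def step3_to_5(self, pkt2):                       # S3..S5 -> (S4 accepted AP?, pkt3 or None)
        n1_echo = unseal(self.psk, A2C, pkt2[:SEALED_LEN], self.bind)
        if n1_echo is None or not hmac.compare_digest(n1_echo, self.n1):
            return False, None                        # S4: AP judged illegitimate
        self.n2 = unseal(self.psk, A2C, pkt2[SEALED_LEN:], self.bind)
        if self.n2 is None:
            return True, None                         # AP's own nonce failed authentication
        return True, seal(self.psk, C2A, self.n2, self.bind)

    def step82(self, pkt4):                           # S82 -> (session key, status) or None
        body = unseal(self.psk, A2C, pkt4, self.bind)
        return None if body is None else (body[:32], body[32:])

class AccessPoint:
    def __init__(self, psk, bind=True):
        self.psk, self.bind, self.n2, self.session_key = psk, bind, b"", b""

    def step2(self, pkt1):                            # S2: return sealed N1 || sealed N2
        n1 = unseal(self.psk, C2A, pkt1, self.bind)
        if n1 is None:
            return None                               # client does not hold the key
        self.n2 = secrets.token_bytes(NONCE_LEN)
        # Assumed derivation: the page says only that the AP produces the key with a hash.
        self.session_key = hmac.new(self.psk, b"session" + n1 + self.n2, hashlib.sha256).digest()
        return seal(self.psk, A2C, n1, self.bind) + seal(self.psk, A2C, self.n2, self.bind)

    def step6_to_8(self, pkt3):                       # S6, S7, S81
        n2_echo = unseal(self.psk, C2A, pkt3, self.bind)
        if n2_echo is None or not hmac.compare_digest(n2_echo, self.n2):
            return None                               # S7: authentication failure
        return seal(self.psk, A2C, self.session_key + b"EAP-Success", self.bind)

class RogueAP:
    """Holds no key: echoes the client's own first packet as the 'returned N1'."""
    session_key = b""

    def step2(self, pkt1):
        return pkt1 + os.urandom(SEALED_LEN)

    def step6_to_8(self, pkt3):
        return os.urandom(len(pkt3))

def run(client, ap):                                  # drive S1..S83
    pkt2 = ap.step2(client.step1())
    if pkt2 is None:
        return False, "AP rejected client"
    s4_ok, pkt3 = client.step3_to_5(pkt2)
    if pkt3 is None:
        return s4_ok, "client rejected AP"
    pkt4 = ap.step6_to_8(pkt3)
    if pkt4 is None:
        return s4_ok, "AP rejected client"
    got = client.step82(pkt4)
    if got is None:
        return s4_ok, "client rejected AP"
    key, status = got
    ok = status == b"EAP-Success" and hmac.compare_digest(key, ap.session_key)
    return s4_ok, ("authenticated" if ok else "key mismatch")
```

`run()` reports whether the client's S4 check accepted the access point and the final outcome. Against the honest access point it returns `(True, "authenticated")`; against `RogueAP` it returns `(False, "client rejected AP")` when the direction is bound, and `(True, "client rejected AP")` when it is not, that is, S4 alone would have accepted the echo and only the tag on the second half saves the client. Under the page's own description, where nothing authenticates the packets, nothing would.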
The method above is the client's authentication of the wireless access point. In addition, during the certificate-based mutual authentication the client itself also needs to be authenticated. Specifically, the authentication server provides a password rule and, as shown in FIG. 3, before the wireless access point sends the authentication success message to the client in plaintext during the mutual authentication, the method further comprises the following steps:
Step S01: the authentication server sends the client an identity request together with a request password (challenge) associated with the password rule;
Step S02: on receiving the identity request, the client returns its identity and the response password corresponding to the request password;
Step S03: the authentication server judges, according to the password rule, whether the received response password is correct; if it is, step S05 is executed;
Step S04: otherwise, it is determined whether the number of incorrect response passwords from this client has reached a preset value; if not, the client's count of incorrect responses is recorded and the method returns to step S01; if it has, the client's requests are ignored for a predetermined time period and the method exits;
Step S05: the authentication process continues.
Specifically, to prevent a malicious client from joining the wireless access point, a password rule is stored in advance in both the trusted client and the authentication server; that is, the authentication server shares a password rule in advance over a secure channel, and the rule contains request passwords and response passwords in one-to-one correspondence. When authenticating the client, the authentication server first sends the client an identity request and a request password associated with the rule; on receiving the identity request, the client sends its identity and the response password corresponding to that request password to the authentication server. The authentication server computes the hash of the received password and checks whether the hash equals the response password that the rule associates with that request password; if so, the client's identity is legitimate and the authentication process above continues. In short, a password rule is shared in advance with the authentication server over a secure channel, and the client is authenticated by the sequence: the authentication server issues an identity request and a request password; the client returns its identity and the response password corresponding to the request password; the authentication server judges whether that response password is correct.
It should be noted that if the password is incorrect, it is further necessary to determine whether the number of incorrect response passwords from the client has reached a preset value. If not, the client's count of incorrect responses is recorded and the method returns to step S01; if it has, the client's requests are ignored for a predetermined time period and the method exits.
By ignoring, for a predetermined time period, the requests of a client that has failed authentication several times, a malicious client can be prevented from mounting a denial-of-service attack.
In a further preferred embodiment, the password rule proposed above is as follows: a password table shared with the client is provided, storing at least one request password and a response password corresponding one-to-one to each request password. After sending a request password, the authentication server checks whether the received response password matches the response password that the table associates with that request password; if they match, the response password is judged correct, otherwise it is judged incorrect.
In a further preferred embodiment, a silent list may also be provided: the client is added to the silent list, the authentication server ignores requests from every terminal on the silent list, and the client is removed from the silent list after the predetermined time period. The silent list thus realises the effect of ignoring the client's requests for the predetermined time period.
Further, the preset value may be 3.
Further, the predetermined time period may be 3 minutes.
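The client-side check of steps S01 to S05, with the shared password table, the threshold of 3 and the 3-minute silent list, as an added example; it is not part of the patent and not code from the applicant. It follows the hash-then-compare variant described above, so the server keeps only a hash of each response, and an injectable clock stands in for real time so that the silence period can be exercised without waiting. The request/response pairs, the identities `sta-01` and `sta-02`, and the class and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 3          # the page's preset value
SILENCE_SECONDS = 180     # the page's predetermined period, 3 minutes


def _h(b):
    return hashlib.sha256(b).digest()


# Constructed request/response pairs as the client stores them. The server's copy
# keeps only a hash of each response (the page's hash-then-compare variant).
CLIENT_PAIRS = {
    b"req-7f3a": b"resp-east-wing-19",
    b"req-c021": b"resp-lab-4-blue",
    b"req-9d5e": b"resp-annex-red-7",
}
SERVER_TABLE = {req: _h(resp) for req, resp in CLIENT_PAIRS.items()}


class ManualClock:
    """Injectable clock so the three-minute silence can be tested without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class AuthServer:
    def __init__(self, table, clock=time.monotonic):
        self.table, self.clock = table, clock
        self.failures = {}    # identity -> count of incorrect responses
        self.silent = {}      # identity -> time at which it leaves the silent list
        self.pending = {}     # identity -> request password currently outstanding

    def _silenced(self, identity):
        until = self.silent.get(identity)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self.silent[identity]             # period elapsed: drop from the list
        return False

    def identity_request(self, identity):     # S01: request password, or None if ignored
        if self._silenced(identity):
            return None
        req = secrets.choice(sorted(self.table))
        self.pending[identity] = req
        return req

    def check_response(self, identity, response):   # S03/S04: continue | retry | silenced
        if self._silenced(identity):
            return "silenced"
        req = self.pending.pop(identity, None)
        expected = self.table.get(req, b"\x00" * 32)
        if hmac.compare_digest(_h(response), expected):
            self.failures.pop(identity, None)
            return "continue"                  # S05
        count = self.failures.pop(identity, 0) + 1
        if count >= MAX_FAILURES:
            self.silent[identity] = self.clock() + SILENCE_SECONDS
            return "silenced"
        self.failures[identity] = count        # S04: record and go back to S01
        return "retry"


class Client:
    def __init__(self, identity, pairs):
        self.identity, self.pairs = identity, pairs

    def answer(self, req):                    # S02: the identity is asserted, not proven
        return self.pairs.get(req, b"")


def authenticate(server, client):
    req = server.identity_request(client.identity)
    if req is None:
        return "silenced"
    return server.check_response(client.identity, client.answer(req))
```

Two properties of this design are worth checking before deploying it. First, the failure counter is keyed by the identity the client asserts in step S02, which nothing has yet verified, so a third party can send three wrong answers under a victim's name and put the victim on the silent list; keying by MAC address is no better, since that is equally easy to spoof. Second, the table holds fixed pairs, so anyone who observes one exchange in the clear can replay the response later; the exchange needs to run inside the protected EAP-TLS tunnel or use a keyed response rather than a static string.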
Through mutual authentication between the client and the wireless access point, the invention can effectively prevent man-in-the-middle attacks. At the same time, it adds early identification of the user's identity, so that attackers are recognised and their attacks blocked. In short, the invention provides an improvement to 802.1X authentication that lets wireless devices run more safely and stably, without legitimate users being unable to access the network, a degraded Internet experience, or even device hangs and reboots caused by attacks from other malicious wireless devices.
Various changes and modifications will no doubt become apparent to those skilled in the art after reading the above description. The appended claims are therefore to be regarded as covering all changes and modifications within the true intent and scope of the invention. Any and all equivalent scope and content within the claims should be regarded as falling within the intent and scope of the invention.

Claims (10)

  1. 一种无线局域网认证机制的改进方法,应用于客户端通过无线访问接入点与认证服务器之间进行基于数字证书的双向认证,其特征在于,所述双向认证过程中所述无线访问接入点向所述客户端明文发送认证成功报文后,还包括以下步骤:An improved method for a wireless local area network authentication mechanism, which is applied to a digital certificate-based mutual authentication between a wireless access point and an authentication server by a client, wherein the wireless access point is in the two-way authentication process After the authentication success message is sent to the client in plain text, the following steps are also included:
    步骤S1、所述客户端将一第一加密参数以一预设的加密算法加密形成一第一报文发送至所述无线访问接入点;Step S1: The client encrypts a first encryption parameter by using a preset encryption algorithm to form a first packet and sends the first packet to the wireless access point.
    步骤S2、所述无线访问接入点收到所述第一报文后根据所述加密算法对所述第一报文解密获得所述第一加密参数,并将所述第一加密参数与一第二加密参数分别以所述加密算法加密后组合形成一第二报文发送至所述客户端;Step S2: After receiving the first packet, the wireless access point decrypts the first packet according to the encryption algorithm to obtain the first encryption parameter, and the first encryption parameter and the first packet. The second encryption parameters are respectively encrypted by the encryption algorithm and combined to form a second message and sent to the client;
    步骤S3、所述客户端根据所述加密算法解密收到所述第二报文,以获得所述第二报文中的第一加密参数以及所述第二加密参数;Step S3: The client decrypts and receives the second packet according to the encryption algorithm, to obtain a first encryption parameter and the second encryption parameter in the second packet.
    步骤S4、所述客户端判断所述第一加密参数与所述第二报文中获得的第一加密参数是否相同,如不相同判断所述无线访问接入点非法,并退出;Step S4: The client determines whether the first encryption parameter is the same as the first encryption parameter obtained in the second packet, and if not, the wireless access point is illegal, and exits;
    步骤S5、所述客户端将所述第二报文中获得的所述第二加密参数以所述加密算法加密后形成一第三报文发送至所述无线访问接入点;Step S5: The client encrypts the second encryption parameter obtained in the second packet by using the encryption algorithm to form a third packet, and sends the third packet to the wireless access point.
    步骤S6、所述无线访问接入点根据所述加密算法解密收到所述第三报文,以获得所述第三报文中的第二参数;Step S6: The wireless access point decrypts and receives the third packet according to the encryption algorithm to obtain a second parameter in the third packet.
    步骤S7、所述无线访问接入点判断所述第二加密参数与所述第三报文中的第二加密参数是否相同,如不相同则向所述客户端返回认 证失败,并退出;Step S7: The wireless access point determines whether the second encryption parameter is the same as the second encryption parameter in the third packet, and if not, returns the recognition to the client. The certificate fails and exits;
    步骤S8、所述无线访问接入点向所述客户端返回认证成功。Step S8: The wireless access point returns the authentication success to the client.
  2. 根据权利要求1所述的无线局域网认证机制的改进方法,其特征在于,所述步骤S8包括以下步骤:The method for improving a wireless local area network authentication mechanism according to claim 1, wherein the step S8 comprises the following steps:
    步骤S81、所述无线访问接入点将一安全密钥及所述认证成功报文通过所述加密算法加密形成一第四报文发送至所述客户端;Step S81: The wireless access point encrypts a security key and the authentication success packet by using the encryption algorithm to form a fourth packet, and sends the fourth packet to the client.
    步骤S82、所述客户端根据所述加密算法解密收到所述第四报文,以获得所述安全密钥及所述认证成功报文;Step S82: The client decrypts and receives the fourth packet according to the encryption algorithm to obtain the security key and the authentication success packet.
    步骤S83、所述客户端向用户显示所述认证成功报文,并以所述安全密钥与所述无线访问接入点进行通信。Step S83: The client displays the authentication success message to the user, and communicates with the wireless access point with the security key.
  3. 根据权利要求1所述的无线局域网认证机制的改进方法,其特征在于,所述第一加密参数为所述客户端随机生成。The method for improving a wireless local area network authentication mechanism according to claim 1, wherein the first encryption parameter is randomly generated by the client.
  4. 根据权利要求1所述的无线局域网认证机制的改进方法,其特征在于,所述第二加密参数为所述无线访问接入点随机生成。The method for improving a wireless local area network authentication mechanism according to claim 1, wherein the second encryption parameter is randomly generated by the wireless access point.
  5. 根据权利要求1所述的无线局域网认证机制的改进方法,其特征在于,所述加密算法为所述客户端与所述无线访问接入点事先约定。The method for improving a wireless local area network authentication mechanism according to claim 1, wherein the encryption algorithm is previously agreed between the client and the wireless access point.
  6. 根据权利要求2所述的无线局域网认证机制的改进方法,其特征在于,于所述安全密钥为所述无线访问接入点通过哈希算法生成。The method for improving a wireless local area network authentication mechanism according to claim 2, wherein the security key is generated by the hash algorithm for the wireless access point.
  7. 根据权利要求6所述的无线局域网认证机制的改进方法,其特征在于,所述哈希算法为MD5算法。 The improved method of the wireless local area network authentication mechanism according to claim 6, wherein the hash algorithm is an MD5 algorithm.
  8. 根据权利要求1所述的无线局域网认证机制的改进方法,其特征在于,所述认证服务器提供一口令规则,所述双向认证过程中所述无线访问接入点向所述客户端明文发送认证成功报文之前还包括:The method for improving the wireless local area network authentication mechanism according to claim 1, wherein the authentication server provides a password rule, and the wireless access point sends the authentication success to the client in the clear text. The message also includes:
    步骤S01、所述认证服务器向所述客户端发送身份请求及关联于所述口令规则的请求口令;Step S01: The authentication server sends an identity request and a request password associated with the password rule to the client.
    Step S02: After receiving the identity request, the client returns its identity together with the response password corresponding to the request password;
    Step S03: The authentication server determines, according to the password rule, whether the received response password is correct; if it is correct, step S05 is performed;
    Step S04: It is determined whether the number of times the client has answered with an incorrect password has reached a preset value; if not, the number of incorrect responses corresponding to the client is recorded and the method returns to step S01; if it has been reached, the client's requests are ignored for a predetermined time period and the method exits;
    Step S05: The authentication process continues.
  9. The method for improving a wireless local area network authentication mechanism according to claim 8, wherein the password rule is: a password table shared with the client is provided, the password table storing at least one request password and a response password corresponding one-to-one to each request password; after sending the request password, the authentication server determines whether the received response password matches the response password corresponding to that request password in the password table, and judges the response password correct if they match and incorrect if they do not; and/or
    the method of ignoring the client's requests during the predetermined time period in step S04 is: a silent list is provided, the client is added to the silent list, the authentication server ignores requests from all terminals in the silent list, and the client is removed from the silent list after the predetermined time period; and/or
    the preset value is 3; and/or
    the predetermined time period is 3 minutes.
  10. The method for improving a wireless local area network authentication mechanism according to claim 1, wherein the authentication server is a RADIUS server.
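The following is an added example, not code from the patent or its applicant, that models the mechanism of claims 8 and 9 on the authentication-server side: a request password drawn from a table shared with the client, a check of the returned response password, a per-client count of incorrect responses, and a silent list that drops the client's requests for the predetermined period once the preset value (3 failures, 3 minutes) is reached. The class and function names, the sample password table and the client identifier are all assumptions; the clock is injectable so the expiry of the silent list can be exercised without waiting.

```python
"""Challenge/response check against a shared password table with a lockout.

Added example (not the patent's or applicant's code). Models claims 8-9:
S01 the server sends an identity request carrying a request password,
S02 the client answers with the matching response password,
S03 the server checks it against the shared table,
S04 wrong answers are counted and, at the preset value, the client is put
    on a silent list for the predetermined period,
S05 authentication continues on a correct answer.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

PRESET_VALUE = 3          # claim 9: preset number of incorrect responses
LOCKOUT_SECONDS = 3 * 60  # claim 9: predetermined period of 3 minutes

# Constructed sample table (request password -> response password). In a
# deployment the pairs would be provisioned out of band and kept secret.
PASSWORD_TABLE: Dict[str, str] = {
    "req-7f3a": "rsp-c9e1",
    "req-21b8": "rsp-04d7",
    "req-e6c0": "rsp-5a2f",
}


@dataclass
class AuthServer:
    """Hypothetical authentication server keeping per-client state."""
    table: Dict[str, str]
    preset: int = PRESET_VALUE
    lockout: float = LOCKOUT_SECONDS
    now: Callable[[], float] = time.time            # injectable clock
    failures: Dict[str, int] = field(default_factory=dict)   # client -> wrong answers
    silent: Dict[str, float] = field(default_factory=dict)   # client -> expiry time
    pending: Dict[str, str] = field(default_factory=dict)    # client -> request password sent

    def is_silenced(self, client: str) -> bool:
        """True while the client is on the silent list; drops expired entries."""
        expiry = self.silent.get(client)
        if expiry is None:
            return False
        if self.now() >= expiry:
            del self.silent[client]   # predetermined period elapsed
            return False
        return True

    def identity_request(self, client: str) -> Optional[str]:
        """Step S01: return the request password to send, or None if the client is ignored."""
        if self.is_silenced(client):
            return None
        req = secrets.choice(list(self.table))
        self.pending[client] = req
        return req

    def check_response(self, client: str, response: str) -> str:
        """Steps S03-S05: returns 'continue', 'retry' (back to S01) or 'silenced'."""
        if self.is_silenced(client):
            return "silenced"
        req = self.pending.pop(client, None)
        # Constant-time comparison so timing does not leak how much of the
        # response password matched. A response with no outstanding request
        # counts as incorrect.
        if req is not None and hmac.compare_digest(self.table[req], response):
            self.failures.pop(client, None)
            return "continue"                       # S05
        count = self.failures.get(client, 0) + 1
        if count >= self.preset:                    # S04: preset value reached
            self.failures.pop(client, None)
            self.silent[client] = self.now() + self.lockout
            return "silenced"
        self.failures[client] = count               # S04: record and return to S01
        return "retry"


if __name__ == "__main__":
    srv = AuthServer(PASSWORD_TABLE)
    mac = "aa:bb:cc:dd:ee:01"                       # constructed client identifier
    req = srv.identity_request(mac)
    print("request password:", req)
    print("correct answer ->", srv.check_response(mac, PASSWORD_TABLE[req]))
    for _ in range(PRESET_VALUE):
        srv.identity_request(mac)
        print("wrong answer   ->", srv.check_response(mac, "rsp-bogus"))
    print("request while silenced ->", srv.identity_request(mac))
```

The failure counter and silent list are keyed on whatever identifier the server uses for the client (a MAC address in the sample), so the lockout is only as strong as that identifier; the comparison uses `hmac.compare_digest` rather than `==` so that a wrong response takes the same time regardless of how many leading characters matched.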
PCT/CN2017/077417 2016-04-29 2017-03-21 Method for improving wireless local area network authentication mechanism WO2017185913A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610284755.8 2016-04-29
CN201610284755.8A CN105828332B (en) 2016-04-29 2016-04-29 improved method of wireless local area network authentication mechanism

Publications (1)

Publication Number Publication Date
WO2017185913A1 true WO2017185913A1 (en) 2017-11-02

Family

ID=56527885

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/077417 WO2017185913A1 (en) 2016-04-29 2017-03-21 Method for improving wireless local area network authentication mechanism

Country Status (2)

Country Link
CN (1) CN105828332B (en)
WO (1) WO2017185913A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112039921A (en) * 2020-09-15 2020-12-04 广东安居宝数码科技股份有限公司 Verification method for parking access, parking user terminal and node server
CN113067705A (en) * 2021-04-13 2021-07-02 广州锦行网络科技有限公司 Method for identity authentication in connection establishment
US11089008B2 (en) 2018-11-20 2021-08-10 HCL Technologies Italy S.p.A. System and method for facilitating pre authentication of user[s] intended to access data resources
CN113573307A (en) * 2021-07-28 2021-10-29 西安热工研究院有限公司 Rapid authentication method based on extensible authentication protocol
WO2023083007A1 (en) * 2021-11-11 2023-05-19 广东石油化工学院 Internet of things device identity authentication method, apparatus and system, and storage medium

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105828332B (en) * 2016-04-29 2019-12-10 上海斐讯数据通信技术有限公司 improved method of wireless local area network authentication mechanism
CN108259160B (en) * 2016-12-28 2021-06-18 湖北高瞻科技有限责任公司 Data communication encryption method and device
CN108881105A (en) * 2017-05-08 2018-11-23 中车株洲电力机车研究所有限公司 A kind of method and system of connection setup
CN107682371A (en) * 2017-11-21 2018-02-09 北京安博通科技股份有限公司 A kind of malice AP detection method and device
CN108809933A (en) * 2018-04-12 2018-11-13 北京奇艺世纪科技有限公司 A kind of auth method, device and electronic equipment
CN111107551A (en) * 2018-10-29 2020-05-05 杭州海康威视数字技术股份有限公司 Wireless network bridge networking method and device
CN109218334B (en) * 2018-11-13 2021-11-16 迈普通信技术股份有限公司 Data processing method, device, access control equipment, authentication server and system
CN113079170B (en) * 2021-04-13 2023-04-07 厦门美域中央信息科技有限公司 SDN dynamic target defense method based on multistage interactive verification mechanism

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1426200A (en) * 2002-11-06 2003-06-25 西安西电捷通无线网络通信有限公司 Sefe access of movable terminal in radio local area network and secrete data communication method in radio link
CN1564514A (en) * 2004-03-26 2005-01-12 中兴通讯股份有限公司 Self arranged net mode shared key authentication and conversation key consulant method of radio LAN
CN1665183A (en) * 2005-03-23 2005-09-07 西安电子科技大学 Key agreement method in WAPI authentication mechanism
CN101772024A (en) * 2008-12-29 2010-07-07 中国移动通信集团公司 User identification method, device and system
CN105188057A (en) * 2015-08-26 2015-12-23 上海斐讯数据通信技术有限公司 Method and system for enhancing network access authentication security
CN105828332A (en) * 2016-04-29 2016-08-03 上海斐讯数据通信技术有限公司 Method of improving wireless local area authentication mechanism

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11089008B2 (en) 2018-11-20 2021-08-10 HCL Technologies Italy S.p.A. System and method for facilitating pre authentication of user[s] intended to access data resources
CN112039921A (en) * 2020-09-15 2020-12-04 广东安居宝数码科技股份有限公司 Verification method for parking access, parking user terminal and node server
CN113067705A (en) * 2021-04-13 2021-07-02 广州锦行网络科技有限公司 Method for identity authentication in connection establishment
CN113573307A (en) * 2021-07-28 2021-10-29 西安热工研究院有限公司 Rapid authentication method based on extensible authentication protocol
CN113573307B (en) * 2021-07-28 2024-01-30 西安热工研究院有限公司 Rapid authentication method based on extensible authentication protocol
WO2023083007A1 (en) * 2021-11-11 2023-05-19 广东石油化工学院 Internet of things device identity authentication method, apparatus and system, and storage medium

Also Published As

Publication number Publication date
CN105828332A (en) 2016-08-03
CN105828332B (en) 2019-12-10

Similar Documents

Publication Publication Date Title
WO2017185913A1 (en) Method for improving wireless local area network authentication mechanism
US9847882B2 (en) Multiple factor authentication in an identity certificate service
US7860485B2 (en) Device and process for wireless local area network association and corresponding products
WO2018076365A1 (en) Key negotiation method and device
CN104168267B (en) A kind of identity identifying method of access SIP security protection video monitoring systems
JP2017535998A5 (en)
WO2016115807A1 (en) Wireless router access processing method and device, and wireless router access method and device
CN103763356A (en) Establishment method, device and system for connection of secure sockets layers
JP2004030611A (en) Method for changing communication password by remote control
CN112312393A (en) 5G application access authentication method and 5G application access authentication network architecture
US8498617B2 (en) Method for enrolling a user terminal in a wireless local area network
KR100957044B1 (en) Method and system for providing mutual authentication using kerberos
CN104901940A (en) 802.1X network access method based on combined public key cryptosystem (CPK) identity authentication
WO2016011588A1 (en) Mobility management entity, home server, terminal, and identity authentication system and method
WO2015158228A1 (en) Server, user equipment, and method for user equipment to interact with server
CN114765534A (en) Private key distribution system based on national password identification cryptographic algorithm
CN105141629A (en) Method for improving network security of public Wi-Fi based on WPA/WPA2 PSK multiple passwords
WO2015180399A1 (en) Authentication method, device, and system
CN114024672A (en) Safety protection method and system for low-voltage power line carrier communication system
WO2006026925A1 (en) A method for setting the authentication key
Hoeper et al. Where EAP security claims fail
Dey et al. An efficient dynamic key based eap authentication framework for future ieee 802.1 x wireless lans
KR20130046781A (en) System and method for access authentication for wireless network
Singh et al. Survey and analysis of Modern Authentication system
Zhao et al. Addressing the vulnerability of the 4-way handshake of 802.11 i

Legal Events

Date Code Title Description
NENP Non-entry into the national phase
Ref country code: DE
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 17788566; Country of ref document: EP; Kind code of ref document: A1
122 Ep: pct application non-entry in european phase
Ref document number: 17788566; Country of ref document: EP; Kind code of ref document: A1