WO2018120247A1 - 一种终端匹配方法、装置 - Google Patents

一种终端匹配方法、装置 Download PDF

Info

Publication number
WO2018120247A1
WO2018120247A1 PCT/CN2016/114060 CN2016114060W WO2018120247A1 WO 2018120247 A1 WO2018120247 A1 WO 2018120247A1 CN 2016114060 W CN2016114060 W CN 2016114060W WO 2018120247 A1 WO2018120247 A1 WO 2018120247A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
message
information
identifier information
address
Prior art date
Application number
PCT/CN2016/114060
Other languages
English (en)
French (fr)
Inventor
李小仙
方平
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to US16/474,890 priority Critical patent/US11128661B2/en
Priority to PCT/CN2016/114060 priority patent/WO2018120247A1/zh
Priority to CN201680080490.8A priority patent/CN108886685B/zh
Publication of WO2018120247A1 publication Critical patent/WO2018120247A1/zh
Priority to US17/459,858 priority patent/US11824892B2/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30Security of mobile devices; Security of mobile applications
    • H04W12/33Security of mobile devices; Security of mobile applications using wearable devices, e.g. using a smartwatch or smart-glasses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1475Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • H04W12/108Source integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/71Hardware identity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10Small scale networks; Flat hierarchical networks
    • H04W84/12WLAN [Wireless Local Area Networks]

Definitions

  • the present application relates to the field of communications, and in particular, to a terminal matching method and apparatus.
  • Wireless local area network can provide wireless data transmission services for terminals in a limited range.
  • WiFi wireless fidelity
  • WiFi is addressed based on media access control (MAC) address.
  • the WiFi system can include the following two devices: access point (AP) and station (English: station, STA) Specific: an AP can connect multiple stations or one station through WiFi, such as the wearable device scene shown in Figure 1a, wearable devices with WiFi communication modules, such as bracelets, watches, glasses, necklaces, jewelry , shoes, etc., can be connected to the user's smart terminal, such as mobile phones, tablets, etc., wherein the smart terminal can be used as an AP of the WiFi system, and the wearable device is used as the STA of the WiFi system.
  • AP access point
  • STA station
  • an AP can connect multiple stations or one station through WiFi, such as the wearable device scene shown in Figure 1a
  • wearable devices with WiFi communication modules such as bracelets, watches, glasses, necklaces, jewelry , shoes, etc.
  • smart terminal such as mobile phones, tablets, etc.
  • the wearable device is used as the STA of the WiFi system.
  • the STA and the AP exchange messages through the WLAN air interface.
  • the MAC Header of the message sent and received on the WLAN air interface carries the Receiver Address (RA) and the sender address.
  • Transmitter Address, TA), RA and TA are usually fixed MAC addresses for a long time.
  • the eavesdropper can obtain the MAC address of the recipient of the message and the MAC address of the sender of the message by receiving and analyzing the message on the air interface.
  • the eavesdropper can obtain the privacy information of the terminal user by tracking the MAC address of a certain terminal (the sender of the message or the sender of the message), such as the location and time that often occurs, and the living habits of the terminal user can be known through a large amount of data analysis. Privacy information such as hobbies and even social relationships, so the existing WiFi system interaction method will lead to user information leakage and reduce the security of WiFi.
  • the technical problem to be solved by the embodiments of the present application is to provide a terminal matching method and device, which can solve the problem of low security of WiFi in the prior art.
  • a terminal matching method includes the following steps:
  • the second terminal obtains the interface address of the first terminal at the first time, the interface address of the first terminal is the first medium access control address MAC1, and the interface address of the second terminal is at the first time point. a second medium access control address MAC2; at a second time point after the first time point, the second terminal receives the first message sent by the first terminal, and the sender address included in the first message is the first
  • the interface address of the terminal is the changed third medium access control address MAC3, the first message includes: first identifier information, where the first identifier information is that the first terminal inputs the MAC1, the MAC2, and the secret information.
  • the information calculated by a preset irreversible calculation method is information shared by the first terminal and the second terminal; the second terminal compares the first identification information with the second identification information, such as The identifier information is consistent with the second identifier information, and the second terminal determines that the MAC3 of the first message and the MAC1 acquired by the second terminal are the same device, and the same device a first terminal; the second identifier information is that the second terminal inputs the MAC1, the MAC2, and the secret information into the information calculated by the first preset irreversible calculation method; A terminal sends a response message of the first message, where the response message carries a fourth medium access control address MAC4, and the MAC4 is the changed interface address of the second terminal.
  • the technical solution provided by the first aspect matches the first terminal device by using the generated first identifier information, so that after the MAC address of the first terminal device is changed, the peer device, such as the second terminal device, can identify and transform by using the first identifier information.
  • the subsequent MAC address is the MAC address of the first terminal.
  • the eavesdropper after the first identification information is obtained, since the first identification information is calculated by the irreversible algorithm, the eavesdropper cannot obtain the secret through the first identification information. Information, so for the eavesdropper, it can only obtain user information for a period of time, can not obtain complete user information, can not track the user's privacy (such as location information), thereby improving the security of WIFI.
  • the method further includes: the response message of the first message carries third identifier information, where the third identifier information is that the second terminal sends the MAC1, the MAC2, and the The secret information is input into the information calculated by the second preset irreversible calculation method.
  • the solution informs the first terminal that the second terminal is the corresponding device of the MAC2 by using the third identifier information in the response message of the first message.
  • the method further includes: the second terminal receives a second message sent by the first terminal, where the second message includes the first terminal determining that the MAC4 is the second An acknowledgment indication of the terminal interface address; when the second message includes the acknowledgment indication, the second terminal sends a response message of the second message to the first terminal.
  • the solution provides a scheme for the second terminal MAC address change notification, and implements the transformation of the second terminal address.
  • the second terminal detects whether the MAC1 conflicts with the medium access control address in the communication range of the second terminal, and if the second terminal detects the MAC1 conflict, sends the MAC1 to the first terminal.
  • the third message carries an indication that the medium access control address conflicts.
  • the first message, the second message, the third message, or the fourth message is a management frame
  • the information, the third identifier information, or the fourth identifier information is carried in an anti-tracking information element of the load portion in the management frame, where the anti-tracking information element includes: an element identifier and the identifier information; or the first message
  • the second message, the third message or the fourth message is a management frame or a control frame, and the subtype field of the management frame or the control frame indicates that the frame is an anti-tracking type frame
  • the load part of the frame or the control frame carries the first identification information, the second identification information, the third identification information or the fourth identification information.
  • a subtype field of the data frame indicates that the frame is an anti-tracking data frame, where the data frame is
  • the A3 field carries the first identification information.
  • the scheme provides another specific bit of the identification information in the message. The implementation of the first aspect of the technical solution is supported.
  • the subtype field of the data frame is set to an anti-tracking data frame, where the data is The A4 field of the frame carries the second identification information.
  • the solution provides another specific location of the identification information in the message, and supports the implementation of the first aspect technical solution.
  • a matching device configured in the second terminal, and the device includes: an acquiring unit, configured to acquire an interface address of the first terminal at a first time point, where the first terminal is The interface address is the first medium access control address MAC1, the interface address of the second terminal is the second medium access control address MAC2 at the first time point, and the transceiver unit is configured to use the second medium after the first time point Receiving, by the first terminal, the first message sent by the first terminal, where the sender address included in the first message, that is, the interface address of the first terminal, is the changed third medium access control address MAC3, and the first message includes a first identifier information, where the first identifier information is that the first terminal inputs the MAC1, the MAC2, and the secret information into the first preset irreversible calculation method, where the secret information is the first terminal and the second The information shared by the terminal, the processing unit, configured to compare the first identifier information with the second identifier information, where the first identifier
  • the technical solution provided by the second aspect matches the first terminal device by using the generated first identifier information, so that after the MAC address of the first terminal device is changed, the peer device, such as the second terminal device, can identify and transform by using the first identifier information.
  • the subsequent MAC address is the MAC address of the first terminal.
  • the first identification information is calculated by the irreversible algorithm. The eavesdropper cannot obtain the secret information through the first identification information, so for the eavesdropper, it can only obtain the user information for a certain period of time, cannot obtain the complete user information, and cannot track the user's privacy (such as location information). Thereby improving the security of WIFI.
  • the transceiver unit and the processing unit provided by the second aspect may be used to perform the foregoing optional technical solutions.
  • a terminal is provided, where the terminal is a second terminal, including: a processor, a wireless transceiver, a memory, and a bus, where the processor, the wireless transceiver, and the memory are connected by using the bus: the processor And obtaining, by the first time point, an interface address of the first terminal, where the interface address of the first terminal is the first medium access control address MAC1, and the interface address of the second terminal is at the first time point.
  • the first message includes: first identifier information, where the first identifier information is that the first terminal inputs MAC1, MAC2, and secret information into the first The information calculated by the preset irreversible calculation method, the secret information is information shared by the first terminal and the second terminal, and the processor is configured to use the first identifier information and the second identifier If the first identifier information is consistent with the second identifier information, the second terminal determines that the MAC3 of the first message and the MAC1 obtained by the second terminal are the same device, The same device is the first terminal; the second identifier information is information that the processor inputs the MAC1, the MAC2, and the secret information into the first preset irreversible calculation method; the transceiver And sending
  • the technical solution provided by the third aspect matches the first terminal device by using the generated first identifier information, so that after the MAC address of the first terminal device is changed, the peer device, such as the second terminal device, can identify and transform by using the first identifier information.
  • the subsequent MAC address is the MAC address of the first terminal.
  • the first identification information is calculated by the irreversible algorithm. The eavesdropper cannot obtain the secret information through the first identification information, so for the eavesdropper, it can only obtain the user information for a certain period of time, cannot obtain the complete user information, and cannot track the user's privacy (such as location information). Thereby improving the security of WIFI.
  • the fourth aspect provides a terminal matching method, where the method includes the following steps: the second terminal acquires an interface address of the first terminal at a first time, and the interface address of the first terminal is the first time a media access control address MAC1; at a second time after the first time point, the second terminal receives a first message sent by the first terminal, and the sender address included in the first message is The interface address of the terminal is the changed third medium access control address MAC3, and the first message includes: first identifier information, where the first identifier information is that the first terminal controls the MAC1 and the second medium.
  • the address MAC2 and the secret information are input to the information calculated by the first preset irreversible calculation method;
  • the secret information is information shared by the first terminal and the second terminal, and the interface address of the second terminal is at the first time point And the second time is MAC2;
  • the second terminal compares the first identifier information with the second identifier information, and if the first identifier information is consistent with the second identifier information, the second Determining that the MAC3 of the first message and the MAC1 acquired by the second terminal are the same device, the same device is the first terminal, and the second identifier information is a second terminal. And inputting the MAC1, the MAC2, and the secret information into the information calculated by the first preset irreversible calculation method; the second terminal sends a response message of the first message to the first terminal, where the response message Carrying the MAC2.
  • the technical solution provided by the fourth aspect can arbitrarily change the MAC address without confirming according to the information sent by the peer end.
  • FIG. 1a is a schematic diagram of a wearable device scenario.
  • Figure 1b is a flow chart of a terminal matching method.
  • FIG. 1c is a flowchart of a terminal matching method provided by the prior art.
  • FIG. 2 is a schematic diagram of a terminal matching method provided by the present application.
  • FIG. 3 is a flowchart of a terminal matching method according to another embodiment of the present application.
  • FIG. 4 is a schematic flow chart of a temporary matching method.
  • FIG. 5 is a flowchart of a method for matching a terminal according to another embodiment of the present disclosure.
  • FIG. 6 is a flowchart of a terminal matching method according to another embodiment of the present application.
  • Figure 7-1 is a schematic diagram of the format of a message provided by the present application.
  • FIG. 7-2 is another schematic diagram of a format of a message provided by the present application.
  • 7-3 is a schematic diagram of still another format of the message provided by the present application.
  • FIG. 8 is a schematic structural diagram of a matching apparatus according to an embodiment of the present application.
  • FIG. 9 is a schematic diagram of hardware of a terminal according to an embodiment of the present application.
  • FIG. 1b is a flowchart of a method for a terminal to negotiate a temporary MAC address according to the prior art.
  • the method shown in FIG. 1b can be implemented in the scenario shown in FIG. 1a, as shown in FIG. 1a.
  • the mobile phone 11 can be an AP
  • the portable wearable device can be an STA.
  • the smart glasses 12, the smart bracelet 13 , the smart running shoes 14 , and the smart clothing 15 can all be STAs.
  • the method includes the following steps:
  • Step S101 When the STA determines that MAC address replacement is required, the STA generates a temporary MAC address.
  • Step S102 The STA sends the temporary MAC address to the AP.
  • Step S103 The AP detects the basic service set (BBS) in which the temporary service MAC address is unique. If the temporary MAC address is unique, the AP sends a message to the STA, where the message carries the temporary MAC address. Instructions.
  • BSS basic service set
  • Step S104 The STA uses the temporary MAC address as the currently used interface address.
  • the above method as shown in FIG. 1b requires the STA and the AP to use a special message to make a temporary MAC address convention.
  • the STA translates the MAC address only in the BSS where it is located, but cannot autonomously change the MAC address according to its own rules.
  • FIG. 2 is a flowchart of a terminal matching method according to an embodiment of the present disclosure.
  • the technical scenario implemented in this embodiment is that the first terminal and the second terminal may be connected by using a wireless manner, for example, the first terminal may be configured.
  • the second terminal can be an AP of an infrastructure network.
  • the first terminal and the second terminal may be a WiFi P2P (peer-to-peer) device.
  • the first terminal and the second terminal may be devices based on a WiFi NAN (Neighbor Awareness Network) standard.
  • the first terminal may also be an AP, and the second terminal may also be an STA.
  • the first terminal and the second terminal may both be STAs or APs.
  • the specific implementation manner of the present application does not limit the forms of the first terminal and the second terminal.
  • the first terminal is associated with the second terminal, for example, the first terminal and the second terminal exchange service discovery function (SDF) messages, and the interface address of the peer end is obtained through the SDF message, and the pair is known.
  • SDF service discovery function
  • the first terminal and the second terminal are considered to be associated.
  • the first terminal and the second terminal complete the interaction at least once, the interface address of the other party is obtained.
  • the first terminal and the second terminal are considered to be associated.
  • the manner of the above interaction includes but is not limited to: an association step or a service discovery interaction.
  • the interface address in the embodiment of the present application refers to an address used to identify the device, for example, a MAC address, when the first terminal interacts with the second terminal in wireless communication.
  • the message sent by the first terminal to the second terminal in this embodiment is exemplified by unicast.
  • the above method is shown in Figure 2 and includes the following steps:
  • Step S201 The first terminal acquires the interface address of the second terminal at the first time point, where the interface address of the second terminal is MAC2 at the first time point, and the interface address of the first terminal is at the first time point.
  • the second terminal acquires the interface address MAC1 of the first terminal at the first time point;
  • the manner of obtaining the interface address of the second terminal in the foregoing step S201 may be performed in multiple manners.
  • the first terminal and the second terminal are WiFi P2P devices
  • the first terminal may pass at least one probe request and The Probe Response message acquires the interface address of the second terminal.
  • the two parties respectively know the interface address of the opposite end.
  • Step S202 The first terminal sends a first message to the second terminal at a second time point after the first time point, where the TA (which is the MAC address of the first terminal) is the changed MAC3, the first The RA (which is the MAC address of the second terminal) in the message is the MAC2, and the first message may include: first identifier information, where the first identifier information may be preset by using at least the information including the MAC1, the MAC2, and the secret information. The irreversible calculation method is calculated.
  • Receiving, by the second terminal, the first message at a second time point after the first time point it may be understood that the receiving of the first message occurs at a second time point after the first time point, or slightly more than the second time The time is later (considering the transmission time of the first message).
  • the MAC address of the second terminal can be changed from MAC2 to MAC4, and the message that the target address (ie, RA) is MAC2 can still be received.
  • a possible implementation manner is: setting a virtual MAC entity inside the second terminal, and setting the MAC address of the virtual MAC entity to MAC2.
  • the first identification information is transmitted to the matching module in the second terminal, such as a multi-band SME (Station Management Entity) in the second terminal, and the matching module confirms that the terminal corresponding to the MAC3 is the MAC1 according to the first identification information.
  • the MAC entity indicating that the MAC address is MAC4 replies to the response message of the first message, and then the MAC entity of the MAC4 interacts with the first terminal.
  • the MAC address of the second frequency band can be set to MAC2, and when the MAC entity of the second frequency band receives After the first message, the first identifier information is transmitted to the matching module in the second terminal, such as the SME in the second frequency band.
  • the matching module confirms that the terminal corresponding to the MAC3 is the device corresponding to the MAC1 according to the first identifier information, the MAC is indicated.
  • the SME of the first frequency band whose address is MAC4 replies to the second message, and then the MAC entity whose MAC address is MAC4 interacts with the first terminal.
  • the irreversible calculation method in the above step S202 can be set by the manufacturer, for example, a hash algorithm, such as SHA-256, SHA-1 or a calculation method combined with a hash algorithm, such as performing a hash algorithm calculation on the input information. Perform processing such as intercepting several bits, adding several bits of other information.
  • a hash algorithm such as SHA-256, SHA-1
  • a calculation method combined with a hash algorithm, such as performing a hash algorithm calculation on the input information.
  • Perform processing such as intercepting several bits, adding several bits of other information.
  • First identification information LSB 48bit SHA-265 (MAC1
  • the specific calculation manner of the foregoing first identifier information is: the result obtained by inputting MAC1, MAC2 and secret information as input information into the SHA-256 algorithm, and taking the least significant bit of 48 bits as the first identification information, where
  • the first terminal may send the first message in multiple manners, for example, sending the first message by multicast, specifically, the receiving address of the first message is a broadcast address or a multicast address.
  • the first message may also be sent in a unicast manner.
  • the first terminal may use the MAC2 as the receiving address of the first message.
  • the first terminal first performs passive monitoring. If the first terminal can monitor the message using the MAC2 as the sending address, the first terminal determines that the second terminal still uses the MAC2.
  • the first terminal sets the receiving address of the first message to MAC2.
  • the secret information may be the secret information shared by the first terminal and the second terminal, and may be obtained by using any one of the following manners. Of course, the secret information may be obtained by using other methods, only the first terminal and The second terminal can obtain the same secret information.
  • the above calculation method is calculated by using the irreversible calculation method in order to prevent the above secret information from being reversed, which affects the security of the WIFI.
  • the first terminal and the second terminal perform a 4-way handshake (English: 4way-handshake), the first terminal and the second terminal both generate the same pairwise transit key (PTK), and the PTK is used as a follow-up
  • the seed key of the encryption key and the integrity check is generated, and the secret information can be obtained by the PTK, for example, intercepting or converting the PTK, or calculating with other information (for example, fixed plaintext) to derive the secret information.
  • secret information SHA-256 (64 bits after PTK
  • the first terminal and the second terminal perform a key establishment process, and the secret information exchanged by the key generated by the key establishment process is encrypted, for example, the first terminal and the second terminal perform 4way-handshake, and both sides generate the same PTK, using PTK to further generate TK (temporal key), when both parties need to secretly transmit information, secret information can be generated by either party (first terminal or second terminal), and the secret information transmission is encrypted by TK. Give each other so that both parties share secret information.
  • the first terminal and the second terminal pass Diffie Hellman (English: Diffie Hellman, DH) Key exchange algorithm or elliptic curve Diffie Hellman (ECDH) key exchange algorithm to obtain a shared DH key or ECDH key, intercept or convert the DH Key or ECDH key to obtain the above
  • the secret information for example, intercepts the first 128 bits of the DH key or the ECDH key as the above secret information.
  • the mode D, the first terminal, and the second terminal obtain the secret information by using a trusted third party.
  • the first terminal and the second terminal acquire configuration information of a configuration device, where the configuration information includes secret information of the first terminal and the second terminal.
  • the trusted third party of the first terminal and the second terminal is a configuration device, and the device configuration is configured.
  • the configuration device may include the secret information or the information used to generate the secret information in the configuration information sent to the first terminal and the configuration information sent to the second terminal.
  • Step S203 The second terminal receives the first message, extracts the first identifier information of the first message, compares the first identifier information with the second identifier information, and if the comparison is consistent, confirms that the sending device that sends the first message is currently used.
  • the interface address MAC3 and the interface address MAC1 of the peer device associated with the second terminal identify the same device, that is, the first terminal.
  • the second identifier information is calculated by the second terminal by inputting MAC1, MAC2, and secret information into a preset irreversible calculation method.
  • the foregoing steps may further include the following steps:
  • Step S204 The second terminal sends the second message to the first terminal by using the changed MAC4 as the current MAC address, where the second message is a response message of the first message, and is used to indicate the first terminal to the first terminal.
  • the second terminal is a corresponding device of MAC2.
  • the MAC address translation in the prior art provides a solution as shown in FIG. 1c (ie, FIG. 1 of the patent), and the STA 103 obtains the information 102 from the AP 101 (AP_info, specifically as may be The service set identifier (SSID) of the AP, the STA 103 combines the information 102 and the permanent address PMA of the STA 103 (generally the global MAC address of the mobile device) by a preset algorithm 104 (such as a hash algorithm).
  • SSID service set identifier
  • the STA 103 uses the temporary MAC address for subsequent communication with the AP 101 (eg, Authentication Authentication) Process), after receiving the message sent by the STA 103, the AP 101 matches the PMA of the STA 103 that the AP 101 has previously learned with the temporary MAC address of the received STA 103.
  • the AP 101 eg, Authentication Authentication
  • the AP 101 matches the PMA of the STA 103 that the AP 101 has previously learned with the temporary MAC address of the received STA 103.
  • a mobile device associates a network access point, obtains information from the wireless access point, and generates a temporary identification information according to the information and the permanent address of the mobile device (generally the global MAC address of the mobile device).
  • the temporary identification information is used as an addressing identifier for communication in the network of the network access point.
  • the STA updates the MAC address
  • the message sent by the STA to the AP will not be received by the AP, and the STA will be disconnected from the AP.
  • the technical solution shown in FIG. 2 generates the identification information by using the two-party MAC addresses (ie, MAC1 and MAC2) and the shared key when the AP and the STA are associated each time. First, the MAC address of any device can be autonomously changed.
  • the STA does not need to determine the new MAC address according to the information sent by the AP, and the MAC address can be arbitrarily changed. Secondly, if the MAC address of any device is changed, if it is to be compared with the peer device. If the device is re-matched, the device generates the identification information for matching the peer end, so that after the other party receives the identifier, the device identifies the sender device according to the identifier information, and sends a response message to the sender device, and receives the response. The sender device of the message can determine that the device that sent the response message is the previously associated peer device, thereby achieving matching.
  • the above-mentioned indication to the first terminal may be an implicit indication.
  • the second terminal of the sending device that determines the response message is a device corresponding to the MAC2.
  • the indication to the first terminal may also be an explicit indication.
  • the corresponding device that indicates that the second terminal is the MAC2 to the first terminal may be indicated by a value of an indication bit, of course, in practical application. In other ways, it may also be indicated by other means, for example, by using special characters of a plurality of consecutive fields.
  • step S204 can also be replaced by the following steps;
  • Step S204-1 The second terminal sends a second message to the first terminal, where the second message is a response message (ACK) of the first message, and the TA of the ACK (the interface address of the second terminal) is MAC2, the ACK And a corresponding device for indicating to the first terminal that the second terminal is MAC2.
  • ACK response message
  • TA of the ACK the interface address of the second terminal
  • the second terminal does not change the interface address, and this solution can change the first terminal interface address from MAC1 to MAC3.
  • step S204 can also be replaced by the following steps;
  • Step S204-2 The second terminal sends a second message to the first terminal, where the second message carries a third identifier, where the third identifier may be temporarily generated after the second terminal receives the first message and matches successfully, or may be advanced. generate.
  • the third identification information is also generated based on at least the MAC1, MAC2, and secret information by using another irreversible algorithm.
  • a different generation formula may be used when generating the first identification information or different parameters may be input in the same formula, for example, using a segment.
  • the above plaintext information indicates that the information is information that the first terminal and the second terminal can acquire.
  • the first terminal After the first terminal receives the second message, the first terminal confirms that the third identifier information matches the locally stored identifier information, and confirms that both the MAC4 and the MAC2 are interface addresses of the second terminal, that is, the sending device of the second message. That is the second terminal.
  • the first terminal For the calculation manner of the above-mentioned locally stored identification information, refer to the calculation manner of the third identification information.
  • the technical solution provided by the embodiment of the present application implements the change of the MAC address of the first terminal. Because the first terminal of the technical solution can change the currently used interface address, the eavesdropper can obtain the MAC address by receiving the message on the air interface. However, since the eavesdropper cannot know the secret information, the eavesdropper can only obtain the user information corresponding to the MAC address of one period, so that the eavesdropper cannot obtain the complete user information, and cannot perform the privacy of the user (such as location information). Tracking to improve the security of WIFI.
  • the foregoing method may further include: before step S203:
  • the second terminal extracts the interface address MAC3 of the first message, and when the MAC3 conflicts with the interface address of the transmission range where the second terminal is located, the second terminal sends a third message to the first terminal, where the third message carries a MAC address conflict.
  • the indication that the third message carries is a MAC address conflict, and the first terminal changes the currently used interface address from MAC3 to another MAC.
  • the indication of the MAC address conflict may be an indication value, and the indication value may be a conflict or a non-collision, which may be represented by one bit.
  • the indication of the MAC address conflict may also be through the Status Code field. Expression.
  • This technical solution can avoid communication failure due to MAC address conflict.
  • the foregoing method may further include:
  • the first terminal encrypts the message sent to the second terminal by using the key material.
  • the above key material can adopt the PTK of the above mode A, and of course, in practical applications, it can also be replaced by a KEYK-like key material.
  • the technical solution can reduce the interaction step between the first terminal and the second terminal.
  • the first terminal and the second terminal need to perform the 4 handshake step again.
  • the new PTK is obtained, and then the new PTK is used to encrypt the message sent to the second terminal.
  • the PTK in the above manner A does not need to perform the 4 handshake step again, thereby reducing the number of information interactions between the first terminal and the second terminal.
  • FIG. 3 is a flowchart of a terminal matching method according to another embodiment of the present disclosure.
  • the technical scenario implemented in this embodiment is that the first terminal and the second terminal may be connected by using a wireless manner, and the first terminal may be configured.
  • the second terminal may be an AP of an infrastructure network, or the first terminal and the second terminal are WiFi P2P (peer-to-peer) devices.
  • the wireless method includes but is not limited to: WiFi, Bluetooth (English: blue tooth, BT) or Zigbee.
  • the message sent by the first terminal to the second terminal in the embodiment is described by taking a multicast message as an example.
  • an interface address of the first terminal is identified as MAC1
  • the second terminal in the multicast is An interface address is identified as MAC2.
  • the above method is shown in FIG. 3 and includes the following steps:
  • Step S301 The first terminal acquires the interface address of the second terminal, that is, MAC2, at the first time, the interface address of the first terminal is MAC1 at the first time, and the second terminal acquires the interface of the first terminal at the first time.
  • the address is MAC1;
  • Step S302 The first terminal sends a first multicast message at a second time point after the first time point, where the TA (the MAC address of the first terminal) in the first multicast message is MAC3, and the first multicast message may be Including first identification information;
  • Step S303 The second terminal receives the first multicast message, and extracts the first identifier information of the first multicast message, compares the first identifier information with the second identifier information, and if the comparison is consistent, confirms that the first message is sent.
  • the interface address MAC3 currently used by the device and the MAC1 of the peer device associated with the second terminal identify the same device, that is, the first terminal.
  • Step S304 The second terminal sends a second message to the first terminal, where the TA of the second message (the interface address of the second terminal) is MAC4, and the RA of the second message (the interface address of the first terminal) is MAC3.
  • the second message carries the third identification information.
  • the third identification information may be through MAC1, MAC2
  • the secret information is input into the identification information calculated by another preset irreversible calculation method.
  • the third identifier information L265(MAC1
  • Step S305 The first terminal receives the second message, extracts the third identifier information of the second message, compares the third identifier information with the fourth identifier information, and if the comparison is consistent, confirms the interface currently used by the sending device that sends the second message.
  • the MAC2 of the peer device whose address MAC4 is associated with the first terminal identifies the same device, that is, the second terminal.
  • the fourth identifier may be identifier information calculated by inputting MAC1, MAC2, and secret information into another preset irreversible calculation method.
  • identifier information calculated by inputting MAC1, MAC2, and secret information into another preset irreversible calculation method.
  • specific calculation method refer to the calculation method of the third identification information.
  • the method may further include: the first terminal inputs the interface addresses MAC3, MAC4, and secret information used by the current two parties into the preset irreversible algorithm to obtain a fifth identifier, when the first terminal changes the MAC address again,
  • the fifth identification information is used as the identification information after the conversion.
  • the foregoing method may further include:
  • the first terminal sends a fourth message to the second terminal, where the fourth message may include an acknowledgement indication that the currently used interface address of the second terminal is MAC4, and the confirmation indication value may be confirmed or not confirmed, and the specific terminal may pass One bit is represented by, for example, 1 for acknowledgment, 0 for no acknowledgment, and second terminal for receiving the fourth message, and for extracting the indication of the fourth message as acknowledgment, transmitting a response to the fourth message to the first terminal. Message.
  • This technical solution can solve the problem that the first terminal and the second terminal cannot communicate due to hibernation. Specifically, after receiving the second message, the first terminal sends an ack message to the second terminal. If the ack message is not received by the second terminal and the first terminal is dormant, the first terminal is The second identifier information is generated, and after the first terminal wakes up, if the MAC is replaced, the second identifier information is carried in the message, and the second terminal uses the second identifier because the ack message is not received. Information, which results in a mismatch in the identification information and thus inability to communicate.
  • FIG. 4 is a flowchart of a terminal matching method according to an embodiment of the present disclosure.
  • the technical scenario implemented in this embodiment is that the first terminal and the second terminal may be connected by using a wireless manner, and the first terminal may be The STA of the infrastructure network, the second terminal may be an AP of an infrastructure network.
  • the method is as shown in FIG. 4, and includes the following steps:
  • Step S401 The first terminal acquires the interface address of the second terminal at the first time point, where the interface address of the second terminal is MAC2 at the first time point, and the interface address of the first terminal is at the first time point.
  • the second terminal acquires the interface address MAC1 of the first terminal at the first time.
  • Step S402 The first terminal sends a first message to the second terminal at a second time point after the first time point, where the TA (which is the MAC address of the first terminal) is the changed MAC3, the first The RA (which is the MAC address of the second terminal) in the message is the MAC2, and the first message may include: first identifier information, where the first identifier information may be preset by using at least the information including the MAC1, the MAC2, and the secret information. The irreversible calculation method is calculated.
  • Step S403 The second terminal receives the first message, extracts the first identifier information of the first message, compares the first identifier information with the second identifier information, and if the comparison is consistent, confirms that the sending device that sends the first message is currently used.
  • the interface address MAC3 and the interface address MAC1 of the peer device associated with the second terminal identify the same device, that is, the first terminal.
  • Step S404 The second terminal sends a response message of the first message, where the RA of the response message of the first message (which is the MAC address of the first terminal) is the changed MAC3, and the TA in the first message is the second The MAC address of the terminal is MAC2.
  • the address translation of the first terminal may be any transformation, which does not need to determine a new MAC address according to the information sent by the peer end, and the MAC address may be arbitrarily transformed.
  • FIG. 5 is a flowchart of a terminal matching method according to another embodiment of the present disclosure.
  • the technical scenario implemented in this embodiment is that the first terminal and the second terminal may be connected by using a wireless manner, and the first terminal may be a The STA of the infrastructure network, the second terminal may be an AP of an infrastructure network.
  • the wireless method includes but is not limited to: WIFI, Bluetooth (English: blue tooth, BT) or Zigbee.
  • the message sent by the first terminal to the second terminal in the embodiment is illustrated by using multicast as an example.
  • the interface address of the first terminal is identified as MAC1, and the interface address of the second terminal in the multicast is used.
  • the ID is MAC2.
  • the above method is shown in FIG. 5 and includes the following steps:
  • the first terminal is associated with the second terminal
  • the implementation method of the foregoing step S502 is specifically: when the first terminal receives the cancellation sent by the second terminal If the message indicates that the second terminal STA supports anti-tracking, the first terminal may determine that the second terminal supports Anti-tracking. In the subsequent process, the first terminal may be associated with the second terminal. After the terminal establishes association, the solution of this embodiment is started.
  • the second terminal supports anti-tracking and can also be the default setting of the second terminal, and does not require an explicit indication.
  • the first terminal establishes first secret information shared by the second terminal.
  • the first terminal generates the identifier information, that is, the first identifier information.
  • the implementation method of the foregoing step S504 may be specifically: the first terminal generates the identifier information by using the irreversible algorithm according to at least the current MAC address of the second terminal (ie, MAC2), the current MAC address of the second terminal (ie, MAC1), and the first secret information.
  • the identifier information is carried by the first terminal when the first terminal sends the first message, and the identifier information can be used to receive the first terminal, that is, the second terminal performs identity matching on the first terminal based on the identifier information.
  • the first terminal When the first terminal is associated with multiple peer devices, that is, multiple terminals (for example, the third terminal and the fourth terminal), it maintains a list including the identification information corresponding to the multiple terminals, and the first terminal sends the first
  • the message retains a list of search element information including a mapping relationship between the following parameters (eg, the MAC address of the second terminal or the current MAC address of the first terminal) and the identification information.
  • the identifier information may be generated when the first terminal needs to send the first message, or may be generated before at least one of the first terminal and the second terminal changes the MAC address.
  • the first terminal sends a broadcast or unicast first message, where the first message carries the first identifier information, where the sending address of the first message is the MAC address of the first terminal, that is, MAC3.
  • the first terminal receives the response message of the first message, and the sending address of the response message is MAC4.
  • step S507 may be performed. Further optionally, step S508 may also be performed.
  • the first terminal maps the MAC address of the sending address of the response message to the MAC2 address, that is, determines that the MAC4 and the MAC2 identify the same device, that is, the second terminal.
  • the foregoing current association is compared to the previous association. Specifically, it can be understood that when the first terminal acknowledges receipt of the response message of the first message and the sending address of the response message is MAC4, the first terminal determines that the MAC4 corresponds to The device is the second terminal corresponding to the MAC2 that is associated with the last time, so that the first terminal can directly multiplex the information obtained when the last time is associated with the second terminal (the connection information of the interaction in step S502, such as the security key and the sequence counter. , packet value counter, associated information, robust security network association (RSNA), etc., and then can use this information to continue communication with the second terminal, it can be understood that the two parties have achieved the association again, ie, Current association.
  • the connection information of the interaction in step S502 such as the security key and the sequence counter. , packet value counter, associated information, robust security network association (RSNA), etc.
  • the second terminal may discard the original identification information after receiving the response message sent by the first terminal (for example, a new message second message or a response message of the first message response message), and use the current The MAC address used by both parties is re-generated to generate new matching identification information.
  • the second identifier information may be generated according to the current MAC address of the first terminal, the current MAC address of the second terminal, and the first secret information are generated by using a preset irreversible algorithm, and the MAC address of the first terminal is changed from the previous MAC1 to the current one.
  • the second identifier information of the second terminal is the MAC2 and is not changed.
  • the second identifier information may be generated according to the MAC3, the MAC2, and the first secret information by using a preset irreversible algorithm.
  • the technical solution can change the identification information according to the current MAC address when the MAC address of any one of the parties changes, thereby ensuring the freshness of the identification information.
  • the technical solution provided by the embodiment of the present application implements the change of the MAC address of the first terminal.
  • the first terminal can change the currently used interface address at any time, so that even if the eavesdropper obtains the MAC address by receiving the message on the air interface, However, since the eavesdropper cannot know the secret information, the eavesdropper can only obtain the user information corresponding to the MAC address of a period of time, so that the eavesdropper cannot obtain the complete user information, and cannot track the user's privacy (such as location information). To improve the security of WIFI.
  • FIG. 6 is a flowchart of a terminal matching method according to another embodiment of the present application.
  • the technical scenario implemented in this embodiment is that the first terminal and the second terminal may be connected by using a wireless manner, and the first terminal may be a basic The STA of the facility network, the second terminal may be an AP of an infrastructure network, and the peer terminal of the second terminal may also be multiple, and the second terminal maintains a list including the identifier information corresponding to the multiple peer devices.
  • the above method is shown in Figure 6, and includes the following steps:
  • Step S601 the second terminal starts
  • Step S602 the second terminal establishes an association with the anti-tracking STA.
  • Step S603 the second terminal establishes first secret information shared with the STA.
  • Step S604 The second terminal generates first identifier information, and adds the first identifier information to the identifier information list (list) recorded on the second terminal.
  • the foregoing second terminal generating the identification information may be calculated by inputting the MAC1, the MAC2, and the first secret information into a preset irreversible calculation method.
  • the above irreversible calculation method can be set by the manufacturer itself, for example: a hash algorithm, such as SHA-256, SHA-1 or a calculation method combining a hash algorithm, such as performing a hash algorithm calculation on the input information and then intercepting several bits. , adding a number of other information and other processing.
  • first identification information LSB 48bit SHA-265 (MAC1
  • the result takes the least significant bit of 48 bits as the first identification information, where
  • Step S605 The second terminal receives a broadcast or unicast message carrying the second identification information.
  • Step S606 The second terminal determines whether the second identifier information is the same as a matching identifier information in the identifier information list.
  • Step S607 If the second identifier information is the same as the first identifier information in the list, extract the MAC address (ie, MAC1) of the peer STA used when generating the first identifier information, and send the broadcast or unicast message to the address (ie, MAC3) is mapped to MAC1, confirming that MAC3 and MAC1 identify the same peer device.
  • Step S608 The second terminal sends a response message of the broadcast or unicast message to the STA, and uses the current MAC address (ie, MAC4) as the response message sending address.
  • MAC4 the current MAC address
  • Step S609 determining that the MAC address used by the currently associated two parties is different from the last used MAC address, and then discarding the original identification information, that is, the first identification information, and using the MAC address used by both parties in the current association (in this case)
  • the new identification information that is, the third identification information, is newly generated for the MAC3, MAC4, and the first secret information, and the third identification information is added to the list.
  • the second terminal determines that the MAC address used by the currently associated two parties is changed compared to the MAC address used by the last associated party. It can be understood that, as shown in FIG. 2, after the step S204, the second terminal receives the pair sent by the first terminal. After the acknowledgement ACK message of the first message response message (or, as shown in FIG. 3, the terminal receives the acknowledgement message sent by the first terminal to the second message), the second terminal may confirm The MAC addresses of the two parties currently associated with each other are MAC3 and MAC4, and the MAC addresses used by both parties are changed compared to the last time the two parties are associated.
  • the technical solution provided by the foregoing embodiment provides that the AP establishes an identifier information list when multiple STAs are connected to the AP, and can update the identifier information in the identifier information list according to whether the current MAC address of the AP or the STA changes, so the support is supported.
  • the security of information exchange of multiple STAs improves the security of WIFI.
  • the identification information in the embodiment of the present application may be carried in the following fields in the message.
  • the identifier information (including the first identifier information, the second identifier information, the third identifier information, the fourth identifier information, or the fifth identifier information) carries an information element defined in a payload portion of the management frame.
  • IE for example, as shown in FIG. 7-1, an anti-tracking information element Anti-tracking IE is defined, the anti-tracking information element including an element ID and identification information.
  • the management frame is, for example, a Probe Request or a Probe Response.
  • Figure 7-2 takes a management frame as an example.
  • This management frame can also be replaced with a control frame.
  • the Subtype field of the management frame indicates that the frame is an anti-tracking management frame, and the payload portion of the management frame includes the above-described identification information.
  • use an Public Action Frame to define an Anti-tracking public action frame, and include the above identification information in its payload part.
  • the message is a data frame, as shown in Figure 7-3.
  • the data frame is an anti-tracking data frame, and the A3 (address 3) position or A4 (address 4) of the data frame is set to the identification information or the 6-byte information containing the identification information.
  • the identifier information is carried in the case where the A3 is only applicable to the source device of the data frame, because the source MAC address of the data frame is not indicated for the A1 and A2 fields according to the definition of the data frame.
  • destination MAC if the first terminal is not the source device of the data frame, then A3 has a specific meaning. If it is modified, it will affect the transmission of the data frame.
  • the identification information carried in A4 is only applicable to the second terminal for the data.
  • the case of a destination device of a frame because if the second terminal is a non-target device, carrying the identification information at the A4 location will affect the transmission of the data frame.
  • FIG. 8 provides the matching apparatus 800.
  • the matching apparatus 800 is configured and the second terminal, and the matching apparatus 800 can be used to perform operations of the second terminal in FIG. 2 and FIG. 3.
  • the device includes:
  • the obtaining unit 801 is configured to acquire an interface address of the first terminal at a first time point, where an interface address of the first terminal is a first medium access control address MAC1, and an interface address of the second terminal is at the first time Point time is the second medium access control address MAC2;
  • the transceiver unit 802 is configured to receive, by the second time point after the first time point, the first message sent by the first terminal, where the sender address included in the first message, that is, the interface address of the first terminal, is The third medium access control address MAC3, the first message includes: first identifier information, where the first identifier information is calculated by the first terminal to input MAC1, MAC2, and secret information into a first preset irreversible calculation method. The obtained information; the secret information is information shared by the first terminal and the second terminal;
  • the processing unit 803 is configured to compare the first identifier information with the second identifier information. If the first identifier information is consistent with the second identifier information, the second terminal determines the MAC3 and the location of the first message. The MAC1 obtained by the second terminal identifies the same device, and the same device is the first terminal;
  • the second identifier information is information that the processing unit inputs the MAC1, the MAC2, and the secret information into the first preset irreversible calculation method;
  • the transceiver unit 802 is further configured to send a response message of the first message to the first terminal, where the response message carries a fourth medium access control address MAC4, where the MAC4 is the changed interface address of the second terminal.
  • FIG. 9 is a terminal.
  • the terminal is a second terminal, and includes a processor 901, a wireless transceiver 902, a memory 903, and a bus 904.
  • the transceiver 902 is configured to send and receive data with and from an external device.
  • the number of processors 901 may be one or more.
  • processor 901, memory 902, and transceiver 903 may be connected by bus 904 or other means.
  • the terminal 90 can be used to perform the steps of the second terminal in FIG. 2 or 3.
  • the program code is stored in the memory 903.
  • the processor 901 is configured to call the program code stored in the memory 903 for performing the following operations:
  • the processor 901 is configured to acquire an interface address of the first terminal at a first time point, where an interface address of the first terminal is a first medium access control address MAC1, and an interface address of the second terminal is a second medium access control Address MAC2;
  • the transceiver 902 is configured to receive, by the second time point after the first time point, the first message sent by the first terminal, where the sender address included in the first message, that is, the interface address of the first terminal, is The third medium access control address MAC3, the first message includes: first identifier information, where the first identifier information is calculated by the first terminal to input MAC1, MAC2, and secret information into a first preset irreversible calculation method. The obtained information, where the secret information is information shared by the first terminal and the second terminal;
  • the processor 901 is configured to compare the first identifier information with the second identifier information. If the first identifier information is consistent with the second identifier information, the second terminal determines the MAC3 and the location of the first message. The MAC1 obtained by the second terminal identifies the same device, and the same device is the first terminal;
  • the second identifier information is information that the processor 901 inputs by using the MAC1, the MAC2, and the secret information into the first preset irreversible calculation method.
  • the transceiver 902 is further configured to send a response message of the first message to the first terminal, where the response message carries a third medium access control address MAC4, where the MAC4 is the changed interface address of the second terminal.
  • the processor 901 herein may be a processing component or a general term of multiple processing components.
  • the processing component may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
  • CPU central processing unit
  • ASIC application specific integrated circuit
  • DSPs digital singal processors
  • FPGAs Field Programmable Gate Arrays
  • the memory 903 may be a storage device or a collective name of a plurality of storage elements, and is used to store executable program code or parameters, data, and the like required for the application running device to operate. And the memory 903 may include random access memory (RAM), and may also include non-volatile memory (non-volatile memory) Memory), such as disk storage, flash (Flash), etc.
  • RAM random access memory
  • non-volatile memory non-volatile memory
  • flash flash
  • the bus 904 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus.
  • ISA Industry Standard Architecture
  • PCI Peripheral Component
  • EISA Extended Industry Standard Architecture
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 9, but it does not mean that there is only one bus or one type of bus.
  • the terminal may also include input and output means coupled to bus 904 for connection to other portions, such as processor 901, via a bus.
  • the input/output device can provide an input interface for the operator, so that the operator can select the control item through the input interface, and can also be other interfaces through which other devices can be externally connected.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本申请实施例公开了一种终端匹配方法、装置,所述方法包括:第二终端获取第一终端的接口地址,所述第一终端的接口地址为MAC1;第二终端接收第一终端发送的第一消息,所述第一消息的第一终端的接口地址为变更后的MAC3,所述第一消息包括:第一标识信息;所述第二终端将所述第一标识信息与第二标识信息比对,如第一标识信息与第二标识信息一致,所述第二终端确定所述第一消息的所述MAC3与所述第二终端获取的所述MAC1是标识同一个设备,所述同一个设备为第一终端。本申请具有安全性高的优点。

Description

一种终端匹配方法、装置 技术领域
本申请涉及通信领域,尤其涉及一种终端匹配方法及装置。
背景技术
无线局域网(英文:wireless local area network,WLAN)能够在一个有限的范围内为其中的终端提供无线数据传输服务。在基于IEEE802.11的WLAN,即无线保真(英文:wireless fidelity,WiFi),)中,通过网关等设备还能够使终端接入因特网(Internet)。由于WiFi具有的部署快速、使用便利和传输速率高等优势,因而已被广泛应用于各个行业,WiFi网络的接入点遍布于酒店、咖啡厅、学校和医院等场所。
WiFi基于介质访问控制(英文:media access control,MAC)地址进行寻址,在WiFi系统中可以包括如下二种设备,接入点(英文:access point,AP)和站(英文:station,STA),具体的:一个AP可以通过WiFi连接多个站或1个站,例如图1a所示的可穿戴设备场景,带有WiFi通讯模块的可穿戴设备,如手环、手表、眼镜、项链、饰品、鞋子等,可以连接至用户的智能终端,如手机、平板等,其中智能终端可以作为WiFi系统的一个AP,可穿戴设备作为WiFi系统的STA。
在WiFi系统中,STA与AP之间会通过WLAN空口进行消息交互,在WLAN空口上收发的消息的MAC消息头(MAC Header)中会携带接收方地址(Receiver Address,RA)和发送方地址(Transmitter Address,TA),RA和TA通常均为在较长的时间内固定不变的MAC地址。在信息交互中,如果出现窃听者,窃听者通过在空口上接收和分析消息报文,可以获取消息接收方的MAC地址以及消息发送方的MAC地址。窃听者通过追踪某一个终端(消息接收方或消息发送方)的MAC地址,可以获得该终端用户的隐私信息,如经常出现的地点、时间,通过大量数据分析可以获知该终端用户的生活习惯、兴趣爱好甚至社会关系等隐私信息,所以现有的WiFi系统的交互方式会导致用户信息泄露,降低了WiFi的安全性。
发明内容
本申请实施例所要解决的技术问题在于,提供一种终端匹配方法及装置,可解决现有技术中WiFi的安全性低的问题。
第一方面,提供一种终端匹配方法,所述方法包括如下步骤:
第二终端在第一时间点获取第一终端的接口地址,所述第一终端的接口地址为第一介质访问控制地址MAC1,所述第二终端的接口地址在所述第一时间点时为第二介质访问控制地址MAC2;在所述第一时间点之后的第二时间点,第二终端接收第一终端发送的第一消息,所述第一消息中包含的发送方地址,即第一终端的接口地址,为变更后的第三介质访问控制地址MAC3,所述第一消息包括:第一标识信息,所述第一标识信息为所述第一终端将MAC1、MAC2和秘密信息输入第一预设的不可逆计算方法计算得到的信息;所述秘密信息为第一终端与第二终端共享的信息;所述第二终端将所述第一标识信息与第二标识信息比对,如第一标识信息与第二标识信息一致,所述第二终端确定所述第一消息的所述MAC3与所述第二终端获取的所述MAC1是标识同一个设备,所述同一个设备为第一终端;所述第二标识信息为第二终端将所述MAC1、所述MAC2和所述秘密信息输入所述第一预设的不可逆计算方法计算得到的信息;所述第二终端向第一终端发送第一消息的响应消息,所述响应消息里携带第四介质访问控制地址MAC4,所述MAC4为所述第二终端变更后的接口地址。
第一方面提供的技术方案通过生成的第一标识信息来匹配第一终端设备,这样在第一终端设备的MAC地址变更后,对端设备如第二终端设备可以通过第一标识信息来识别变换后的MAC地址为第一终端的MAC地址,对于窃听者来说,即时其获取第一标识信息后,由于第一标识信息为不可逆算法计算得到的,所以窃听者无法通过第一标识信息获取秘密信息,所以对于窃听者来说,其只能获取一段时间的用户信息,无法获取完整的用户信息,无法对用户的隐私(例如位置信息)进行追踪,从而提高WIFI的安全性。
在一种可选方案中,所述方法还包括:所述第一消息的响应消息携带有第三标识信息,所述第三标识信息为第二终端将所述MAC1、所述MAC2和所述秘密信息输入第二预设的不可逆计算方法计算得到的信息。该方案通过第一消息的响应消息中的第三标识信息来告知第一终端第二终端为MAC2的对应设备。
在又一种可选方案中,所述方法还包括:所述第二终端接收第一终端发送的第二消息,所述第二消息包括所述第一终端确定所述MAC4为所述第二终端接口地址的确认指示;当所述第二消息包括所述确认指示时,所述第二终端向第一终端发送第二消息的响应消息。该方案提供了一种第二终端MAC地址变换通知的方案,实现了第二终端地址的变换。
在另一种可选方案中,第二终端检测所述MAC1是否与所述第二终端通信范围内的介质访问控制地址冲突,如第二终端检测所述MAC1冲突,向所述第一终端发送第三消息,所述第五消息携带介质访问控制地址冲突的指示。该方案实现了MAC地址冲突检测,避免了MAC地址的冲突。
在另一种可选方案中,如所述第一消息、所述第二消息、所述第三消息或所述第四消息为管理帧,将所述第一标识信息、所述第二标识信息、第三标识信息或第四标识信息携带在所述管理帧中负载部分的反追踪信息元素中,所述反追踪信息元素包括:元素标识和所述标识信息;或如所述第一消息、所述第二消息、所述第三消息或所述第四消息为管理帧或控制帧且所述管理帧或控制帧的子类型字段指示该帧为反追踪类型的帧,在所述管理帧或控制帧的负载部分携带所述第一标识信息、所述第二标识信息、第三标识信息或第四标识信息。该方案提供了标识信息在消息中的具体位置,支持了第一方面技术方案的实现。
在另一种可选方案中,如所述第一终端为源设备且所述第一消息为数据帧,所述数据帧的子类型字段指示该帧为反追踪数据帧,在所述数据帧的A3字段携带所述第一标识信息。该方案提供了标识信息在消息中的另一种具体位 置,支持了第一方面技术方案的实现。
在另一种可选方案中,如所述第二终端为目标设备且所述一消息的响应消息为数据帧,在所述数据帧的子类型字段设置成反追踪数据帧,在所述数据帧的A4字段携带所述第二标识信息。该方案提供了标识信息在消息中的又一种具体位置,支持了第一方面技术方案的实现。
第二方面,提供一种匹配装置,所述匹配装置配置与第二终端内,所述装置包括:获取单元,用于在第一时间点获取第一终端的接口地址,所述第一终端的接口地址为第一介质访问控制地址MAC1,所述第二终端的接口地址在所述第一时间点时为第二介质访问控制地址MAC2;收发单元,用于在第一时间点之后的第二时间点接收第一终端发送的第一消息,所述第一消息中包含的发送方地址,即第一终端的接口地址,为变更后的第三介质访问控制地址MAC3,所述第一消息包括:第一标识信息,所述第一标识信息为所述第一终端将MAC1、MAC2和秘密信息输入第一预设的不可逆计算方法计算得到的信息,所述秘密信息为第一终端与第二终端共享的信息;处理单元,用于将所述第一标识信息与第二标识信息比对,如第一标识信息与第二标识信息一致,所述第二终端确定所述第一消息的所述MAC3与所述第二终端获取的所述MAC1是标识同一个设备,所述同一个设备为第一终端;所述第二标识信息为所述处理单元将所述MAC1、所述MAC2和所述秘密信息输入所述第一预设的不可逆计算方法计算得到的信息;收发单元,还用于向第一终端发送第一消息的响应消息,所述响应消息里携带第四介质访问控制地址MAC4,所述MAC4为所述第二终端变更后的接口地址。
第二方面提供的技术方案通过生成的第一标识信息来匹配第一终端设备,这样在第一终端设备的MAC地址变更后,对端设备如第二终端设备可以通过第一标识信息来识别变换后的MAC地址为第一终端的MAC地址,对于窃听者来说,即时其获取第一标识信息后,由于第一标识信息为不可逆算法计算得到的,所 以窃听者无法通过第一标识信息获取秘密信息,所以对于窃听者来说,其只能获取一段时间的用户信息,无法获取完整的用户信息,无法对用户的隐私(例如位置信息)进行追踪,从而提高WIFI的安全性。
在第二方面的可选技术方案中,第二方面提供的收发单元和处理单元可以用于执行上述可选的技术方案。
第三方面,提供一种终端,所述终端为第二终端,包括:处理器、无线收发器、存储器和总线,所述处理器、无线收发器、存储器通过所述总线连接:所述处理器,用于在第一时间点获取第一终端的接口地址,所述第一终端的接口地址为第一介质访问控制地址MAC1,所述第二终端的接口地址在所述第一时间点时为第二介质访问控制地址MAC2;收发器,用于在第一时间点后的第二时间点接收第一终端发送的第一消息,所述第一消息中包含的发送方地址,即第一终端的接口地址,为变更后的第三介质访问控制地址MAC3,所述第一消息包括:第一标识信息,所述第一标识信息为所述第一终端将MAC1、MAC2和秘密信息输入第一预设的不可逆计算方法计算得到的信息,所述秘密信息为第一终端与第二终端共享的信息;所述处理器,用于将所述第一标识信息与第二标识信息比对,如第一标识信息与第二标识信息一致,所述第二终端确定所述第一消息的所述MAC3与所述第二终端获取的所述MAC1是标识同一个设备,所述同一个设备为第一终端;所述第二标识信息为所述处理器将所述MAC1、所述MAC2和所述秘密信息输入所述第一预设的不可逆计算方法计算得到的信息;收发器,还用于向第一终端发送第一消息的响应消息,所述响应消息里携带第四介质访问控制地址MAC4,所述MAC4为所述第二终端变更后的接口地址。
第三方面提供的技术方案通过生成的第一标识信息来匹配第一终端设备,这样在第一终端设备的MAC地址变更后,对端设备如第二终端设备可以通过第一标识信息来识别变换后的MAC地址为第一终端的MAC地址,对于窃听者来说,即使其获取第一标识信息后,由于第一标识信息为不可逆算法计算得到的,所 以窃听者无法通过第一标识信息获取秘密信息,所以对于窃听者来说,其只能获取一段时间的用户信息,无法获取完整的用户信息,无法对用户的隐私(例如位置信息)进行追踪,从而提高WIFI的安全性。
第四方面,提供终端匹配方法,所述方法包括如下步骤:第二终端在第一时间点获取第一终端的接口地址,所述第一终端的接口地址在所述第一时间点时为第一介质访问控制地址MAC1;在所述第一时间点之后的第二时间点,所述第二终端接收第一终端发送的第一消息,所述第一消息中包含的发送方地址,即第一终端的接口地址,为变更后的第三介质访问控制地址MAC3,所述第一消息包括:第一标识信息,所述第一标识信息为所述第一终端将MAC1、第二介质访问控制地址MAC2和秘密信息输入第一预设的不可逆计算方法计算得到的信息;所述秘密信息为第一终端与第二终端共享的信息,所述第二终端的接口地址在所述第一时间点以及第二时间点时为MAC2;所述第二终端将所述第一标识信息与第二标识信息比对,如果第一标识信息与第二标识信息一致,所述第二终端确定所述第一消息的所述MAC3与所述第二终端获取的所述MAC1是标识同一个设备,所述同一个设备为所述第一终端;所述第二标识信息为第二终端将所述MAC1、所述MAC2和所述秘密信息输入所述第一预设的不可逆计算方法计算得到的信息;所述第二终端向第一终端发送第一消息的响应消息,所述响应消息里携带所述MAC2。
第四方面提供的技术方案能够任意的改变MAC地址,无需依据对端发送的信息确认。
附图说明
为了更清楚地说明本申请实施例或现有技术中的技术方案,下面将对实施例中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,还可以根据这些附图获得其他的附图。
图1a为可穿戴设备场景示意图。
图1b是一种终端匹配方法的流程图。
图1c是现有技术提供的一种终端匹配方法的流程图。
图2是本申请提供的一种终端匹配方法示意图。
图3是本申请另一实施例提供的一种终端匹配方法的流程图。
图4是一种临时匹配方法的流程示意图。
图5为本申请又一实施例提供的一种终端匹配方法的流程图。
图6为本申请另一实施例提供的一种终端匹配方法的流程图。
图7-1为本申请提供的消息的格式示意图。
图7-2为本申请提供的消息的另一种格式示意图。
图7-3为本申请提供的消息的又一种格式示意图。
图8为本申请实施例提供的一种匹配装置的结构示意图。
图9为本申请实施例提供的一种终端的硬件示意图。
具体实施方式
下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例。
参阅图1b,图1b为现有技术提供的一种终端协商临时MAC地址的方法的流程图,如图1b所示的方法可以在如图1a所示的场景下实现,如图1a所示,手机11可以为AP,便携式穿戴设备均可以为STA,例如,智能眼镜12、智能手环13、智能跑鞋14、智能服装15等均可以为STA,该方法包括如下步骤:
步骤S101、STA确定需要进行MAC地址更换时,STA生成一个临时MAC地址。
步骤S102、STA将该临时MAC地址发送至AP。
步骤S103、AP检测其所在的基本服务集(英文:basic service set,BBS)该临时MAC地址是否唯一,如该临时MAC地址唯一,则向STA发送一个消息,该消息携带有确定该临时MAC地址的指示。
步骤S104、STA将该临时MAC地址作为当前使用的接口地址。
上述的如图1b所示的方法需要STA和AP使用专门的消息去进行临时MAC地址的约定。且STA变换MAC地址只能在自身所在的BSS内,而不能按照自己的规则自主变换MAC地址。
参阅图2,图2为本申请一实施例提供的一种终端匹配方法的流程图,本实施例实现的技术场景为,第一终端与第二终端可以通过无线方式连接,例如第一终端可以为一个基础设施网络的STA,第二终端可以为一个基础设施网络的AP。又如第一终端以及第二终端可以为WiFi P2P(peer-to-peer)设备。再如,第一终端和第二终端可以为基于WiFi NAN(Neighbor Awareness Network,临近感知网络)标准的设备。当然上述第一终端还可以为AP,第二终端还可以为STA;第一终端和第二终端均可以为STA或AP,本申请具体实施方式并不限制第一终端与第二终端的形式。
上述第一终端与第二终端建立了关联,例如:第一终端和第二终端交互完服务发现(英文:service discovery function,SDF)消息,通过SDF消息分别获知了对端的接口地址,在获知对端的接口地址后,认为第一终端和第二终端建立了关联。又如第一终端与第二终端之间至少完成了一次交互获得了对方的接口地址,在获知对端的接口地址后,认为第一终端和第二终端建立了关联。上述交互的方式包括但不限于:Association(关联)步骤或服务发现交互等方式。
本申请实施例中的接口地址是指第一终端与第二终端在无线通信交互时用于标识设备的地址,例如,MAC地址。本实施例的第一终端向第二终端发送的消息以单播为例来说明。上述方法如图2所示,包括如下步骤:
步骤S201、第一终端在第一时间点获取第二终端的接口地址,所述第二终端的接口地址在所述第一时间点时为MAC2,第一终端的接口地址在第一时间点时为MAC1,第二终端在第一时间点获取第一终端的接口地址MAC1;
上述步骤S201中获取第二终端的接口地址的方式可以采用多种方式,例如:当第一终端与第二终端为WiFi P2P设备时,第一终端可以通过至少一对探测请求(Probe request)和探测响应(Probe Response)消息获取第二终端的接口地址。又如当第一终端和第二终端为基于WiFi NAN标准的设备时,第一终端和第二终端交互完SDF消息后,双方分别获知了对端的接口地址。
步骤S202、第一终端在第一时间点后的第二时间点向第二终端发送第一消息,该第一消息中的TA(为第一终端的MAC地址)为变更后的MAC3,该第一消息中的RA(为第二终端的MAC地址)为MAC2,该第一消息可以包括:第一标识信息,该第一标识信息可以为将至少包括MAC1、MAC2和秘密信息的信息采用预设的不可逆计算方法计算得到。第二终端在所述第一时间点之后的第二时间点接收所述第一消息,可以理解为该第一消息的接收发生在第一时间点后的第二时间点,或稍微比第二时间点再晚一点(考虑到第一消息的传输时间)。
在一些情况下,通过对第二终端进行设定,可以使得第二终端的MAC地址由MAC2变成MAC4后,仍然能够接收目标地址(即RA)为MAC2的消息。例如,一种可能的实现方式为:在第二终端内部设置一个虚拟的MAC实体,并将该虚拟的MAC实体的MAC地址设置为MAC2,当该虚拟的MAC实体接收到第一消息后,将第一标识信息传至第二终端内部的匹配模块,如第二终端内部的multi-band SME(station management entity,站点管理实体),当匹配模块根据第一标识信息确认MAC3对应的终端即为MAC1对应的终端后,指示MAC地址为MAC4的MAC实体回复第一消息的响应消息,后续通过MAC4的MAC实体与第一终端交互。
另一种可能的实现方式为:如果第二终端为支持多频带运行(Multi-band operation)的设备,则可以将第二频段的MAC地址设置为MAC2,当该第二频段的MAC实体接收到第一消息后,将第一标识信息传至第二终端内部的匹配模块,如第二频段的SME,当匹配模块根据第一标识信息确认MAC3对应的终端即为MAC1对应的设备后,指示MAC地址为MAC4的第一频段的SME回复第二消息,后续通过MAC地址为MAC4的MAC实体与第一终端交互。
上述步骤S202中的不可逆计算方法可以由厂家自行设定,例如:哈希算法,如SHA-256、SHA-1或者结合了哈希算法的计算方法,如对输入信息进行哈希算法计算之后再进行截取若干位、添加若干位其他信息等处理。例如,一种可能的不可逆算法举例:
第一标识信息=LSB 48bit SHA-265(MAC1||MAC2||秘密信息)
上述第一标识信息的具体计算方式为:将MAC1,MAC2和秘密信息作为输入信息输入SHA-256算法计算后得到的结果取48bit的最低有效位作为第一标识信息,其中||表示合并。
上述步骤中第一终端发送第一消息的方式可以有多种,例如:通过多播发送第一消息,具体地,第一消息的接收地址为广播地址或者组播地址。当然还可以采用单播方式发送第一消息,具体地,当第一终端确定第二终端当前使用的MAC地址仍是MAC2,第一终端可以使用MAC2作为第一消息的接收地址。例如,当第一终端需要发送第一消息时,第一终端首先进行被动监听,如果第一终端能够监听到使用MAC2作为发送地址的消息时,第一终端判断第二终端当前仍使用MAC2,此时,第一终端将第一消息的接收地址设置为MAC2。
上述秘密信息可以为第一终端与第二终端共享的秘密信息,可以采用下述方式中的任意一种方式来获取,当然也可以采用其他的方式来获取该秘密信息,只需第一终端和第二终端能够得到同样的秘密信息即可。上述计算方式采用不可逆计算方法进行计算是为了避免上述秘密信息可以被反推出来,影响WIFI的安全性。
方式A、第一终端和第二终端进行4步握手(英文:4way-handshake),第一终端和第二终端都生成相同的成对临时密钥(pairwise transit key,PTK),将PTK作为后续生成加密密钥和完整性校验的种子密钥,那么可以由PTK得到上述秘密信息,例如对PTK进行截取或转换,或者再结合其他信息(例如固定明文)进行计算,从而衍生出秘密信息。例如:秘密信息=SHA-256(PTK后64位||“secret info”),其中||表示合并,“secret info”为固定明文。
方式B、第一终端和第二终端进行密钥建立过程,并由密钥建立过程生成的密钥加密交换的秘密信息,例如,第一终端和第二终端进行4way-handshake,双方都生成相同的PTK,使用PTK进一步生成TK(temporal key,临时密钥),当双方需要秘密传输信息时,可以由任何一方(第一终端或第二终端)生成秘密信息,并通过TK加密该秘密信息传输给对方,从而使双方共享秘密信息。
方式C、第一终端和第二终端间通过迪菲-赫尔曼(英文:Diffie Hellman, DH)密钥交换算法或者椭圆曲线迪菲-赫尔曼(英文:elliptic curve Diffie Hellman,ECDH)密钥交换算法得到共享的DH key或者ECDH key,在对DH Key或ECDH key截取或转换得到上述秘密信息,例如,截取DH key或ECDH key前128位作为上述秘密信息。
方式D、第一终端和第二终端通过可信第三方获得上述秘密信息。例如第一终端和第二终端获取一个配置设备的配置信息,在所述配置信息中包含第一终端和第二终端的秘密信息。具体地,当第一终端和第二终端为支持设备供应协议(英文:device provisioning protocol,DPP)的设备时,第一终端和第二终端的可信第三方为一个配置设备,在配置设备配置所述第一终端和第二终端时,配置设备可以分别在发送给第一终端的配置信息和发送给第二终端的配置信息中包含上述秘密信息或者用于生成上述秘密信息的信息。
步骤S203、第二终端接收该第一消息,提取该第一消息的第一标识信息,将第一标识信息与第二标识信息对比,如对比一致,确认发送第一消息的发送设备当前使用的接口地址MAC3与第二终端关联的对端设备的接口地址MAC1标识的是同一个设备,即第一终端。
上述第二标识信息为第二终端通过将MAC1、MAC2和秘密信息输入预设的不可逆计算方法计算得到。
可选的,上述步骤在S203之后,还可以包括如下步骤:
步骤S204、第二终端使用变更后的MAC4作为当前的MAC地址,向第一终端发送第二消息,所述第二消息为第一消息的响应消息,用于向所述第一终端指示所述第二终端为MAC2的对应设备。
现有技术中的MAC地址变换,如在专利US8009626B2中,所提供的方案如图1c(即为该专利的附图1)所示,STA 103从AP 101获得信息102(AP_info,具体如可以为AP的服务集标识(service set identifier,SSID)),STA 103结合该信息102和STA 103的永久地址PMA(一般为该移动设备的全球MAC地址)通过预设算法104(如哈希算法)生成一个临时MAC地址,STA 103使用该临时MAC地址与在该AP 101进行后续的通信(如,鉴权Authentication 过程),AP 101接收到STA 103发送的消息后,将AP 101之前已经获知的STA103的PMA与收到的STA 103的临时MAC地址进行匹配。该方案中,一个移动设备关联网络接入点后,从无线接入点获得信息,并结合该信息和移动设备的永久地址(一般为该移动设备的全球MAC地址)生成一个临时的标识信息,使用该临时的标识信息作为在该网络接入点的网络中通信的寻址标识。该方案中,只考虑了STA的MAC地址改变的情况,未考虑AP的MAC地址改变的情况,即,只考虑了只有其中一方的MAC地址发生改变的情况,如果当STA更新了MAC地址,而刚好AP的MAC地址也发生改变,则STA发送给AP的消息将无法被AP接收,进而导致STA与AP断开连接。本申请如图2所示的技术方案通过AP和STA每一次关联后,使用关联时的双方MAC地址(即MAC1和MAC2)和共享的密钥生成标识信息。首先,任一方设备的MAC地址均可以自主变换,STA无需依据AP发送的信息来确定新的MAC地址,MAC地址可以任意变换;其次,在任一方设备的MAC地址变换后,如果要与对端设备重新匹配,则该设备生成用于匹配对端的标识信息,使得对方接收后,根据其中的标识信息去识别发送方即是之前关联的对端设备,并回复响应消息给发送方设备,收到响应消息的发送方设备则可以判断发送响应消息的设备即为之前关联的对端设备,从而实现匹配。
当然上述向所述第一终端指示可以为隐式的指示,例如,当第一终端接收到一个第一消息的响应消息时,则判断该响应消息的发送设备第二终端为对应MAC2的设备,上述向所述第一终端指示也可以为显式的指示,例如,上述向所述第一终端指示所述第二终端为MAC2的对应设备可以通过一个指示位的值来指示,当然在实际应用中,也可以采用其他方式来指示,例如用多个连续字段的特殊字符来指示。
可选的,上述步骤S204还可以用下述步骤来替换;
步骤S204-1、第二终端向第一终端发送第二消息,所述第二消息为第一消息的响应消息(ACK),该ACK的TA(第二终端的接口地址)为MAC2,该ACK用于向所述第一终端指示所述第二终端为MAC2的对应设备。
此步骤S204-1中第二终端未变更接口地址,此方案能够实现对第一终端接口地址从MAC1变更到MAC3。
可选的,上述步骤S204还可以用下述步骤来替换;
步骤S204-2、第二终端向第一终端发送第二消息,所述第二消息携带第三标识,该第三标识可由第二终端在接收第一消息并匹配成功后临时生成,也可提前生成。第三标识信息也至少基于MAC1、MAC2、秘密信息采用另一不可逆算法生成,当然还可以使用与生成第一标识信息时不同的生成公式或者在相同的公式中输入不同的参数,例如,使用一段特别的明文信息到标识信息生成公式中,例如:第三标识信息=LSB 48bit H265(MAC1||MAC2||TK||“match found”)。其中,match found可以为特别的明文信息。上述明文信息表示该信息为第一终端和第二终端可以获取的信息。
当第一终端接收上述第二消息后,第一终端确认第三标识信息与本地存储的标识信息匹配,则确认所述MAC4和MAC2均为第二终端的接口地址,即第二消息的发送设备即为第二终端。上述本地存储的标识信息的计算方式可以参见第三标识信息的计算方式。
本申请一实施例提供的技术方案实现了第一终端的MAC地址的变化,由于该技术方案第一终端可以随时变换当前使用的接口地址,这样即使窃听者通过在空口接收消息能够得到MAC地址,但是由于窃听者无法获知该秘密信息,所以窃听者也仅仅只能获取一个时段的MAC地址对应的用户信息,这样窃听者就无法获取完整的用户信息,无法对用户的隐私(例如位置信息)进行追踪,从而提高WIFI的安全性。
可选的,上述方法在步骤S203之前还可以包括:
第二终端提取该第一消息的接口地址MAC3,当该MAC3与第二终端所在传输范围的接口地址冲突时,第二终端向第一终端发送第三消息,该第三消息携带有MAC地址冲突的指示,如第三消息携带的指示为MAC地址冲突,第一终端将当前使用的接口地址从MAC3更换成另一MAC。
上述MAC地址冲突的指示可以为一个指示值,该指示值可以为冲突或不冲突,其可以通过1个bit来表示,当然在实际应用中,上述MAC地址冲突的指示还可以通过Status Code字段来表述。
此技术方案能够避免因为MAC地址冲突导致的通信失败。
可选的,上述方法在步骤S201之后还可以包括:
第一终端采用秘钥材料加密向第二终端发送的消息。上述秘钥材料可以采用上述方式A的PTK,当然在实际应用中,还可以用类似PTK的秘钥材料来替代。
此技术方案能够减少第一终端与第二终端之间的交互步骤,对于第一终端和第二终端来说,如果不采用上述的PTK,那么第一终端与第二终端需要重新进行4握手步骤得到新的PTK,然后采用新的PTK加密向第二终端发送的消息,采用上述方式A的PTK则无需再次进行4握手步骤,从而减少了第一终端与第二终端之间信息交互次数。
参阅图3,图3为本申请另一实施例提供的一种终端匹配方法的流程图,本实施例实现的技术场景为,第一终端与第二终端可以通过无线方式连接,第一终端可以为一个基础设施网络的STA,第二终端可以为一个基础设施网络的AP,或者第一终端和第二终端为WiFi P2P(peer-to-peer)设备。该无线方式包括但不限于:WiFi、蓝牙(英文:blue tooth,BT)或Zigbee等。本实施例的第一终端向第二终端发送的消息以组播消息为例来说明,为了描述的方便,这里将第一终端的一个接口地址标识为MAC1,将组播内的第二终端的一个接口地址标识为MAC2。上述方法如图3所示,包括如下步骤:
步骤S301、第一终端在第一时间点获取第二终端的接口地址即MAC2,第一终端的接口地址在第一时间点时为MAC1,第二终端在第一时间点获取第一终端的接口地址即MAC1;
步骤S302、第一终端在第一时间点后的第二时间点发送第一组播消息,该第一组播消息中的TA(第一终端的MAC地址)为MAC3,第一组播消息可以包括第一标识信息;
步骤S303、第二终端接收该第一组播消息,提取该第一组播消息的第一标识信息,将第一标识信息与第二标识信息对比,如对比一致,确认发送第一消息的发送设备当前使用的接口地址MAC3与第二终端关联的对端设备的MAC1是标识同一个设备,即第一终端。
步骤S304、第二终端向第一终端发送第二消息,所述第二消息的TA(第二终端的接口地址)为MAC4,所述第二消息的RA(第一终端的接口地址)为MAC3,所述第二消息携带第三标识信息。该第三标识信息可以为通过将MAC1、MAC2 和秘密信息输入另一个预设的不可逆计算方法计算得到的标识信息。
上述第三标识信息=LSB 48bit H265(MAC1||MAC2||TK||“match found”),当然还可以采用其他的不可逆计算方式来计算该第三标识信息。
步骤S305、第一终端接收第二消息,提取该第二消息的第三标识信息,将第三标识信息与第四标识信息对比,如对比一致,确认发送第二消息的发送设备当前使用的接口地址MAC4与第一终端关联的对端设备的MAC2是标识同一个设备,即第二终端。
上述第四标识可以为通过将MAC1、MAC2和秘密信息输入另一个预设的不可逆计算方法计算得到的标识信息。具体计算方法可以参见第三标识信息的计算方法。
可选的,上述方法还可以包括:第一终端将当前双方使用的接口地址MAC3、MAC4和秘密信息输入到该预设的不可逆算法中得到第五标识,当第一终端再次变换MAC地址时,将该第五标识信息作为再次变换后的标识信息。
可选的,上述方法在上述步骤S306之前之后还可以包括:
第一终端向第二终端发送第四消息,该第四消息可以包括上述第二终端的当前使用的接口地址为MAC4的确认指示,该确认指示值可以为,确认或不确认,其具体可以通过1个bit位来表示,例如以1表示确认,以0表示不确认,第二终端接收第四消息,提取该第四消息中的指示值为确认时,向第一终端发送第四消息的响应消息。
此技术方案能够解决休眠引起的第一终端与第二终端无法通信的问题。具体的,第一终端在接收到第二消息后,会向第二终端发送一个ack消息,如果该ack消息未被第二终端接收到且第一终端休眠了,那么第一终端在休眠前由于已经生成了第二标识信息,那么第一终端在醒来后,如果MAC出现更换,会将第二标识信息携带在消息中,而第二终端由于未接收到该ack消息,还是使用第二标识信息,这样导致标识信息的不匹配,从而无法通信。
参阅图4,图4为本申请一个实施例提供的一种终端匹配方法的流程图,本实施例实现的技术场景为,第一终端与第二终端可以通过无线方式连接,第一终端可以为一个基础设施网络的STA,第二终端可以为一个基础设施网络的AP,该方法如图4所示,包括如下步骤:
步骤S401、第一终端在第一时间点获取第二终端的接口地址,所述第二终端的接口地址在所述第一时间点时为MAC2,第一终端的接口地址在第一时间点时为MAC1,第二终端在第一时间点获取第一终端的接口地址MAC1.
步骤S402、第一终端在第一时间点后的第二时间点向第二终端发送第一消息,该第一消息中的TA(为第一终端的MAC地址)为变更后的MAC3,该第一消息中的RA(为第二终端的MAC地址)为MAC2,该第一消息可以包括:第一标识信息,该第一标识信息可以为将至少包括MAC1、MAC2和秘密信息的信息采用预设的不可逆计算方法计算得到。
上述预设的不可逆计算方法可以参见如步骤S202中的描述,这里不再赘述。
步骤S403、第二终端接收该第一消息,提取该第一消息的第一标识信息,将第一标识信息与第二标识信息对比,如对比一致,确认发送第一消息的发送设备当前使用的接口地址MAC3与第二终端关联的对端设备的接口地址MAC1标识的是同一个设备,即第一终端。
步骤S404、第二终端发送第一消息的响应消息,所述第一消息的响应消息的RA(为第一终端的MAC地址)为变更后的MAC3,该第一消息中的TA(为第二终端的MAC地址)为MAC2。
相对于现有技术,第一终端的地址变换可以是任意变换,其无需依据对端发送的信息来确定新的MAC地址,MAC地址可以任意变换。
参阅图5,图5为本申请又一实施例提供的终端匹配方法的流程图,本实施例实现的技术场景为,第一终端与第二终端可以通过无线方式连接,第一终端可以为一个基础设施网络的STA,第二终端可以为一个基础设施网络的AP。该无线方式包括但不限于:WIFI、蓝牙(英文:blue tooth,BT)或Zigbee等。本实施例的第一终端向第二终端发送的消息以组播为例来说明,为了描述的方便,这里将第一终端的接口地址标识为MAC1,将组播内的第二终端的接口地址标识为MAC2。上述方法如图5所示,包括如下步骤:
S501、第一终端启动;
S502:第一终端与第二终端建立关联,
上述步骤S502的实现方法具体为:当第一终端接收到第二终端发送的消 息,该消息中指示该第二终端STA支持反追踪(英文:Anti-tracking),则第一终端可以判断第二终端支持Anti-tracking,在后续的过程中,第一终端可以与该第二终端建立关联后启动本实施例的方案。第二终端支持防追踪也可以为第二终端的缺省设置,不需要明确指示。
S503,第一终端建立与第二终端共享的第一秘密信息。
上述步骤S503中的第一秘密信息具体可以参见如图2所示实施例的描述。
S504:第一终端生成标识信息,即第一标识信息;
上述步骤S504的实现方法具体可以为:第一终端利用不可逆算法至少根据第二终端的当前的MAC地址(即MAC2)、自身当前的MAC地址(即MAC1)及第一秘密信息生成标识信息。该标识信息在后续第一终端发送第一消息时携带,该标识信息可以用于接收所述第一消息的对端即第二终端基于该标识信息对第一终端进行身份匹配。当第一终端关联有多个对端设备即多个终端(例如第三终端、第四终端)时,其维持包含与该多个终端对应的标识信息的列表,并且第一终端在发送第一消息时保留一个包括以下参数(例如:第二终端的MAC地址或第一终端当前的MAC地址)与标识信息的映射关系的检索元素信息列表。需要说明的是,标识信息可以在第一终端需要发送第一消息时生成,也可以在第一终端与第二终端中的至少一方改变MAC地址前生成。
S505、第一终端发送广播或单播的第一消息,该第一消息携带所述第一标识信息,其中第一消息的发送地址为第一终端变换后的MAC地址,即MAC3。
上述第一终端单播第一消息的实现方法可以参见上述步骤S202中的方法,这里不再赘述。
S506、第一终端接收到第一消息的响应消息且响应消息的发送地址为MAC4。
执行S506后,可以执行步骤S507,进一步可选的,还可执行步骤S508。
S507、第一终端将所述响应消息的发送地址MAC4地址映射至MAC2地址,即确定MAC4与MAC2标识同一个设备即第二终端。
S508、确定当前关联的双方(第一终端和第二终端)使用的MAC地址相比双方上一次使用的MAC地址有改变(如,MAC1或者MAC2中的至少一个已经改变,本实施例中两者都已经改变),弃用原来的标识信息即第一标识信息,并 使用当前关联时双方使用的MAC地址(如,此时分别为MAC3和MAC4)重新生成新的匹配标识信息即第二标识信息。
上述当前关联是相较于上一次关联而言的,具体可以理解为:当第一终端确认收到第一消息的响应消息且该响应消息的发送地址为MAC4时,第一终端确定MAC4对应的设备是上次关联过的MAC2对应的第二终端,从而第一终端可以直接复用上次与第二终端关联时获得的信息(上述步骤S502中交互的连接信息,如安全密钥、序列计数器、数据包数值计数器、关联信息、健壮安全网络关联(英文:robust security network association,RSNA)等),然后就能利用这些信息与第二终端继续通信,可以理解为双方再次实现了关联,即,当前关联。
可选的,第二终端可以在接收到第一终端发送的响应消息(例如一个新的消息第二消息,也可以为第一消息响应消息的响应消息)后丢弃原来的标识信息,并使用当前关联时双方使用的MAC地址重新生成新的匹配标识信息。
上述第二标识信息可以根据第一终端当前的MAC地址,第二终端当前的MAC地址以及第一秘密信息采用预设的不可逆算法生成,以第一终端的MAC地址从之前的MAC1变化成当前的MAC3,第二终端的地址之前为MAC2且当前未变的场景为例,此时的第二标识信息可以根据MAC3、MAC2以及第一秘密信息采用预设的不可逆算法生成。该技术方案可以在双方任何一方的MAC地址有变,就根据当前的MAC地址更新标识信息,保证了标识信息的新鲜性。本申请又一实施例提供的技术方案实现了第一终端的MAC地址的变化,由于该技术方案第一终端可以随时变换当前使用的接口地址,这样即使窃听者通过在空口接收消息获得MAC地址,但是由于窃听者无法获知秘密信息,所以窃听者也仅仅只能获取一个时段的MAC地址对应的用户信息,这样窃听者就无法获取完整的用户信息,无法对用户的隐私(例如位置信息)进行追踪,从而提高WIFI的安全性。
参阅图6,图6本申请又一实施例提供的终端匹配方法的流程图,本实施例实现的技术场景为,第一终端与第二终端可以通过无线方式连接,第一终端可以为一个基础设施网络的STA,第二终端可以为一个基础设施网络的AP,上述第二终端的对端设备也可以为多个,第二终端维持包含与该多个对端设备对应的标识信息的列表。上述方法如图6所示,包括如下步骤:
步骤S601、第二终端启动;
步骤S602:第二终端与反追踪STA建立关联,
步骤S603,第二终端建立与STA共享的第一秘密信息。
步骤S604:第二终端生成第一标识信息;将所述第一标识信息添加至所述第二终端上所记录的标识信息列表(list)中。
上述第二终端生成标识信息可以通过将MAC1、MAC2和第一秘密信息输入预设的不可逆计算方法计算得到。上述不可逆计算方法可以由厂家自行设定,例如:哈希算法,如SHA-256、SHA-1或者结合了哈希算法的计算方法,如对输入信息进行哈希算法计算之后再进行截取若干位、添加若干位其他信息等处理。例如,一种可能的不可逆算法举例:第一标识信息=LSB 48bit SHA-265(MAC1||MAC2||第一秘密信息),即对MAC1,MAC2和第一秘密信息输入SHA-256算法计算后的结果取48bit的最低有效位作为第一标识信息,其中||表示合并。
步骤S605、第二终端接收携带有第二标识信息的广播或单播消息。
步骤S606、第二终端判断第二标识信息是否与标识信息list中的某个匹配标识信息相同。
步骤S607、如第二标识信息与list中的第一标识信息相同,提取生成第一标识信息时使用的对端STA的MAC地址(即MAC1),将该广播或单播消息的发送地址(即MAC3)映射至MAC1,确认MAC3和MAC1标识同一个对端设备。
步骤S608、第二终端向STA发送广播或单播消息的响应消息,使用当前的MAC地址(即MAC4)作为响应消息发送地址。
步骤S609、确定当前关联的双方使用的MAC地址相比双方上一次使用的MAC地址有改变后,弃用原来的标识信息即第一标识信息,并使用当前关联时双方使用的MAC地址(如此时分别为MAC3、MAC4)以及第一秘密信息重新生成新的标识信息即第三标识信息,将第三标识信息加入到list中。
第二终端确定当前关联的双方使用的MAC地址相比上一次关联双方使用的MAC地址有改变可以理解为:以图2为例,在步骤S204后,第二终端收到第一终端发送的对所述第一消息响应消息的确认ACK消息(或,以图3为例,终端收到第一终端发送的对所述第二消息的确认消息)后,则第二终端可以确 定当前关联的双方的MAC地址为MAC3和MAC4,相比上一次双方关联时双方使用的MAC地址都发生了改变。
上述当前关联的条件可以参见上述步骤S508中的描述,这里不在赘述。
上述实施例提供的技术方案在具有多个STA与AP连接时,AP建立标识信息列表,并可以根据AP或STA的当前MAC地址是否发生变化对标识信息列表中的标识信息进行更新,所以其支持了多个STA的信息交互的安全性,提高了WIFI的安全性。
本申请实施例中的标识信息可以携带在消息中的下述字段中,
当消息为管理帧时,上述标识信息(包括第一标识信息、第二标识信息、第三标识信息、第四标识信息或第五标识信息)携带在管理帧的负载部分定义的一种信息元素(IE)内,例如,如图7-1所示,定义一个反追踪信息元素Anti-tracking IE,该反追踪信息元素包含元素标识(Element ID)和标识信息。该管理帧例如探测请求(Probe Request)或探测响应(Probe Response)。
当消息为管理消息或控制消息时,如图7-2所示,图7-2以管理帧为例。该管理帧也可以用控制帧替换。在管理帧的子类型Subtype域指示该帧为反追踪(Anti-tracking)的管理帧,在该管理帧的负载部分包含上述的标识信息。或者利用公共动作帧(Public Action frame)定义一个Anti-tracking public action frame,在其负载部分包含上述的标识信息。
当消息为数据帧时,如图7-3所示。例如在数据帧的Subtype field指示该数据帧为一个反追踪数据帧,在该数据帧的A3(address 3)位置或A4(address 4)设置为标识信息或包含标识信息的6字节信息。需要说明的是,将标识信息携带在A3仅适用于第一终端为该数据帧的源设备(source device)的情况,因为依据数据帧的定义,对于A1、A2字段别表示数据帧的源MAC和目的MAC,如果第一终端不是该数据帧的源设备,那么A3有具体的含义,如果修改,将影响数据帧的发送,同理,标识信息携带在A4仅仅适用于第二终端为该数据帧的目标设备(destination device)的情况,因为如果第二终端为非目标设备,在A4位置携带标识信息将影响数据帧的发送。
参阅图8,图8为本申请提供该一种匹配装置800,所述匹配装置800配置与第二终端内,匹配装置800可以用于执行如图2、图3中第二终端的操作。 所述装置包括:
获取单元801,用于在第一时间点获取第一终端的接口地址,所述第一终端的接口地址为第一介质访问控制地址MAC1,所述第二终端的接口地址在所述第一时间点时为第二介质访问控制地址MAC2;
收发单元802,用于在第一时间点之后的第二时间点接收第一终端发送的第一消息,所述第一消息中包含的发送方地址,即第一终端的接口地址,为变更后的第三介质访问控制地址MAC3,所述第一消息包括:第一标识信息,所述第一标识信息为所述第一终端将MAC1、MAC2和秘密信息输入第一预设的不可逆计算方法计算得到的信息;所述秘密信息为第一终端与第二终端共享的信息;
处理单元803,用于将所述第一标识信息与第二标识信息比对,如果第一标识信息与第二标识信息一致,所述第二终端确定所述第一消息的所述MAC3与所述第二终端获取的所述MAC1是标识同一个设备,所述同一个设备为第一终端;
所述第二标识信息为所述处理单元将所述MAC1、所述MAC2和所述秘密信息输入所述第一预设的不可逆计算方法计算得到的信息;
收发单元802,还用于向第一终端发送第一消息的响应消息,所述响应消息里携带第四介质访问控制地址MAC4,所述MAC4为所述第二终端变更后的接口地址。
本申请提供的匹配装置的技术效果以及细化的技术方案可以参见如图2或图3所示实施例中的描述,上述处理单元以及收发单元可以用于执行如图2或图3所示的细化方案,这里不在赘述。
参阅图9,图9为一种终端,所述终端为第二终端,包括:处理器901、无线收发器902、存储器903和总线904,收发器902用于与外部设备之间收发数据。处理器901的数量可以是一个或多个。本申请的一些实施例中,处理器901、存储器902和收发器903可通过总线904或其他方式连接。终端90可以用于执行图2或图3中第二终端的步骤。关于本实施例涉及的术语的含义以及举例,可以参考图2或图3对应的实施例。此处不再赘述。
其中,存储器903中存储程序代码。处理器901用于调用存储器903中存储的程序代码,用于执行以下操作:
处理器901,用于在第一时间点获取第一终端的接口地址,所述第一终端的接口地址为第一介质访问控制地址MAC1,所述第二终端的接口地址为第二介质访问控制地址MAC2;
收发器902,用于在第一时间点之后的第二时间点接收第一终端发送的第一消息,所述第一消息中包含的发送方地址,即第一终端的接口地址,为变更后的第三介质访问控制地址MAC3,所述第一消息包括:第一标识信息,所述第一标识信息为所述第一终端将MAC1、MAC2和秘密信息输入第一预设的不可逆计算方法计算得到的信息,所述秘密信息为第一终端与第二终端共享的信息;
处理器901,用于将所述第一标识信息与第二标识信息比对,如果第一标识信息与第二标识信息一致,所述第二终端确定所述第一消息的所述MAC3与所述第二终端获取的所述MAC1是标识同一个设备,所述同一个设备为第一终端;
所述第二标识信息为处理器901将所述MAC1、所述MAC2和所述秘密信息输入所述第一预设的不可逆计算方法计算得到的信息。
收发器902,还用于向第一终端发送第一消息的响应消息,所述响应消息里携带第三介质访问控制地址MAC4,所述MAC4为所述第二终端变更后的接口地址。
需要说明的是,这里的处理器901可以是一个处理元件,也可以是多个处理元件的统称。例如,该处理元件可以是中央处理器(Central Processing Unit,CPU),也可以是特定集成电路(Application Specific Integrated Circuit,ASIC),或者是被配置成实施本申请实施例的一个或多个集成电路,例如:一个或多个微处理器(digital singnal processor,DSP),或,一个或者多个现场可编程门阵列(Field Programmable Gate Array,FPGA)。
存储器903可以是一个存储装置,也可以是多个存储元件的统称,且用于存储可执行程序代码或应用程序运行装置运行所需要参数、数据等。且存储器903可以包括随机存储器(RAM),也可以包括非易失性存储器(non-volatile  memory),例如磁盘存储器,闪存(Flash)等。
总线904可以是工业标准体系结构(Industry Standard Architecture,ISA)总线、外部设备互连(Peripheral Component,PCI)总线或扩展工业标准体系结构(Extended Industry Standard Architecture,EISA)总线等。该总线可以分为地址总线、数据总线、控制总线等。为便于表示,图9中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。
该终端还可以包括输入输出装置,连接于总线904,以通过总线与处理器901等其它部分连接。该输入输出装置可以为操作人员提供一输入界面,以便操作人员通过该输入界面选择布控项,还可以是其它接口,可通过该接口外接其它设备。
本领域普通技术人员可以理解实现上述实施例方法中的全部或部分流程,是可以通过计算机程序来指令相关的硬件来完成,所述的程序可存储于一计算机可读取存储介质中,该程序在执行时,可包括如上述各方法的实施例的流程。其中,所述的存储介质可为磁碟、光盘、只读存储记忆体(Read-Only Memory,ROM)或随机存储记忆体(Random Access Memory,RAM)等。
以上所揭露的仅为本申请一种较佳实施例而已,当然不能以此来限定本申请之权利范围,本领域普通技术人员可以理解实现上述实施例的全部或部分流程,并依本申请权利要求所作的等同变化,仍属于申请所涵盖的范围。

Claims (22)

  1. 一种终端匹配方法,其特征在于,所述方法包括如下步骤:
    第二终端在第一时间点获取第一终端的接口地址,所述第一终端的接口地址在所述第一时间点时为第一介质访问控制地址MAC1,所述第二终端的接口地址在所述第一时间点时为第二介质访问控制地址MAC2;
    在所述第一时间点之后的第二时间点,所述第二终端接收第一终端发送的第一消息,所述第一消息中包含的发送方地址,即第一终端的接口地址,为变更后的第三介质访问控制地址MAC3,所述第一消息包括:第一标识信息,所述第一标识信息为所述第一终端将MAC1、MAC2和秘密信息输入第一预设的不可逆计算方法计算得到的信息;所述秘密信息为第一终端与第二终端共享的信息;
    所述第二终端将所述第一标识信息与第二标识信息比对,如果第一标识信息与第二标识信息一致,所述第二终端确定所述第一消息的所述MAC3与所述第二终端获取的所述MAC1是标识同一个设备,所述同一个设备为所述第一终端;
    所述第二标识信息为第二终端将所述MAC1、所述MAC2和所述秘密信息输入所述第一预设的不可逆计算方法计算得到的信息;
    所述第二终端向第一终端发送第一消息的响应消息,所述响应消息里携带第四介质访问控制地址MAC4,所述MAC4为所述第二终端变更后的接口地址。
  2. 根据权利要求1所述的方法,其特征在于,所述方法还包括:
    所述第一消息的响应消息携带有第三标识信息,所述第三标识信息为第二终端将所述MAC1、所述MAC2和所述秘密信息输入第二预设的不可逆计算方法计算得到的信息。
  3. 根据权利要求1所述的方法,其特征在于,在所述第二终端向第一终端发送第一消息的响应消息后,所述方法还包括:
    所述第二终端接收第一终端发送的第二消息,所述第二消息包括所述第一 终端确定所述MAC4为所述第二终端的接口地址的确认指示;
    当所述第二消息包括所述确认指示时,所述第二终端向所述第一终端发送所述第二消息的响应消息。
  4. 根据权利要求1所述的方法,其特征在于,在所述第二终端在第一时间点获取第一终端的接口地址之后,所述方法还包括:
    第二终端检测所述MAC1是否与所述第二终端通信范围内的介质访问控制地址冲突,如第二终端检测所述MAC1冲突,向所述第一终端发送第三消息,所述第三消息携带MAC地址冲突的指示。
  5. 根据权利要求1-4任一项所述的方法,其特征在于,
    所述第一消息、所述第二消息、所述第三消息或所述第四消息为管理帧,将所述第一标识信息、所述第二标识信息、第三标识信息或第四标识信息携带在所述管理帧中负载部分的反追踪信息元素中,所述反追踪信息元素包括:元素标识和所述标识信息;或,
    所述第一消息、所述第二消息、所述第三消息或所述第四消息为管理帧或控制帧且所述管理帧或控制帧的子类型字段指示该帧为反追踪类型的帧,在所述管理帧或控制帧的负载部分携带所述第一标识信息、所述第二标识信息、第三标识信息或第四标识信息。
  6. 根据权利要求1-4任一项所述的方法,其特征在于,
    如所述第一终端为源设备且所述第一消息为数据帧,所述数据帧的子类型字段指示该帧为反追踪数据帧,在所述数据帧的A3字段携带所述第一标识信息。
  7. 根据权利要求1所述的方法,其特征在于,
    如所述第二终端为目标设备且所述第一消息的响应消息为数据帧,在所述数据帧的子类型字段设置成反追踪数据帧,在所述数据帧的A4字段携带所述第二标识信息。
  8. 一种匹配装置,其特征在于,所述匹配装置配置于第二终端内,所述装置包括:
    获取单元,用于在第一时间点获取第一终端的接口地址,所述第一终端的接口地址为第一介质访问控制地址MAC1,所述第二终端的接口地址在所述第一时间点时为第二介质访问控制地址MAC2;
    收发单元,用于在所述第一时间点之后的第二时间点接收第一终端发送的第一消息,所述第一消息中包含的发送方地址,即第一终端的接口地址,为变更后的第三介质访问控制地址MAC3,所述第一消息包括:第一标识信息,所述第一标识信息为所述第一终端将MAC1、MAC2和秘密信息输入第一预设的不可逆计算方法计算得到的信息,所述秘密信息为第一终端与第二终端共享的信息;
    处理单元,用于将所述第一标识信息与第二标识信息比对,如果第一标识信息与第二标识信息一致,所述第二终端确定所述第一消息的所述MAC3与所述第二终端获取的所述MAC1是标识同一个设备,所述同一个设备为所述第一终端;
    所述第二标识信息为所述处理单元将所述MAC1、所述MAC2和所述秘密信息输入所述第一预设的不可逆计算方法计算得到的信息;
    收发单元,还用于向第一终端发送第一消息的响应消息,所述响应消息里携带第四介质访问控制地址MAC4,所述MAC4为所述第二终端变更后的接口地址。
  9. 根据权利要求8所述的装置,其特征在于,
    所述第一消息的响应消息携带有第三标识信息,所述第三标识信息为第二终端将所述MAC1、所述MAC2和所述秘密信息输入第二预设的不可逆计算方法计算得到的信息。
  10. 根据权利要求8所述的装置,其特征在于,
    所述收发单元,还用于在向第一终端发送第一消息的响应消息后,接收第一终端发送的第二消息,所述第二消息包括所述第一终端确定所述MAC4为所述第二终端的接口地址的确认指示,当所述第二消息包括所述确认指示时,向第一终端发送第二消息的响应消息。
  11. 根据权利要求8所述的装置,其特征在于,
    所述处理单元,还用于所述MAC1是否与所述第二终端通信范围内的介质访问控制地址冲突;
    所述收发单元,还用于如检测所述MAC1冲突,向所述第一终端发送第三消息,所述第三消息携带介质访问控制地址冲突的指示。
  12. 根据权利要求8-11任一项所述的装置,其特征在于,
    所述处理单元,还用于如所述第一消息、所述第二消息、所述第三消息或所述第四消息为管理帧,将所述第一标识信息、所述第二标识信息、第三标识信息或第四标识信息携带在所述管理帧中负载部分的反追踪信息元素中,所述反追踪信息元素包括:元素标识和所述标识信息;
    或所述处理单元,还用于如所述第一消息、所述第二消息、所述第三消息或所述第四消息为管理帧或控制帧且所述管理帧或控制帧的子类型字段指示该帧为反追踪类型的帧,在所述管理帧或控制帧的负载部分携带所述第一标识信息、所述第二标识信息、第三标识信息或第四标识信息。
  13. 根据权利要求8-11任一项所述的装置,其特征在于,
    所述处理单元,还用于如所述第一终端为源设备且所述第一消息为数据帧,所述数据帧的子类型字段指示该帧为反追踪数据帧,在所述数据帧的A3字段携带所述第一标识信息。
  14. 根据权利要求8所述的装置,其特征在于,
    所述处理单元,还用于如所述第二终端为目标设备且所述第一消息的响应消息为数据帧,在所述数据帧的子类型字段设置成反追踪数据帧,在所述数据 帧的A4字段携带所述第二标识信息。
  15. 一种终端,其特征在于,所述终端为第二终端,包括:处理器、无线收发器、存储器和总线,所述处理器、无线收发器、存储器通过所述总线连接:
    所述处理器,用于在第一时间点获取第一终端的接口地址,所述第一终端的接口地址为第一介质访问控制地址MAC1,所述第二终端的接口地址在所述第一时间点时为第二介质访问控制地址MAC2;
    收发器,用于在所述第一时间点之后的第二时间点接收第一终端发送的第一消息,所述第一消息中包含的发送方地址,即第一终端的接口地址,为变更后的第三介质访问控制地址MAC3,所述第一消息包括:第一标识信息,所述第一标识信息为所述第一终端将MAC1、MAC2和秘密信息输入第一预设的不可逆计算方法计算得到的信息,所述秘密信息为第一终端与第二终端共享的信息;
    所述处理器,用于将所述第一标识信息与第二标识信息比对,如果第一标识信息与第二标识信息一致,所述第二终端确定所述第一消息的所述MAC3与所述第二终端获取的所述MAC1是标识同一个设备,所述同一个设备为所述第一终端;
    所述第二标识信息为所述处理器将所述MAC1、所述MAC2和所述秘密信息输入所述第一预设的不可逆计算方法计算得到的信息;
    收发器,还用于向第一终端发送第一消息的响应消息,所述响应消息里携带第四介质访问控制地址MAC4,所述MAC4为所述第二终端变更后的接口地址。
  16. 根据权利要求15所述的终端,其特征在于,
    所述第一消息的响应消息携带有第三标识信息,所述第三标识信息为第二终端将所述MAC1、所述MAC2和所述秘密信息输入第二预设的不可逆计算方法计算得到的信息。
  17. 根据权利要求15所述的终端,其特征在于,
    所述第二消息的发送地址为:第四介质访问控制地址MAC4;
    所述收发器,还用于接收第一终端发送的第二消息,所述第二消息包括所述第一终端确定所述MAC4为所述第二终端的接口地址的确认指示,如所述第二消息包括所述确认指示时,向第一终端发送第二消息的响应消息。
  18. 根据权利要求15所述的终端,其特征在于,
    所述处理器,还用于所述MAC1是否与所述第二终端通信范围内的介质访问控制地址冲突;
    所述收发器,还用于如检测所述MAC1冲突,向所述第一终端发送第三消息,所述第三消息携带介质访问控制地址冲突的指示。
  19. 根据权利要求15-18任一项所述的终端,其特征在于,
    所述处理器,还用于如所述第一消息、所述第二消息、所述第三消息或所述第四消息为管理帧,将所述第一标识信息、所述第二标识信息、第三标识信息或第四标识信息携带在所述管理帧中负载部分的反追踪信息元素中,所述反追踪信息元素包括:元素标识和所述标识信息;
    或所述处理器,还用于如所述第一消息、所述第二消息、所述第三消息或所述第四消息为管理帧或控制帧且所述管理帧或控制帧的子类型字段指示该帧为反追踪类型的帧,在所述管理帧或控制帧的负载部分携带所述第一标识信息、所述第二标识信息、第三标识信息或第四标识信息。
  20. 根据权利要求15-18任一项所述的终端,其特征在于,
    所述处理器,还用于如所述第一终端为源设备且所述第一消息为数据帧,所述数据帧的子类型字段指示该帧为反追踪数据帧,在所述数据帧的A3字段携带所述第一标识信息。
  21. 根据权利要求15所述的终端,其特征在于,
    所述处理器,还用于如所述第二终端为目标设备且所述第一消息的响应消息为数据帧,在所述数据帧的子类型字段设置成反追踪数据帧,在所述数据帧 的A4字段携带所述第二标识信息。
  22. 一种终端匹配方法,其特征在于,所述方法包括如下步骤:
    第二终端在第一时间点获取第一终端的接口地址,所述第一终端的接口地址在所述第一时间点时为第一介质访问控制地址MAC1;
    在所述第一时间点之后的第二时间点,所述第二终端接收第一终端发送的第一消息,所述第一消息中包含的发送方地址,即第一终端的接口地址,为变更后的第三介质访问控制地址MAC3,所述第一消息包括:第一标识信息,所述第一标识信息为所述第一终端将MAC1、第二介质访问控制地址MAC2和秘密信息输入第一预设的不可逆计算方法计算得到的信息;所述秘密信息为第一终端与第二终端共享的信息,所述第二终端的接口地址在所述第一时间点以及第二时间点时为MAC2;
    所述第二终端将所述第一标识信息与第二标识信息比对,如果第一标识信息与第二标识信息一致,所述第二终端确定所述第一消息的所述MAC3与所述第二终端获取的所述MAC1是标识同一个设备,所述同一个设备为所述第一终端;
    所述第二标识信息为第二终端将所述MAC1、所述MAC2和所述秘密信息输入所述第一预设的不可逆计算方法计算得到的信息;
    所述第二终端向第一终端发送第一消息的响应消息,所述响应消息里携带所述MAC2。
PCT/CN2016/114060 2016-12-31 2016-12-31 一种终端匹配方法、装置 WO2018120247A1 (zh)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US16/474,890 US11128661B2 (en) 2016-12-31 2016-12-31 Terminal matching method and apparatus
PCT/CN2016/114060 WO2018120247A1 (zh) 2016-12-31 2016-12-31 一种终端匹配方法、装置
CN201680080490.8A CN108886685B (zh) 2016-12-31 2016-12-31 一种终端匹配方法、装置
US17/459,858 US11824892B2 (en) 2016-12-31 2021-08-27 Terminal matching method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2016/114060 WO2018120247A1 (zh) 2016-12-31 2016-12-31 一种终端匹配方法、装置

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US16/474,890 A-371-Of-International US11128661B2 (en) 2016-12-31 2016-12-31 Terminal matching method and apparatus
US17/459,858 Continuation US11824892B2 (en) 2016-12-31 2021-08-27 Terminal matching method and apparatus

Publications (1)

Publication Number Publication Date
WO2018120247A1 true WO2018120247A1 (zh) 2018-07-05

Family

ID=62707683

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/114060 WO2018120247A1 (zh) 2016-12-31 2016-12-31 一种终端匹配方法、装置

Country Status (3)

Country Link
US (2) US11128661B2 (zh)
CN (1) CN108886685B (zh)
WO (1) WO2018120247A1 (zh)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115988609A (zh) * 2022-12-28 2023-04-18 北京数原数字化城市研究中心 一种设备归类方法、装置、电子设备及存储介质
WO2024092531A1 (en) * 2022-11-01 2024-05-10 Nokia Shanghai Bell Co., Ltd Method, device and computer-readable medium for communication

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11039306B2 (en) * 2017-11-28 2021-06-15 Intel IP Corporation Authentication of ranging device
US11582230B2 (en) * 2019-05-03 2023-02-14 Zte Corporation Dynamic MAC address change mechanism for wireless communications
CN112788160B (zh) * 2020-12-30 2022-12-09 普联技术有限公司 一种地址信息的切换方法及切换装置
US11855960B2 (en) 2021-05-19 2023-12-26 Cisco Technology, Inc. Device address rotation management protocol for a wireless local area network
US11700527B2 (en) * 2021-05-25 2023-07-11 Cisco Technology, Inc. Collaborative device address rotation
US11902775B2 (en) * 2021-05-28 2024-02-13 Cisco Technology, Inc. Encrypted nonces as rotated device addresses
CN113347580B (zh) * 2021-06-07 2023-03-31 美的集团股份有限公司 智能设备配网方法、装置、电子设备及存储介质
US12120525B2 (en) * 2021-09-13 2024-10-15 Cisco Technology, Inc. Concealing low power mobile device address during advertisement
GB2616033A (en) * 2022-02-24 2023-08-30 Canon Kk Method for changing the MAC address of a non-AP station for a next association with an AP station
US11902246B2 (en) 2022-04-28 2024-02-13 Cisco Technology, Inc. Central scheduling for enterprise wireless randomizing changing/rotating MAC address

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070019609A1 (en) * 2005-07-11 2007-01-25 Toshiba America Research, Inc. Dynamic temporary mac address generation in wireless networks
CN101588345A (zh) * 2008-05-23 2009-11-25 深圳华为通信技术有限公司 站与站之间信息发送、转发和接收方法、装置和通信系统
CN104955038A (zh) * 2014-03-25 2015-09-30 华为终端有限公司 分配寻址标识的方法及接入点、站点和通信系统
CN105451222A (zh) * 2014-07-31 2016-03-30 华为技术有限公司 一种终端建立连接的方法、装置及系统

Family Cites Families (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6397248B1 (en) * 1999-05-04 2002-05-28 Nortel Networks Limited System and method to discover end node physical connectivity to networking devices
JP3736451B2 (ja) * 2001-12-18 2006-01-18 ブラザー工業株式会社 アドレス推定システム、ネットワークデバイス、アドレス推定方法およびアドレス推定プログラム
JP4553565B2 (ja) * 2002-08-26 2010-09-29 パナソニック株式会社 電子バリューの認証方式と認証システムと装置
WO2004064434A2 (en) * 2003-01-08 2004-07-29 Nortel Networks Limited Method and apparatus for updating locations of dormant mobile stations
US7305458B2 (en) * 2003-04-22 2007-12-04 Accton Technology Corporation System and method for auto-configuring stackable network devices
US8751801B2 (en) * 2003-05-09 2014-06-10 Emc Corporation System and method for authenticating users using two or more factors
JP4617763B2 (ja) * 2003-09-03 2011-01-26 ソニー株式会社 機器認証システム、機器認証サーバ、端末機器、機器認証方法、および機器認証プログラム
US7474617B2 (en) * 2005-03-04 2009-01-06 Ibahn General Holdings Corporation Detection of multiple users of a network access node
US20060288209A1 (en) * 2005-06-20 2006-12-21 Vogler Dean H Method and apparatus for secure inter-processor communications
WO2007032499A1 (ja) * 2005-09-16 2007-03-22 National Institute Of Information And Communications Technology 無線通信システム及び無線通信方法
DE102006008745A1 (de) 2005-11-04 2007-05-10 Siemens Ag Verfahren und Server zum Bereitstellen eines Mobilitätsschlüssels
US20080178252A1 (en) * 2007-01-18 2008-07-24 General Instrument Corporation Password Installation in Home Networks
US8095667B1 (en) * 2008-02-19 2012-01-10 Marvell International Ltd. Methods and apparatus for remotely waking up a computer system on a computer network
US20110191664A1 (en) * 2010-02-04 2011-08-04 At&T Intellectual Property I, L.P. Systems for and methods for detecting url web tracking and consumer opt-out cookies
US20110208850A1 (en) * 2010-02-25 2011-08-25 At&T Intellectual Property I, L.P. Systems for and methods of web privacy protection
US8737370B2 (en) * 2010-05-17 2014-05-27 Qualcomm Incorporated Methods and apparatuses for direct link setup
US9232472B2 (en) * 2010-12-23 2016-01-05 Stmicroelectronics, Inc. Multiple MAC addresses in a device
US20140133656A1 (en) 2012-02-22 2014-05-15 Qualcomm Incorporated Preserving Security by Synchronizing a Nonce or Counter Between Systems
EP3082058B1 (en) * 2014-05-14 2018-02-28 Huawei Technologies Co. Ltd. Terminal matching method and matched terminal
US9305179B2 (en) * 2014-07-24 2016-04-05 Google Inc. Systems and methods for reducing accuracy of web bugs
US20160081005A1 (en) * 2014-09-17 2016-03-17 Qualcomm Incorporated Route formation and message transmission in a data link group over multiple channels
CN105530681B (zh) 2014-09-28 2019-02-19 华为技术有限公司 业务处理方法及装置
CN105530631A (zh) 2014-09-28 2016-04-27 华为技术有限公司 一种通信方法、装置及系统
US10237738B2 (en) * 2014-11-10 2019-03-19 Qualcomm Incorporated Wi-Fi privacy in an access point using media access control address randomization
US10034218B2 (en) * 2016-06-30 2018-07-24 Intel IP Corporation Apparatus, system and method of communicating a short sector sweep (SSW) packet
JP6737955B2 (ja) * 2016-09-27 2020-08-12 エーナイン・ドット・コム インコーポレイテッドA9.com, Inc. ネットワーク設定を共有する方法
US10362374B2 (en) * 2016-10-27 2019-07-23 Itron, Inc. Discovery mechanism for communication in wireless networks

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070019609A1 (en) * 2005-07-11 2007-01-25 Toshiba America Research, Inc. Dynamic temporary mac address generation in wireless networks
CN101588345A (zh) * 2008-05-23 2009-11-25 深圳华为通信技术有限公司 站与站之间信息发送、转发和接收方法、装置和通信系统
CN104955038A (zh) * 2014-03-25 2015-09-30 华为终端有限公司 分配寻址标识的方法及接入点、站点和通信系统
CN105451222A (zh) * 2014-07-31 2016-03-30 华为技术有限公司 一种终端建立连接的方法、装置及系统

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024092531A1 (en) * 2022-11-01 2024-05-10 Nokia Shanghai Bell Co., Ltd Method, device and computer-readable medium for communication
CN115988609A (zh) * 2022-12-28 2023-04-18 北京数原数字化城市研究中心 一种设备归类方法、装置、电子设备及存储介质
CN115988609B (zh) * 2022-12-28 2023-12-19 北京数原数字化城市研究中心 一种设备归类方法、装置、电子设备及存储介质

Also Published As

Publication number Publication date
US20190349397A1 (en) 2019-11-14
US20220053021A1 (en) 2022-02-17
CN108886685B (zh) 2021-02-09
US11128661B2 (en) 2021-09-21
US11824892B2 (en) 2023-11-21
CN108886685A (zh) 2018-11-23

Similar Documents

Publication Publication Date Title
WO2018120247A1 (zh) 一种终端匹配方法、装置
US10601594B2 (en) End-to-end service layer authentication
US10250698B2 (en) System and method for securing pre-association service discovery
KR20230118849A (ko) 멀티 링크 피어 투 피어 통신을 위한 통신 장치 및 통신 방법
WO2015144050A1 (zh) 分配寻址标识的方法及接入点、站点和通信系统
US11109206B2 (en) Security method and system for supporting discovery and communication between proximity based service terminals in mobile communication system environment
JP2019504526A (ja) セキュアファインタイミング測定
JP2016538770A (ja) 統合されたメッシュ認証および関連付けのためのシステムおよび方法
WO2020050138A1 (ja) コアネットワーク装置、アクセスネットワーク装置、通信端末、通信システム、及び通信方法
WO2017133021A1 (zh) 一种安全处理方法及相关设备
US11121871B2 (en) Secured key exchange for wireless local area network (WLAN) zero configuration
CN116963054B (zh) Wlan多链路tdls密钥导出
WO2017026930A1 (en) Methods and devices for privacy enhancement in networks
JP2017028457A (ja) 通信装置、通信方法及びプログラム
WO2019019280A1 (zh) 物联网终端数据的分时段加密方法及装置
WO2023050373A1 (zh) 一种通信方法、装置及系统
WO2018040805A1 (zh) 无线局域网中建立关联的方法、终端和接入点
WO2019010793A1 (zh) 物联网接入点接收数据的分时段加密方法及装置
WO2019015041A1 (zh) 一种物联网中继器数据的分时段加密方法及装置
WO2017169957A1 (ja) 通信システム、子機及び親機
SINGH SECURE 6LOWPAN NETWORKS FOR E-HEALTHCARE MONITORING APPLICATIONS.
WO2019019287A1 (zh) 一种物联网终端数据的随机加密方法及装置
WO2023213205A1 (zh) 通信方法和装置
JP2018133737A (ja) ネットワーク構築システム、方法及び無線ノード

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16925395

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16925395

Country of ref document: EP

Kind code of ref document: A1