CN103096307A - Secret key verification method and device - Google Patents


Info

Publication number: CN103096307A
Authority: CN (China)
Prior art keywords: message, key, sta, authentication, random number
Legal status: Pending
Application number: CN2011103319744A
Other languages: Chinese (zh)
Inventor: 冯成燕
Current assignee: ZTE Corp
Original assignee: ZTE Corp

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a key verification method and device. The method comprises: a station (STA) receives a key verification message from an access point (AP), the key verification message carrying a first message authentication code; the STA verifies the first message authentication code; and the STA sends to the AP a key verification completion message carrying a second message authentication code, so that the AP verifies the second message authentication code. With this technical scheme, the cumbersome security verification steps of the prior art are reduced, the network access time is shortened, overall system performance is improved, and the user experience is improved as well.

Description

Key authentication method and device
Technical field
The present invention relates to the field of communications, and in particular to a key authentication method and device.
Background technology
IEEE 802.11 is one of the first-generation wireless local area network (WLAN) standards. The standard defines the physical layer (PHY) and medium access control (MAC) layer protocols, and allows WLAN and radio equipment manufacturers to build network equipment that interoperates within a defined scope. Over two decades of development, the IEEE 802.11 WLAN standards working group has refined a family of standards, among which 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac are the most influential and widely used.
The Wi-Fi Alliance, the counterpart of IEEE 802.11, is a non-profit international organization founded in 1999 to certify the interoperability of WLAN products based on the IEEE 802.11 specifications. The goal of the Wi-Fi Alliance members is to improve the user's experience through product interoperability.
As shown in Fig. 1, an IEEE 802.11 network comprises stations (Station, STA) and wireless access points (Access Point, AP). A STA is any device that has an IEEE 802.11 MAC layer and PHY layer interface; it is usually a PC or laptop with a wireless network card, but a wireless terminal may also be a non-terminal embedded device that provides wireless connectivity (for example an 802.11 mobile phone). An AP can be regarded as a wireless hub that bridges STAs to an existing backbone network, which may be wired or wireless. An AP together with the one or more STAs in its coverage area forms a Basic Service Set (BSS). A BSS is uniquely identified by its basic service set identifier BSSID, which is the MAC address of the AP. Terminals within one BSS can communicate with each other. Multiple BSSs using the same service set identifier SSID form a larger virtual BSS, defined as an Extended Service Set (ESS). Terminals within the same ESS can communicate with each other and can move between the BSSs belonging to it. The network, including the wired network, that connects the BSSs of an ESS is called the Distribution System (DS). The DS may use wireless or wired technology; Ethernet is usually used.
To complete authentication and IP address assignment, a WLAN network also comprises an Authentication Server (AS) and a Dynamic Host Configuration Protocol (DHCP) server, as shown in Fig. 2. The AS is the entity that provides authentication service for STAs; only a STA that passes authentication is authorized to access the 802.11 network. The AS may also be embedded in the AP. The DHCP server assigns IP addresses to STAs. Through this WLAN network a STA can access the Internet.
Fig. 3 shows the security key hierarchy introduced by IEEE 802.11i. The Pairwise Master Key (PMK) is the key that the STA and the AS each generate during the EAP authentication process; its length is 256 bits. The Pairwise Transient Key (PTK) is the key that the STA and the AP each derive from the PMK together with the random number SNonce generated by the STA and the random number ANonce generated by the AP. The low 128 bits of the PTK are the Key Confirmation Key (KCK), the middle 128 bits are the Key Encryption Key (KEK), and the remaining high-order bits are the Temporal Key (TK). The KCK provides data-origin authentication for the EAPOL-Key (Extensible Authentication Protocol over LAN key) messages of the 4-way handshake and the group key handshake; the KEK provides confidentiality protection for the EAPOL-Key key information frames of the 4-way handshake and the group key handshake; the TK is used to protect the data frames transmitted between the STA and the AP.
In addition, IEEE 802.11 also defines the Group Temporal Key (GTK). The GTK is a random number generated by the AP; in the group key handshake, the AP encrypts the GTK with the KEK and transfers it to the STA.
Fig. 4 shows the flow of security establishment when a STA initially accesses an IEEE 802.11 network. The steps are as follows:
Steps 1-2: the AP broadcasts a Beacon message, or the STA actively sends a Probe Request message to the AP and the AP replies with a Probe Response message; in either case the AP informs the STA of its capabilities, parameters and security parameters.
Steps 3-4: open system authentication is performed between the STA and the AP. This process does not establish real security.
Steps 5-6: association is performed between the STA and the AP. Through this step an IEEE 802.11 channel is established between the STA and the AP.
Step 7: EAP authentication is performed between the STA and the AS. When this process is complete, the STA and the IEEE 802.11 network have mutually authenticated and have each generated the PMK.
Step 8: the AS informs the AP of the authentication success through a Remote Authentication Dial In User Service (RADIUS) Access Accept message, and sends the PMK generated in the EAP process to the AP.
Step 9: the AP sends an 802.1X message to the STA, which encapsulates an EAP-Success message.
Step 10: the 4-way handshake between the AP and the STA begins, in which both sides verify the keys they have generated. The AP generates the first random number ANonce, carries it in a key information frame (EAPOL-Key) message and sends it to the STA.
Step 11: the STA generates the second random number SNonce, generates the PTK from SNonce, the received ANonce and the PMK generated in the EAP process, and truncates the PTK to obtain the key confirmation key KCK, the KEK and the temporal key TK. The STA sends an EAPOL-Key message to the AP carrying the second random number SNonce. This message carries a message authentication code (Message Integrity Code, MIC) calculated with the KCK.
Step 12: the AP derives the PTK from the received SNonce, the ANonce it generated itself and the PMK generated in the EAP process, using the same algorithm as the STA, and truncates the PTK to obtain KCK, KEK and TK. The AP verifies the received EAPOL-Key message with the KCK it generated. If verification succeeds, the AP sends an EAPOL-Key message to the STA carrying the random number ANonce and a MIC calculated with the KCK.
Step 13: the STA verifies the received EAPOL-Key message. If verification succeeds, the STA installs the temporal key TK obtained by truncating the PTK and sends an EAPOL-Key message to the AP carrying a MIC calculated with the KCK. At this point the 4-way handshake between the STA and the AP is complete.
Step 14: the group key handshake is performed between the STA and the AP. The AP optionally generates the third random number GNonce, randomly selects the group temporal key GTK, encrypts the GTK with the KEK, and sends the encrypted GTK and/or the random number GNonce to the STA in an EAPOL-Key message. This message likewise carries a MIC calculated with the KCK.
Step 15: the STA verifies the received EAPOL-Key message and, if successful, decrypts with the KCK to obtain the GTK; the STA then sends an EAPOL-Key message to the AP carrying a MIC calculated with the KCK. The AP verifies the received message. At this point the STA has completed initial connection establishment and can send and receive data packets.
Step 16: the STA and the WLAN network can perform the DHCP process to obtain an IP address.
A mobile user constantly enters and leaves the coverage area of an ESS. Each time a mobile device enters an ESS, it must perform the initial link establishment procedure of STA initial network entry shown in Fig. 4. This initial link establishment involves many security steps, which makes the delay of initial network entry long. When a large number of users need to access the WLAN network within a short period of time (for example at a subway station, where many users who have just left the subway need to connect to the WLAN network to obtain route information), the problem of long network entry delay becomes even more serious.
In the related art, the initial link establishment process involves many security verification steps, which results in a long network entry delay, and no effective solution to this problem has yet been proposed.
Summary of the invention
In view of the problem in the related art that the initial link establishment process involves many security verification steps and therefore a long network entry delay, the present invention provides a key authentication method and device to address at least this problem.
According to one aspect of the present invention, a key authentication method is provided, comprising: a STA receives a key authentication message from an AP, wherein the key authentication message carries a first message authentication code; the STA verifies the first message authentication code; after successful verification, the STA sends to the AP a key authentication completion message carrying a second message authentication code, so that the AP verifies the second message authentication code.
Before the STA receives the key authentication message from the AP, the method further comprises one of the following: the STA and the AP have authenticated successfully; the STA and the AP begin to authenticate.
The key authentication message further carries at least one of the following: the first random number, the second random number, a counter value, an association identifier.
Before the STA receives the key authentication message from the AP, the method further comprises: the AP generates the first random number or the counter value; the AP calculates the pairwise transient key PTK according to a predetermined key derivation algorithm from the pairwise master key PMK generated in the authentication process, the second random number generated by the STA and the first random number generated by the AP, or from the PMK and the counter value, and truncates the PTK to obtain the key confirmation key KCK; the AP calculates the first message authentication code from the KCK and sends it carried in the key authentication message.
When the AP truncates the PTK to obtain the KCK, the method further comprises: the AP truncates the PTK to obtain the key encryption key KEK and/or the temporal key TK.
Before the first message authentication code is sent carried in the key authentication message, the method further comprises: the AP sends the first random number to the STA. The AP sending the first message authentication code carried in the key authentication message comprises: the AP encrypts the key authentication message with the KEK or the TK before sending it.
Before the STA receives the key authentication message from the AP, the method further comprises: the AP randomly selects the group temporal key GTK and encrypts the GTK with the KEK; the AP sends the encrypted GTK to the STA carried in the key authentication message.
After the AP sends the encrypted GTK and/or the third random number to the STA carried in the key authentication message, the method further comprises: the STA receives the key authentication message from the AP; the STA decrypts the key authentication message with the KEK to obtain the GTK.
The STA verifying the first message authentication code comprises: the STA calculates the PTK according to the predetermined key derivation algorithm from the PMK generated in the authentication process, the first random number generated by the AP and the second random number generated by the STA, or from the PMK and the counter value, and truncates the PTK to obtain the KCK; the STA verifies the first message authentication code with the KCK.
When the STA truncates the PTK to obtain the KCK, the method further comprises: the STA truncates the PTK to obtain the KEK and/or the TK.
The key authentication completion message further carries at least one of the following: the first random number, the second random number.
The key authentication message further carries at least one of the following: a first EAP-related message and/or a first DHCP-related message; the key authentication completion message further carries at least one of the following: a second EAP-related message and/or a second DHCP-related message.
The first EAP-related message comprises an EAP-Success message; the first DHCP-related message comprises a DHCP Offer message or a DHCP Ack message; the second DHCP-related message comprises a DHCP Discover message or a DHCP Request message.
The STA sending the key authentication completion message to the AP comprises one of the following: when the key authentication completion message comprises the second DHCP-related message, the STA encrypts the second DHCP-related message with the KEK or the TK, encapsulates the encrypted second DHCP-related message in the key authentication completion message and sends it to the AP; the STA encrypts the key authentication completion message with the KEK or the TK and then sends it to the AP.
Before the STA and the AP authenticate, the method further comprises: the AP sends a network discovery message to the STA, wherein the network discovery message comprises a third EAP-related message.
While the STA and the AP authenticate, the method further comprises: the STA and the DHCP server perform some or all of the DHCP process.
Before the STA and the AP authenticate, the method further comprises: the STA sends a first message to the AP, wherein the first message carries at least one of the following: the second random number generated by the STA, the counter value, a fourth EAP-related message, a third DHCP-related message.
The first message is one of the following: an association request message; an 802.1X message.
After the AP successfully verifies the second message authentication code, the method further comprises: the AP sends a second message to the STA, wherein the second message comprises a fourth DHCP-related message.
The second message is one of the following: an association response message; a key information frame EAPOL-Key; an 802.1X message.
The key authentication message and the key authentication completion message are key information frame EAPOL-Key messages.
According to another aspect of the present invention, a key authentication device is provided, comprising: a first receiving module for receiving a key authentication message from an AP, wherein the key authentication message carries a first message authentication code; a first verification module for verifying the first message authentication code; a first sending module for sending to the AP, after successful verification, a key authentication completion message carrying a second message authentication code, so that the AP verifies the second message authentication code.
The first verification module comprises: an acquisition unit for calculating the pairwise transient key PTK according to the predetermined key derivation algorithm from the pairwise master key PMK generated in the authentication process, the second random number generated by the key authentication device and the first random number generated by the AP, or from the PMK and the counter value, and for truncating the PTK to obtain the key confirmation key KCK; a verification unit for verifying the first message authentication code with the KCK.
According to yet another aspect of the present invention, a key authentication device is provided, comprising: a second sending module for sending a key authentication message to a STA, wherein the key authentication message carries a first message authentication code; a second receiving module for receiving, after the STA successfully verifies the first message authentication code, a key authentication completion message from the STA, wherein the key authentication completion message carries a second message authentication code; a second verification module for verifying the second message authentication code.
The device further comprises: a generation module for generating the first random number; an acquisition module for calculating the pairwise transient key PTK according to the predetermined key derivation algorithm from the pairwise master key PMK generated in the authentication process, the second random number generated by the STA and the first random number generated by the generation module, or from the PMK and the counter value, and for truncating the PTK to obtain the key confirmation key KCK; a calculation module for calculating the first message authentication code from the KCK; the second sending module sends the first message authentication code calculated from the KCK carried in the key authentication message.
The device further comprises: a third sending module for sending the first random number to the STA.
With the present invention, after the STA and the AP have authenticated successfully, the STA verifies the key authentication message carrying the first message authentication code sent by the AP and, after successful verification, sends to the AP a key authentication completion message carrying the second message authentication code, which the AP verifies. This solves the problem in the related art that the initial link establishment process involves many security verification steps and therefore a long network entry delay; it reduces the cumbersome security verification steps of the prior art, shortens the network entry delay, improves overall system performance and also improves the user's experience.
Description of drawings
The accompanying drawings described here are provided for a further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description are used to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic diagram of an IEEE 802.11 network structure according to the related art;
Fig. 2 is a schematic diagram of the structure of a WLAN network;
Fig. 3 is a schematic diagram of the key hierarchy introduced by IEEE 802.11i;
Fig. 4 is a flow chart of initial link establishment by a terminal as currently defined by IEEE 802.11;
Fig. 5 is a flow chart of the key authentication method according to an embodiment of the present invention;
Fig. 6 is a flow chart of the key authentication method according to preferred embodiment one of the present invention;
Fig. 7 is a flow chart of the key authentication method according to preferred embodiment two of the present invention;
Fig. 8 is a structural block diagram of a key authentication device according to an embodiment of the present invention;
Fig. 9 is a structural block diagram of a key authentication device according to a preferred embodiment of the present invention;
Fig. 10 is a structural block diagram of another key authentication device according to an embodiment of the present invention;
Fig. 11 is a structural block diagram of another key authentication device according to a preferred embodiment of the present invention.
Embodiment
The present invention is described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that, where there is no conflict, the embodiments of this application and the features in the embodiments may be combined with one another.
As shown in Fig. 5, in view of the problem in the related art that the initial link establishment process involves many security verification steps and a long network entry delay, this embodiment provides a key authentication method comprising the following steps:
Step S502: the STA receives a key authentication message from the AP, wherein the key authentication message carries a first message authentication code;
Step S504: the STA verifies the first message authentication code;
Step S506: after successful verification, the STA sends to the AP a key authentication completion message carrying a second message authentication code, so that the AP verifies the second message authentication code.
In this embodiment, because the initial link establishment process of the related art involves many security verification steps and therefore a long network entry delay, the method shown in Fig. 5 is adopted: the STA verifies the key authentication message carrying the first message authentication code sent by the AP and, after successful verification, sends to the AP a key authentication completion message carrying the second message authentication code, which the AP verifies. This reduces the cumbersome security verification steps of the prior art, shortens the network entry delay, improves overall system performance and also improves the user's experience.
Preferably, before the STA receives the key authentication message from the AP, one of the following is also performed:
(1) the STA and the AP authenticate successfully;
(2) the STA and the AP begin to authenticate.
That is, the trigger condition of step S502 comprises: the STA and the AP have authenticated successfully, or the STA and the AP begin mutual authentication.
Preferably, the key authentication message may further carry at least one of the following: the first random number (e.g. ANonce), the second random number (e.g. SNonce), the association identifier (AID).
In step S502, before the STA receives the key authentication message from the AP, the following processing may also be performed:
(1) the AP generates the first random number or the counter value;
(2) the AP calculates the PTK according to the predetermined key derivation algorithm from the PMK generated in the authentication process, the second random number generated by the STA and the first random number generated by the AP, and truncates the PTK to obtain the key confirmation key KCK; or the AP calculates the pairwise transient key PTK according to the predetermined key derivation algorithm from the pairwise master key PMK generated in the authentication process and the counter value COUNT, and truncates the PTK to obtain the key confirmation key KCK;
Where a counter value is used, the STA and the AP each maintain a counter. The counter is initialized at initial network entry or after each successful authentication, and the STA and the AP each increment their own counter before or after every PTK derivation. The counter values maintained by the STA and the AP must be kept synchronized.
(3) the AP calculates the first message authentication code from the KCK and sends it carried in the key authentication message.
Preferably, when the AP truncates the PTK to obtain the KCK, it may also obtain one of the following: the key encryption key (KEK); the temporal key (TK); both the temporal key (TK) and the key encryption key (KEK).
In step S502, before the first message authentication code is sent carried in the key authentication message, the following processing may also be performed: the AP sends the first random number to the STA.
When the AP sends the key authentication message carrying the first message authentication code, it may also encrypt the key authentication message, or some of its information elements, with the above KEK or TK before sending.
In a preferred implementation, before the STA receives the key authentication message from the AP, the following processing may also be performed:
(1) the AP randomly selects the group temporal key GTK and encrypts the GTK with the KEK;
(2) the AP sends the encrypted GTK to the STA carried in the key authentication message.
Optionally, before the AP sends the GTK and/or the third random number to the STA carried in the key authentication message, the following processing may also be performed: the AP generates the third random number.
After the AP sends the encrypted GTK and/or the third random number to the STA carried in the key authentication message, the following processing may also be performed: the STA receives the key authentication message from the AP and then decrypts the key authentication message with the KEK to obtain the GTK.
Preferably, in step S504, the STA verifying the first message authentication code may further comprise the following processing: the STA calculates the PTK according to the predetermined key derivation algorithm from the PMK generated in the authentication process, the second random number generated by the STA and the first random number generated by the AP, and truncates the PTK to obtain the KCK; the STA verifies the first message authentication code with the KCK. Alternatively, the STA calculates the PTK according to the predetermined key derivation algorithm from the PMK generated in the authentication process and the counter value COUNT, and truncates the PTK to obtain the KCK.
The key authentication completion message may further carry at least one of the following: the first random number, the second random number, the counter value COUNT.
Preferably, when the STA truncates the PTK to obtain the KCK, the STA may also truncate the PTK to obtain the KEK and/or the TK.
Preferably, the key authentication message may further carry at least one of the following: a first EAP-related message and/or a first DHCP-related message.
Preferably, the key authentication completion message may further carry at least one of the following: a second EAP-related message and/or a second DHCP-related message.
In a specific implementation, if the key authentication message carries the first EAP-related message and/or the first DHCP-related message, and the key authentication completion message carries the second EAP-related message and/or the second DHCP-related message, then after the STA successfully verifies the received message it passes the encapsulated first EAP-related message and/or first DHCP-related message to the upper layer for processing and, if there are subsequent messages, continues to receive the corresponding subsequent messages returned by the upper layer.
For example, the first EAP-related message may be an EAP-Success message; the first DHCP-related message may be a DHCP Offer message or a DHCP Ack message; the second DHCP-related message may be a DHCP Discover message or a DHCP Request message.
Preferably, in step S506, the STA sending the key authentication completion message to the AP may further comprise one of the following:
Process one: when the key authentication completion message comprises the second DHCP-related message, the STA encrypts the second DHCP-related message with the KEK or the TK, encapsulates the encrypted second DHCP-related message in the key authentication completion message and sends it to the AP;
Process two: the STA encrypts the key authentication completion message with the KEK or the TK and then sends it to the AP.
Preferably, before the STA and the AP authenticate, the following processing may also be performed: the AP sends a network discovery message to the STA, wherein the network discovery message comprises a third EAP-related message.
For example, the second EAP-related message may be an EAP-Request/Identity message. The network discovery message may be a Beacon message or a Probe Response message.
Preferably, before the STA and the AP authenticate, the following processing may also be performed: the STA sends a first message to the AP, wherein the first message carries at least one of the following: the second random number generated by the STA, the counter value COUNT, a fourth EAP-related message, a third DHCP-related message.
The first message may be one of the following: an association request message; an 802.1X message.
For example, the fourth EAP-related message may be an EAP-Response/Identity message; the third DHCP-related message may be a DHCP Discover message.
After the AP successfully verifies the second message authentication code, the following processing may also be performed: the AP sends a second message to the STA, wherein the second message comprises a fourth DHCP-related message.
The second message may be one of the following: an association response message; a key information frame (EAPOL-Key); an 802.1X message.
For example, the fourth DHCP-related message may be a DHCP Ack message.
It should be noted that the first, second, third and fourth EAP-related messages and the first, second, third and fourth DHCP-related messages are all upper-layer messages.
Preferably, while the STA and the AP authenticate, the STA and the DHCP server perform some or all of the DHCP process.
Through this parallel processing, the processing time can be further reduced, reducing the delay of user network access.
It should be noted that the above key authentication method can be applied in IEEE 802.11 networks, and of course also in other networks. For IEEE 802.11 networks, the key authentication message and the key authentication completion message may be EAPOL-Key messages.
Two examples below in conjunction with Fig. 6 and Fig. 7 further describe above-mentioned preferred implementation.
Preferred embodiment one
Fig. 6 is a flow chart of the key authentication method according to preferred embodiment one of the present invention. As shown in Fig. 6, the key authentication method mainly includes the following processing:
Step S602: an exchange takes place between the STA and the AP in which the STA learns the security capabilities of the AP. This may be carried out through the beacon message broadcast by the AP or through a probe request/probe response exchange between the STA and the AP; or through the beacon message broadcast by the AP or a probe request/probe response exchange, together with an association request/association response exchange between the STA and the AP.
Preferably, in this process the STA may send the random number SNonce it generates to the AP.
Step S604: authentication between the STA and the AP. This authentication process may be EAP-based mutual authentication. After authentication completes successfully, the STA and the AP each generate the key PMK.
Preferably, in this process the STA may send the random number SNonce or the counter value COUNT it generates to the AP. If a counter value is used, the STA and the AP each maintain a counter. The counter is initialised at initial network entry or after each successful authentication, and the STA and the AP each increment the counter they maintain before every key authentication procedure.
Preferably, while EAP is in progress, the STA, the AP and the DHCP server may carry out part or all of the DHCP procedure in parallel.
Step S606: the AS sends an EAP-Success message to the AP; this message is encapsulated in a RADIUS message and carries the key PMK.
Step S608: key authentication. If the AP has not yet generated the random number ANonce, it generates ANonce. The AP derives the key PTK from the received PMK, SNonce and ANonce according to the key derivation algorithm specified by the IEEE 802.11 protocol; alternatively, the AP derives the PTK from the received PMK and the COUNT value according to the key derivation algorithm specified by the IEEE 802.11 protocol. The AP truncates the derived PTK to obtain the KCK and/or KEK and/or TK, and sends a key authentication message to the STA. This message carries the parameters: the random number ANonce, and/or the random number SNonce, and/or the association identifier AID that the AP assigns to this STA, and the message authentication code MIC of this message computed with the KCK.
Optionally, if the STA and the AP use the counter value COUNT to generate the PTK, the AP, on receiving the COUNT value sent by the STA, compares it with the counter value it maintains. If the received COUNT value is greater than its own counter value, the AP sets its own counter value equal to the received COUNT value and uses this COUNT value in the key derivation; if the received COUNT value equals its own counter value, it uses this COUNT value in the key derivation; if the received COUNT value is less than its own counter value, the message is judged invalid and the exception handling procedure is entered.
Preferably, this key authentication message carries encapsulated upper-layer messages: an EAP-Success message and/or a DHCP-related message. The DHCP-related message may be a DHCP Offer message or a DHCP Ack message.
Preferably, the AP encrypts the DHCP-related message with the KEK before encapsulating it in the key authentication message.
Preferably, if the AP has sent ANonce to the STA in a preceding step, the AP may encrypt the key authentication message before sending it in this step. The key used for encryption may be the KEK or the TK.
Preferably, the AP may carry out the group key handshake with the STA at the same time. The AP optionally generates a random number GNonce, randomly selects a group temporal key GTK, encrypts the GTK with the key encryption key KEK, and carries the encrypted GTK and/or the random number GNonce in the key authentication message sent to the STA. This key authentication message may be an EAPOL-Key message.
Step S610: key authentication complete. The STA derives the key PTK from the key PMK generated in the EAP process, the received random number ANonce and the random number SNonce it generated itself, using the same key derivation algorithm as the AP, and truncates the PTK to obtain the KCK and/or KEK and/or TK; alternatively, the STA derives the PTK from the PMK and the COUNT value according to the key derivation algorithm specified by the IEEE 802.11 protocol. The STA verifies the MIC of the received key authentication message with the derived KCK. If verification passes, the STA sends a key authentication complete message to the AP, carrying the random number SNonce and/or the random number ANonce. This message carries a message authentication code MIC computed with the KCK.
Preferably, if an upper-layer message such as a DHCP-related message is to be carried in this key authentication complete message, the STA, after successfully verifying the received message, passes the encapsulated upper-layer message to the upper layer for processing and receives the corresponding follow-up message returned by the upper layer. The DHCP-related message may be a DHCP Discover message or a DHCP Offer message.
Preferably, the STA encrypts the DHCP-related message with the KEK before encapsulating it in the key authentication complete message; or the STA encrypts the whole key authentication complete message before sending it to the AP, where the key used for encryption may be the KEK or the TK.
If the received key authentication message includes an encrypted group key GTK, the STA decrypts it with the KEK to obtain the GTK. This key authentication complete message may be an EAPOL-Key message.
Step S612: the remaining part, or all, of the DHCP procedure is carried out between the STA and the AP. If the association process was not completed successfully in step S602, the DHCP messages may be carried in the association process messages. If the association process was completed in step S602, the DHCP procedure here may be carried in key information frame (EAPOL-Key) messages, or sent in user data frames.
At this point, initial link setup between the STA and the AP is successfully completed, and data frames can be sent and received securely.
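The two-message exchange of steps S608 and S610 (the AP derives the PTK from PMK, SNonce and ANonce, truncates it into KCK/KEK/TK and sends a key authentication message protected by a MIC under the KCK; the STA derives the same PTK, verifies the MIC, releases the encapsulated upper-layer message only after that check passes, and answers with its own MIC-protected key authentication complete message, which the AP verifies in turn), written out as an added Python example. This is not code from the patent or from ZTE. The PRF follows the IEEE 802.11i PRF-X construction (HMAC-SHA1 blocks, 48-byte PTK split into 16-byte KCK, KEK and TK); that this is the "key derivation algorithm specified by IEEE 802.11" the text refers to is an assumption of the example, as is the frame layout (ANonce || SNonce || AID || length || payload || MIC). All key, address, nonce and payload values are constructed sample values.

```python
import hashlib
import hmac
import struct

# Label used by the 802.11 pairwise PRF; the PRF itself is the 802.11i PRF-X
# construction. Treating it as the text's "predetermined key derivation
# algorithm" is an assumption of this example.
PAIRWISE_LABEL = b"Pairwise key expansion"
NONCE_LEN = 32
MIC_LEN = 16  # length of the MIC field in the constructed frame layout

# Constructed sample values (not real keys or addresses).
SAMPLE_PMK = hashlib.sha256(b"constructed PMK for the example").digest()
AP_ADDR = bytes.fromhex("02aabbccdd01")
STA_ADDR = bytes.fromhex("02aabbccdd02")
SAMPLE_ANONCE = bytes(range(32))
SAMPLE_SNONCE = bytes(range(100, 132))


def prf(key, label, data, nbytes):
    """PRF-X: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Derive the 48-byte PTK from PMK, both MAC addresses and both nonces, then
    'truncate' it into KCK (16 bytes), KEK (16 bytes) and TK (16 bytes).
    min/max ordering makes the result independent of which side computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PAIRWISE_LABEL, data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def compute_mic(kck, body):
    """MIC = HMAC-SHA1 under the KCK over the frame with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, body + b"\x00" * MIC_LEN, hashlib.sha1).digest()[:MIC_LEN]


def build_frame(kck, anonce, snonce, aid, payload):
    """Constructed layout: ANonce || SNonce || AID(2) || len(2) || payload || MIC."""
    body = anonce + snonce + struct.pack(">HH", aid, len(payload)) + payload
    return body + compute_mic(kck, body)


def verify_frame(kck, frame, anonce, snonce):
    """Return the encapsulated upper-layer payload if the MIC verifies and the
    echoed nonces match this run; otherwise None and nothing is passed upward."""
    header_len = 2 * NONCE_LEN + 4
    if len(frame) < header_len + MIC_LEN:
        return None
    body, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
    if not hmac.compare_digest(mic, compute_mic(kck, body)):
        return None
    if body[:2 * NONCE_LEN] != anonce + snonce:
        return None  # reply bound to a different nonce pair
    _aid, plen = struct.unpack(">HH", body[2 * NONCE_LEN:header_len])
    if len(body) != header_len + plen:
        return None
    return body[header_len:]


def run_key_confirmation(pmk, aa, spa, anonce, snonce, aid, ap_payload, sta_payload, sta_pmk=None):
    """Steps S608/S610. Returns (payload accepted by the STA, payload accepted by
    the AP); None on either side means that side's MIC check failed. sta_pmk lets
    the STA hold a different PMK to show that confirmation then fails."""
    if sta_pmk is None:
        sta_pmk = pmk
    ap_kck, _ap_kek, _ap_tk = derive_ptk(pmk, aa, spa, anonce, snonce)       # AP side
    msg1 = build_frame(ap_kck, anonce, snonce, aid, ap_payload)
    sta_kck, _sta_kek, _sta_tk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)  # STA side
    sta_accepted = verify_frame(sta_kck, msg1, anonce, snonce)
    if sta_accepted is None:
        return None, None  # STA stops here; no complete message is sent
    msg2 = build_frame(sta_kck, anonce, snonce, aid, sta_payload)
    ap_accepted = verify_frame(ap_kck, msg2, anonce, snonce)
    return sta_accepted, ap_accepted


def tampered_frame_rejected(pmk, aa, spa, anonce, snonce, aid, payload):
    """Flip one bit of the encapsulated payload in transit; the STA must drop the frame."""
    kck, _, _ = derive_ptk(pmk, aa, spa, anonce, snonce)
    frame = bytearray(build_frame(kck, anonce, snonce, aid, payload))
    frame[2 * NONCE_LEN + 4] ^= 0x01  # first payload byte
    return verify_frame(kck, bytes(frame), anonce, snonce) is None


if __name__ == "__main__":
    print(run_key_confirmation(SAMPLE_PMK, AP_ADDR, STA_ADDR, SAMPLE_ANONCE, SAMPLE_SNONCE,
                               1, b"DHCP-OFFER", b"DHCP-REQUEST"))
```

The payload strings stand in for the encapsulated EAP-Success/DHCP Offer and DHCP Request messages the text describes; encryption of the payload under the KEK is left out so the block needs only the standard library.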
Preferred embodiment two
As shown in Fig. 7, this embodiment shows a method for fast establishment of a WLAN initial link, specifically including steps S702 to S720.
Step S702: the AP and the STA carry out a security capability discovery procedure, in which the AP informs the STA of information such as the AP's capabilities, parameters and security parameters. Optionally, this process includes an association request/association response exchange.
Preferably, an EAP-Request/Identity message is encapsulated in the downlink message of this process. Optionally, this downlink message may also carry the parameter: the random number ANonce generated by the AP (the first random number above). The downlink message here may be a beacon message, a probe response message or an association response message.
Step S704: the STA sends a first message to the AP, in which an EAP-Response/Identity message is encapsulated.
Preferably, the STA generates the random number SNonce (the second random number above) and carries it in the first message.
Preferably, an encapsulated DHCP Discover message is carried in this first message.
The first message here may be an association request message or an 802.1X message.
Step S706: the AP encapsulates the EAP-Response/Identity message in a RADIUS message and sends it to the AS.
Step S708: optionally, the AP forwards the DHCP Discover message encapsulated in the first message to the DHCP server; the DHCP server sends a DHCP Offer message to the AP, carrying the network configuration parameters and IP address information. Steps S706, S708, S710 and S712 have no strict time ordering.
Step S710: EAP-based authentication is carried out between the STA and the AS. After both sides complete authentication successfully, the STA and the AS each generate the key PMK.
Step S712: the AS sends an EAP-Success message to the AP; this message is encapsulated in a RADIUS message and carries the key PMK.
Step S714: if the AP has not yet generated the random number ANonce, it generates ANonce. The AP derives the key PTK from the received PMK, SNonce and ANonce according to the key derivation algorithm specified by the IEEE 802.11 protocol; alternatively, the AP derives the PTK from the received PMK and the COUNT value according to the key derivation algorithm specified by the IEEE 802.11 protocol. The AP truncates the derived PTK to obtain the KCK and/or KEK and/or TK, and sends a key authentication message to the STA. This message carries the parameters: the random number ANonce, and/or the random number SNonce or the counter value COUNT, and/or the association identifier AID that the AP assigns to this STA, and the message authentication code MIC of this message computed with the KCK.
If a counter value is used, the STA and the AP each maintain a counter. The counter is initialised at initial network entry or after each successful authentication, and the STA and the AP each increment the counter they maintain before every key authentication procedure. The counter values maintained by the STA and the AP need to be kept synchronised.
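The counter rule stated in step S608 of embodiment one and again here (each side initialises its counter at network entry or after a successful authentication and increments it before every key authentication run; the AP accepts a received COUNT equal to or greater than its own, adopting the larger value to re-synchronise, and treats a smaller one as an invalid message), as an added Python example that is not part of the patent or of any ZTE implementation. Rolling the AP's counter back when a message is rejected is an assumption of this example; the text only says the exception handling procedure is entered.

```python
class KeyAuthCounter:
    """Counter value COUNT maintained independently by the STA and by the AP."""

    def __init__(self):
        self.value = 0

    def reset(self):
        """Initialise at initial network entry or after each successful authentication."""
        self.value = 0

    def advance(self):
        """Increment before each key authentication run; the STA sends the returned value."""
        self.value += 1
        return self.value


def ap_process_count(ap, received):
    """AP-side check of a received COUNT value.
    received > own  -> adopt the received value (re-synchronise) and accept
    received == own -> accept
    received < own  -> invalid message (replayed or stale), reject"""
    ap.advance()  # the AP increments its own counter before the run, like the STA
    if received > ap.value:
        ap.value = received
        return True
    if received == ap.value:
        return True
    # Assumption of this example: undo the increment so a rejected message
    # does not push the AP's counter ahead of the STA's.
    ap.value -= 1
    return False


def simulate(received_values):
    """Feed a constructed sequence of COUNT values to a fresh AP counter and
    return (accept/reject decision per message, final AP counter value)."""
    ap = KeyAuthCounter()
    decisions = [ap_process_count(ap, v) for v in received_values]
    return decisions, ap.value


if __name__ == "__main__":
    sta = KeyAuthCounter()
    sent = [sta.advance() for _ in range(3)]          # STA sends 1, 2, 3 over three runs
    print(sent, simulate([1, 2, 4, 3]))               # 4: AP missed a run; 3: stale value
```

In the constructed sequence 1, 2, 4, 3 the AP stays in step for the first two runs, re-synchronises to 4 when it has missed a run, and rejects the stale value 3 without changing its counter.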
Preferably, this key authentication message carries encapsulated upper-layer messages: an EAP-Success message and/or a DHCP Offer message.
Preferably, the AP encrypts the DHCP Offer message with the KEK before encapsulating it in the key authentication message.
Optionally, if the AP has sent ANonce to the STA in a preceding step, the AP may encrypt the key authentication message before sending it in this step. The key used for encryption may be the KEK or the TK.
Preferably, the AP may carry out the group key handshake with the STA at the same time. The AP optionally generates a random number GNonce, randomly selects a group temporal key GTK (Group Temporal Key), encrypts the GTK with the key encryption key KEK (Key Encryption Key), and carries the encrypted GTK and/or the random number GNonce in the key authentication message sent to the STA.
This key authentication message may be an EAPOL-Key message.
Step S716: the STA derives the key PTK from the key PMK generated in the EAP process, the received random number ANonce and the random number SNonce it generated itself, using the same key derivation algorithm as the AP, and truncates the PTK to obtain the KCK and/or KEK and/or TK; alternatively, the STA derives the PTK from the PMK generated in the EAP process and the COUNT value, using the same key derivation algorithm as the AP, and truncates the PTK to obtain the KCK and/or KEK and/or TK. The STA verifies the MIC of the received key authentication message with the derived KCK. If verification passes, the STA sends a key authentication complete message to the AP, carrying the random number SNonce and/or the random number ANonce. This message carries a message authentication code MIC (Message Integrity Code) computed with the KCK.
Preferably, if this key authentication message carries the upper-layer messages EAP-Success and/or DHCP Offer, the STA, after successfully verifying the received message, passes the encapsulated upper-layer messages to the upper layer for processing and receives the corresponding follow-up message returned by the upper layer.
Preferably, this key authentication complete message carries an encapsulated upper-layer message: a DHCP Request message.
Preferably, the STA encrypts the DHCP Request message with the KEK before encapsulating it in the key authentication complete message; or the STA encrypts the whole key authentication complete message before sending it to the AP, where the key used for encryption may be the KEK or the TK.
If the received key authentication message includes an encrypted group key GTK, the STA decrypts it with the KEK to obtain the GTK.
This key authentication complete message may be an EAPOL-Key message.
Step S718: the AP verifies the received key authentication complete message with the KCK it generated. If verification succeeds and the key authentication complete message carries the upper-layer message DHCP Request, then optionally the AP forwards the DHCP Request message to the DHCP server, and the DHCP server returns a DHCP Ack message to the AP.
Step S720: the AP sends a second message to the STA. Optionally, this message carries the parameters: the association identifier AID that the AP assigns to this STA, and/or the upper-layer message DHCP Ack.
This second message may be an association response message, an 802.1X message, or a key information frame EAPOL-Key message.
It should be noted that the steps shown in the flow charts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and, although a logical order is shown in the flow charts, in some cases the steps shown or described may be executed in an order different from that given here.
Fig. 8 is a structural block diagram of a key authentication device according to an embodiment of the present invention. As shown in Fig. 8, the device includes: a first receiving module 102, configured to receive, while the STA and the access point AP are authenticating or after authentication succeeds, a key authentication message from the AP, where the key authentication message carries a first message authentication code; a first verification module 104, configured to verify the first message authentication code; and a first sending module 106, configured to send, after verification succeeds, a key authentication complete message carrying a second message authentication code to the AP, so that the AP verifies the second message authentication code.
Preferably, the key authentication device above may be located in the STA.
The key authentication message above may also carry at least one of: the first random number, the second random number, the counter value, the association identifier.
The key authentication complete message above may also carry at least one of: the first random number, the second random number.
Preferably, as shown in Fig. 9, the first verification module 104 may include: an acquisition unit 1042, configured to compute the pairwise temporal key PTK, according to a predetermined key derivation algorithm, from the PMK generated in the authentication process, the first random number generated by the AP and the second random number generated by the STA, or to compute the PTK from the PMK and the counter value, and to truncate the PTK to obtain the KCK; and a verification unit 1044, configured to verify the first message authentication code using the KCK. The acquisition unit 1042 is connected or coupled to the verification unit 1044.
Preferably, when the acquisition unit 1042 truncates the PTK to obtain the KCK, it may also truncate the PTK to obtain the KEK and/or the TK.
Both the key authentication message and the key authentication complete message above may carry upper-layer messages. The upper-layer messages carried by the key authentication message may be a first EAP-related message and a first DHCP-related message; for example, the first EAP-related message is an EAP success (EAP-Success) message, and the first DHCP-related message is a DHCP Offer message or a DHCP Ack message. The upper-layer messages carried by the key authentication complete message may be a second EAP-related message and a second DHCP-related message; for example, the second DHCP-related message may be a DHCP Request message or a DHCP Discover message.
Preferably, the first sending module 106 sending the key authentication complete message to the AP includes one of the following:
When the key authentication complete message includes the second DHCP-related message, the first sending module 106 encrypts the second DHCP-related message with the KEK or the TK, encapsulates the encrypted second DHCP-related message in the key authentication complete message and sends it to the AP; or the first sending module 106 encrypts the key authentication complete message with the KEK or the TK and then sends it to the AP.
It should be noted that the preferred ways in which the modules and units of the device above work together can be found in the description of Fig. 5 to Fig. 7 and are not repeated here.
Fig. 10 is a structural block diagram of another key authentication device according to an embodiment of the present invention. As shown in Fig. 10, the key authentication device includes: a second sending module 202, configured to send a key authentication message to the station STA, where the key authentication message carries a first message authentication code; a second receiving module 204, configured to receive, after the STA successfully verifies the first message authentication code, a key authentication complete message from the STA, where the key authentication complete message carries a second message authentication code; and a second verification module 206, configured to verify the second message authentication code.
Preferably, the key authentication device above may be located in the AP.
The key authentication message above may also carry at least one of: the first random number, the second random number, the counter value, the association identifier.
The key authentication complete message may also carry at least one of: the first random number, the second random number.
Preferably, as shown in Fig. 11, the key authentication device may further include: a generation module 208, configured to generate the first random number; an acquisition module 210, configured to compute the PTK, according to a predetermined key derivation algorithm, from the PMK generated in the authentication process, the second random number generated by the STA 10 and the first random number generated by the generation module 208, or to compute the PTK from the PMK and the counter value, and to truncate the PTK to obtain the key confirmation key KCK; a computation module 212, configured to compute the first message authentication code from the KCK; and the second sending module 202, configured to compute the first message authentication code from the KCK and carry it in the key authentication message for sending. The generation module 208, acquisition module 210, computation module 212 and second sending module 202 are connected or coupled in sequence.
In a preferred implementation, the acquisition module 210 may also obtain the KEK and/or the TK when truncating the PTK to obtain the KCK.
Preferably, as shown in Fig. 11, the key authentication device above further includes: a third sending module 214, configured to send the first random number to the STA.
Preferably, before the STA receives the key authentication message from the key authentication device above, the key authentication device may optionally generate a third random number, randomly select a GTK, encrypt the GTK with the KEK, and carry the encrypted GTK and/or the third random number in the key authentication message sent to the STA.
Preferably, after the key authentication device above sends the encrypted GTK and/or the third random number to the STA in the key authentication message, the STA receives the key authentication message from the key authentication device and decrypts the key authentication message with the KEK to obtain the GTK.
Before the STA and the key authentication device above authenticate, the key authentication device sends a network discovery message to the STA, where the network discovery message includes a third EAP-related message.
The STA may carry out part or all of the DHCP procedure with the DHCP server while authenticating with the network.
The STA sends a first message to the key authentication device above, where the first message carries at least one of: the second random number generated by the STA, the counter value.
The first message may also carry upper-layer messages, including a fourth EAP-related message and/or a third DHCP-related message.
For example, the first message may be one of: an association request message; an 802.1X message.
After the key authentication device above successfully verifies the second message authentication code, it sends a second message to the STA, where the second message includes a fourth DHCP-related message.
For example, the second message is one of: an association response message; a key information frame EAPOL-Key; an 802.1X message.
It should be noted that the key authentication message and the key authentication complete message above may both be EAPOL-Key messages.
It should be noted that the preferred ways in which the modules and units of the device above work together can be found in the description of Fig. 5 to Fig. 7 and are not repeated here.
In summary, the embodiments provided by the present invention greatly increase the speed at which a terminal establishes an initial link and reduce the delay of a terminal's initial access to the WLAN network. In particular, in scenarios where a large number of users need to access the WLAN network within a very short time, the cumbersome security verification steps of the prior art are reduced, the network entry delay is shortened, the performance of the system is improved as a whole, and the user experience is improved at the same time.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices; optionally, they may be implemented with program code executable by computing devices, so that they may be stored in a storage device and executed by the computing devices; or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit the present invention; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (26)

1. A key authentication method, characterized by comprising:
a station STA receiving a key authentication message from an access point AP, wherein the key authentication message carries a first message authentication code;
the STA verifying the first message authentication code;
after verification succeeds, the STA sending to the AP a key authentication complete message carrying a second message authentication code, so that the AP verifies the second message authentication code.
2. The method according to claim 1, characterized in that, before the STA receives the key authentication message from the AP, the method further comprises one of the following: the STA and the AP completing authentication successfully; the STA and the AP starting to authenticate.
3. The method according to claim 1, characterized in that the key authentication message further carries at least one of: the first random number, the second random number, a counter value, an association identifier.
4. The method according to claim 1, characterized in that, before the STA receives the key authentication message from the AP, the method further comprises:
the AP generating a first random number or a counter value;
the AP computing a pairwise temporal key PTK, according to a predetermined key derivation algorithm, from the pairwise master key PMK generated in the authentication process, a second random number generated by the STA and the first random number generated by the AP, or computing the PTK from the PMK and the counter value, and truncating the PTK to obtain a key confirmation key KCK;
the AP computing the first message authentication code from the KCK, and carrying the first message authentication code in the key authentication message for sending.
5. The method according to claim 4, characterized in that, when the AP truncates the PTK to obtain the KCK, the method further comprises: the AP truncating the PTK to obtain a key encryption key KEK and/or a temporal key TK.
6. The method according to claim 5, characterized in that, before the first message authentication code is carried in the key authentication message for sending, the method further comprises: the AP sending the first random number to the STA;
the AP carrying the first message authentication code in the key authentication message for sending comprises: the AP encrypting the key authentication message with the KEK or the TK and then sending it.
7. The method according to claim 5, characterized in that, before the STA receives the key authentication message from the AP, the method further comprises:
the AP randomly selecting a group temporal key GTK and encrypting the GTK with the KEK;
the AP carrying the encrypted GTK in the key authentication message and sending it to the STA.
8. The method according to claim 7, characterized in that, after the AP carries the encrypted GTK and/or the third random number in the key authentication message and sends it to the STA, the method further comprises:
the STA receiving the key authentication message from the AP;
the STA decrypting the key authentication message with the KEK to obtain the GTK.
9. The method according to claim 1, characterized in that the STA verifying the first message authentication code comprises:
the STA computing the PTK, according to the predetermined key derivation algorithm, from the PMK generated in the authentication process, the first random number generated by the AP and the second random number generated by the STA, or computing the PTK from the PMK and the counter value, and truncating the PTK to obtain the KCK;
the STA verifying the first message authentication code using the KCK.
10. The method according to claim 9, characterized in that, when the STA truncates the PTK to obtain the KCK, the method further comprises: the STA truncating the PTK to obtain the KEK and/or the TK.
11. The method according to claim 1, characterized in that the key authentication complete message further carries at least one of: the first random number, the second random number.
12. The method according to any one of claims 1 to 11, characterized in that
the key authentication message further carries at least one of: a first EAP-related message and/or a first DHCP-related message;
the key authentication complete message further carries at least one of: a second EAP-related message and/or a second DHCP-related message.
13. The method according to claim 12, characterized in that
the first EAP-related message comprises: an EAP success message;
the first DHCP-related message comprises: a DHCP Offer message, a DHCP Ack message;
the second DHCP-related message comprises: a DHCP Discover message, a DHCP Request message.
14. The method according to claim 12, characterized in that the STA sending the key authentication complete message to the AP comprises one of the following:
when the key authentication complete message comprises the second DHCP-related message, the STA encrypting the second DHCP-related message with the KEK or the TK, encapsulating the encrypted second DHCP-related message in the key authentication complete message and sending it to the AP;
the STA encrypting the key authentication complete message with the KEK or the TK and then sending it to the AP.
15. The method according to claim 1, characterized in that, before the STA and the AP authenticate, the method further comprises: the AP sending a network discovery message to the STA, wherein the network discovery message comprises: a third EAP-related message.
16. The method according to claim 1, characterized in that, while the STA and the AP authenticate, the method further comprises:
the STA carrying out part or all of the DHCP procedure with a DHCP server.
17. The method according to claim 1, characterized in that, before the STA and the AP authenticate, the method further comprises: the STA sending a first message to the AP, wherein the first message carries at least one of: the second random number generated by the STA, a counter value, a fourth EAP-related message, a third DHCP-related message.
18. The method according to claim 17, characterized in that the first message is one of: an association request message; an 802.1X message.
19. The method according to claim 1, characterized in that, after the AP successfully verifies the second message authentication code, the method further comprises: the AP sending a second message to the STA, wherein the second message comprises: a fourth DHCP-related message.
20. The method according to claim 19, characterized in that the second message is one of: an association response message; a key information frame EAPOL-Key; an 802.1X message.
21. The method according to any one of claims 1 to 11 and 15 to 20, characterized in that the key authentication message and the key authentication complete message are key information frame EAPOL-Key messages.
22. a key authentication device is characterized in that, comprising:
The first receiver module is used for receiving the key authentication message that comes from access point AP, and wherein, described key authentication message carries the first Message Authentication Code;
The first authentication module is used for described the first Message Authentication Code is verified;
The first sending module is used for after being proved to be successful, and sends to described AP the key authentication that carries the second Message Authentication Code and completes message, so that described AP verifies described the second Message Authentication Code.
23. device according to claim 22 is characterized in that, described the first authentication module comprises:
Acquiring unit, be used for described second random number of the pairwise master key PMK that verification process is generated according to described predetermined cipher key derivative algorithm, the generation of described key authentication device and the first random number calculating of described AP generation and obtain pair temporal key PTK, perhaps described PMK sum counter value is calculated and obtained described PTK, and intercept described PTK acquisition key confirmation key K CK;
Authentication unit is used for adopting described KCK that described the first Message Authentication Code is verified.
24. a key authentication device is characterized in that, comprising:
The second sending module is used for sending key authentication message to work station STA, and wherein, described key authentication message carries the first Message Authentication Code;
The second receiver module is used for after described STA is proved to be successful described the first Message Authentication Code, receives the key authentication that comes from described STA and completes message, and wherein, described key authentication is completed message and carried the second Message Authentication Code;
The second authentication module is used for described the second Message Authentication Code is verified.
25. device according to claim 24 is characterized in that, also comprises:
Generation module is used for generating the first random number;
Acquisition module, the first random number that the second random number that pairwise master key PMK, the described STA that is used for according to predetermined cipher key derivative algorithm, verification process being generated generates and described generation module generate is calculated and is obtained pair temporal key PTK, perhaps described PMK sum counter value is calculated and obtained described PTK, and intercept described PTK acquisition key confirmation key K CK;
Computing module is used for calculating according to described KCK and obtains described the first Message Authentication Code;
Described the second sending module is used for calculating according to described KCK and obtains described the first Message Authentication Code, and described the first Message Authentication Code is carried in described key authentication message sends.
26. device according to claim 25 is characterized in that, also comprises:
The 3rd sending module is used for described the first random number is sent to described STA.
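As an added illustration, not code from the patent, the two-message exchange of claims 22 to 26 in Python: the AP derives the PTK, truncates it to the KCK and sends a key authentication message with MIC1; the STA re-derives the KCK, verifies MIC1 and answers with a completion message carrying MIC2, which the AP verifies. HMAC-SHA256 as both the key derivation algorithm and the MAC, a 48-byte PTK split as KCK | KEK | TK, and the message layouts are assumptions, since the claims leave them open.

```python
import hmac
import hashlib
import os


def derive_ptk(pmk, anonce, snonce, length=48):
    """Assumed KDF: HMAC-SHA256 in counter mode over a label and both nonces
    (the patent only says 'predetermined key derivation algorithm')."""
    nonces = min(anonce, snonce) + max(anonce, snonce)  # order-independent
    out, ctr = b"", 0
    while len(out) < length:
        ctr += 1
        out += hmac.new(pmk, b"Pairwise key expansion" + nonces + bytes([ctr]),
                        hashlib.sha256).digest()
    return out[:length]


def split_ptk(ptk):
    """Truncate the PTK into KCK (MIC key), KEK (wrapping key) and TK."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def mic(kck, msg):
    """Message authentication code over a message, keyed with the KCK."""
    return hmac.new(kck, msg, hashlib.sha256).digest()[:16]


def ap_build_key_auth(pmk, anonce, snonce):
    """AP side (claims 24, 25): key authentication message plus MIC1."""
    kck, _, _ = split_ptk(derive_ptk(pmk, anonce, snonce))
    msg1 = b"KEY-AUTH" + anonce
    return msg1, mic(kck, msg1)


def sta_handle_key_auth(pmk, anonce, snonce, msg1, mic1):
    """STA side (claims 22, 23): verify MIC1; on success return the completion
    message with MIC2, otherwise None (the exchange aborts)."""
    kck, _, _ = split_ptk(derive_ptk(pmk, anonce, snonce))
    if not hmac.compare_digest(mic(kck, msg1), mic1):
        return None
    msg2 = b"KEY-AUTH-COMPLETE" + snonce
    return msg2, mic(kck, msg2)


def ap_verify_complete(pmk, anonce, snonce, msg2, mic2):
    """AP side: verify MIC2 on the key authentication complete message."""
    kck, _, _ = split_ptk(derive_ptk(pmk, anonce, snonce))
    return hmac.compare_digest(mic(kck, msg2), mic2)


def run_exchange(ap_pmk, sta_pmk, anonce, snonce):
    """Full exchange; True only if both sides hold the same PMK."""
    msg1, mic1 = ap_build_key_auth(ap_pmk, anonce, snonce)
    reply = sta_handle_key_auth(sta_pmk, anonce, snonce, msg1, mic1)
    return False if reply is None else ap_verify_complete(ap_pmk, anonce, snonce, *reply)
```

A STA holding a different PMK never reaches the completion message, and a forged MIC2 fails at the AP, which is the property the two-message confirmation is meant to give.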
CN2011103319744A 2011-10-27 2011-10-27 Secret key verification method and device Pending CN103096307A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011103319744A CN103096307A (en) 2011-10-27 2011-10-27 Secret key verification method and device

Publications (1)

Publication Number Publication Date
CN103096307A true CN103096307A (en) 2013-05-08

Family

ID=48208327

Country Status (1)

Country Link
CN (1) CN103096307A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103391540A (en) * 2012-05-08 2013-11-13 华为终端有限公司 Method and system for generating secret key information, terminal device and access network device
CN103763697A (en) * 2013-10-29 2014-04-30 上海斐讯数据通信技术有限公司 Wireless access point multi-secret key support system and method
CN104348686A (en) * 2013-08-06 2015-02-11 华为终端有限公司 Method and device for interconnecting terminal equipment and gateway equipment
CN107210915A (en) * 2014-10-09 2017-09-26 凯里赛克公司 Mutual authentication
WO2017219886A1 (en) * 2016-06-23 2017-12-28 中兴通讯股份有限公司 Simple network protocol authentication method and device
WO2022109940A1 (en) * 2020-11-26 2022-06-02 华为技术有限公司 Security authentication method and apparatus applied to wi-fi
WO2023093277A1 (en) * 2021-11-23 2023-06-01 华为技术有限公司 Roaming method and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050032506A1 (en) * 2003-01-10 2005-02-10 Walker Jesse R. Authenticated key exchange based on pairwise master key
CN101114957A (en) * 2006-07-27 2008-01-30 西安电子科技大学 Fast switch method and system in wireless local area network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20130508