CN107690138A - A kind of method for fast roaming, device, system, access point and movement station - Google Patents


Info

Publication number: CN107690138A
Authority: CN (China)
Prior art keywords: sta, characteristic information, ptk, data, key
Legal status: Granted
Application number: CN201610640221.4A
Other languages: Chinese (zh)
Other versions: CN107690138B (en)
Inventor: 陈国海
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; priority to CN201610640221.4A
Publication of CN107690138A; application granted; publication of CN107690138B
Current legal status: Active

Classifications

    • H04W 12/02 — Electricity → Electric communication technique → Wireless communication networks → H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity → Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/04 — Electricity → Electric communication technique → Wireless communication networks → H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity → Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/06 — Electricity → Electric communication technique → Wireless communication networks → H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity → Authentication
    • H04W 36/0077 — Electricity → Electric communication technique → Wireless communication networks → H04W 36/00 Hand-off or reselection arrangements → H04W 36/0005 Control or signalling for completing the hand-off → H04W 36/0055 Transmission or use of information for re-establishing the radio link → Transmission or use of information for re-establishing the radio link of access information of target access point
    • H04W 36/08 — Electricity → Electric communication technique → Wireless communication networks → H04W 36/00 Hand-off or reselection arrangements → Reselecting an access point

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a fast roaming method, apparatus, system, access point and mobile station, belonging to the field of network technology. The method includes: a fast roaming apparatus obtains characteristic information of a first AP; after determining that a STA has accessed a second AP, the fast roaming apparatus sends the characteristic information of the first AP to the STA; the STA generates and sends a random number and generates a PTK; the fast roaming apparatus obtains characteristic information of the STA and sends it to the first AP; the first AP generates the PTK, whereupon link authentication, access authentication and key negotiation are complete; after determining that it has switched to the first AP, the STA sends a data packet encrypted with the PTK to the first AP; the first AP decrypts the encrypted data packet with the PTK and completes the association depending on whether the internal information of the decrypted data packet is consistent. The invention can reduce the roaming handover time to 0.

Description

A kind of method for fast roaming, device, system, access point and movement station
Technical field
The present invention relates to the field of network technology, and in particular to a fast roaming method, apparatus, system, access point and mobile station.
Background technology
Roaming means that a mobile station (Station, STA) switches from one wireless access point (Access Point, AP) of a wireless local area network (Wireless Local Area Network, WLAN) to another AP while the WLAN continues to provide it with service.
At present, an AP switch requires multiple interactions between the STA and the AP to complete four processes: link authentication, association, access authentication and key negotiation. If these four processes are carried out separately, the whole roaming process can take hundreds of milliseconds. In the 802.11r standard formulated by the IEEE (Institute of Electrical and Electronics Engineers) for WLANs, the number of interactions is reduced by carrying additional information in the messages: key negotiation is performed during association and authentication, the time consumed by roaming is reduced to within 100 milliseconds, and fast roaming is achieved.
In the course of making the present invention, the inventor found that the prior art has at least the following problem:
In the standards defined by the International Telecommunication Union (ITU), taking voice over Internet Protocol (VoIP) calls as an example, the one-way delay is required to be less than 200 ms and the jitter less than 40 ms. The time consumed by roaming in 802.11r is typically 50 ms to 80 ms. If, because of bursty traffic, the communication network already has a delay of around 160 ms and jitter of around 30 ms, then during roaming the maximum one-way delay is 160 ms + 80 ms = 240 ms > 200 ms and the jitter is 30 ms + 80 ms = 110 ms > 40 ms, which cannot meet the requirements of services such as VoIP.
The content of the invention
To solve the problem that the prior art cannot meet the requirements of services such as VoIP, embodiments of the invention provide a fast roaming method, apparatus, system, access point and mobile station. The technical solution is as follows:
In a first aspect, an embodiment of the invention provides a fast roaming method, which includes:
a fast roaming apparatus obtains characteristic information of a first access point AP, where the characteristic information of the first AP includes the medium access control (MAC) address of the first AP and a random number generated by the first AP;
after determining that a mobile station STA has accessed a second AP, the fast roaming apparatus sends the characteristic information of the first AP to the STA, the first AP being a neighbour of the second AP;
the STA generates and sends a random number, and generates a pairwise transient key PTK based on the random number generated by the STA, the MAC address of the STA, a pairwise master key PMK and the characteristic information of the first AP;
the fast roaming apparatus obtains characteristic information of the STA, where the characteristic information of the STA includes the MAC address of the STA, the random number generated by the STA and a characteristic value of the PMK;
the fast roaming apparatus sends the characteristic information of the STA to the first AP;
the first AP generates the PTK based on the characteristic information of the STA and the characteristic information of the first AP, whereupon link authentication, access authentication and key negotiation between the STA and the first AP are complete;
after determining that it has switched to the first AP, the STA sends a data packet encrypted with the PTK to the first AP;
the first AP decrypts the encrypted data packet using the PTK;
depending on whether the internal information of the decrypted data packet is consistent, the first AP completes the association between the STA and the first AP.
Once it is determined that the STA has accessed the second AP, consider that the STA can only have accessed the second AP by passing the second AP's link authentication, access authentication and similar processes; it can therefore be determined at this point that the STA has passed authentication and its legitimacy has been preliminarily guaranteed. To avoid the considerable time that multiple message negotiations would take to achieve access authentication, the invention simplifies the process of the STA switching from the second AP to the first AP: before the STA switches to the first AP, the information exchange between the STA and the first AP is carried out, the STA and the first AP obtain each other's MAC address, the PMK is configured and the PTK is generated, so that link authentication, access authentication and key negotiation between the STA and the first AP are completed; after the STA determines to switch to the first AP, the first AP completes the association between the STA and itself depending on whether the internal information of the first data packet sent by the STA to the first AP is consistent.
After the STA has accessed the second AP, the STA and the first AP, a neighbour of the second AP, exchange the information needed to establish a wireless link, such as MAC addresses, the PMK and the PTK, completing in advance the link authentication, access authentication and key negotiation for the STA's access to the first AP, which greatly reduces the time spent exchanging information during the STA's roaming. At the same time, when the STA determines to switch to the first AP, the first AP completes the association between the STA and itself depending on whether the internal information of the first data packet sent by the STA to the first AP is consistent, so that no time is consumed in the STA's roaming process (i.e. the roaming handover time is reduced to 0); the handover is fast, can fully meet the requirements of services such as VoIP, and effectively guarantees the user experience.
In a possible implementation of the first aspect, the data packet includes data and a data digest, and the first AP completing the association between the STA and the first AP depending on whether the internal information of the decrypted data packet is consistent includes:
the first AP computes a digest of the decrypted data using a data digest algorithm, obtaining a computed data digest;
the first AP compares the computed data digest with the decrypted data digest;
when the computed data digest is consistent with the decrypted data digest, the association between the STA and the first AP is complete.
The first AP uses an existing data digest algorithm to check whether the data and the data digest in the data packet are consistent, and applies this to the association process: the association between the STA and the AP is completed by verifying the correctness of the digest in the first data packet, without a separate association message. On the basis of completing link authentication, access authentication and key negotiation in two interactions, the roaming time between the AP and the STA is reduced to 0, guaranteeing the user experience.
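The first-aspect flow above (and the identical third- and fourth-aspect flows below) can be followed end to end in a small model. The following is an added example, not code from the patent or from Huawei: it plays the fast roaming apparatus, the STA and the first AP in one process. The patent names no key derivation function, no digest algorithm and no cipher, so `derive_ptk` (HMAC-SHA256 keyed by the PMK over the four public inputs), `pmk_characteristic` (a keyed hash standing in for the "characteristic value of the PMK", which lets the first AP select the configured PMK without the PMK itself being forwarded), SHA-256 as the digest, and the HMAC-counter stream cipher are all assumptions made here for illustration. The MAC addresses, nonces, PMK and payload are constructed sample values.

```python
"""Model of the pre-switch key setup and the first-packet association check.
Added example; KDF, digest and cipher are stand-ins, not the patent's choices."""
import hashlib
import hmac

DIGEST_LEN = 32  # SHA-256 output length; the patent only says "a data digest algorithm"


def derive_ptk(pmk, sta_mac, ap_mac, sta_nonce, ap_nonce):
    """Assumed KDF: HMAC-SHA256 keyed by the PMK over the STA MAC, AP MAC and both
    random numbers. After the two forwarded messages both sides hold all five
    values, so both compute the same PTK without any direct negotiation."""
    return hmac.new(pmk, b"PTK" + sta_mac + ap_mac + sta_nonce + ap_nonce,
                    hashlib.sha256).digest()


def pmk_characteristic(pmk, sta_mac, ap_mac):
    """Assumed 'characteristic value of the PMK': a keyed hash that identifies the
    PMK to the first AP without revealing it (the PMK is configured, not sent)."""
    return hmac.new(pmk, b"PMKID" + sta_mac + ap_mac, hashlib.sha256).digest()[:16]


def _keystream(ptk, length):
    # Stand-in cipher: HMAC-SHA256 of a counter, keyed by the PTK (illustration only;
    # a deployment would use the cipher suite negotiated for the link).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ptk, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(ptk, plaintext):
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(ptk, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream recovers the plaintext


def build_first_packet(ptk, data):
    """STA side: the first packet after switching is data || digest(data), encrypted."""
    return encrypt(ptk, data + hashlib.sha256(data).digest())


def ap_check_association(ptk, packet):
    """First AP side: decrypt, recompute the digest over the data part and compare it
    with the decrypted digest in constant time. Returns (associated, data)."""
    plain = decrypt(ptk, packet)
    if len(plain) < DIGEST_LEN:
        return False, b""
    data, received = plain[:-DIGEST_LEN], plain[-DIGEST_LEN:]
    ok = hmac.compare_digest(hashlib.sha256(data).digest(), received)
    return ok, (data if ok else b"")


def run_roaming(pmk_table, sta_mac, ap_mac, sta_nonce, ap_nonce, sta_pmk, data):
    """Walk the message flow of the first aspect. pmk_table maps PMK characteristic
    values to PMKs as configured on the first AP. Returns (associated, data)."""
    # Steps 1-2: the fast roaming apparatus obtains the first AP's (MAC, random
    # number) and, once the STA is on the second AP, forwards it to the STA.
    ap_info = (ap_mac, ap_nonce)
    # Step 3: the STA generates its random number and derives the PTK.
    sta_ptk = derive_ptk(sta_pmk, sta_mac, ap_info[0], sta_nonce, ap_info[1])
    sta_info = (sta_mac, sta_nonce, pmk_characteristic(sta_pmk, sta_mac, ap_mac))
    # Steps 4-6: the apparatus forwards the STA's information; the first AP selects
    # the configured PMK by its characteristic value and derives the same PTK.
    ap_pmk = pmk_table.get(sta_info[2])
    if ap_pmk is None:
        return False, b""
    ap_ptk = derive_ptk(ap_pmk, sta_info[0], ap_mac, sta_info[1], ap_nonce)
    # Steps 7-9: the STA's first packet after switching; the first AP decrypts it
    # and completes association only if the digest is consistent.
    return ap_check_association(ap_ptk, build_first_packet(sta_ptk, data))


# Constructed sample values (locally administered MACs, fixed nonces, test PMK)
PMK = bytes(range(32))
STA_MAC = bytes.fromhex("020000000001")
AP_MAC = bytes.fromhex("020000000002")
STA_NONCE = b"s" * 32
AP_NONCE = b"a" * 32
AP_PMK_TABLE = {pmk_characteristic(PMK, STA_MAC, AP_MAC): PMK}

if __name__ == "__main__":
    print(run_roaming(AP_PMK_TABLE, STA_MAC, AP_MAC, STA_NONCE, AP_NONCE, PMK, b"voip frame 1"))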
In another possible implementation of the first aspect, the fast roaming apparatus is arranged on an AP or on an access controller AC, the AC being used to control and manage the AP.
The fast roaming apparatus is realised by improving existing equipment, so the implementation cost is low.
In yet another possible implementation of the first aspect, the characteristic information of the first AP further includes at least one of the encryption mode of the first AP, the frequency of the first AP and the bandwidth of the first AP.
The characteristic information of the first AP can be adapted according to the information needed to access the AP.
In a second aspect, an embodiment of the invention provides a fast roaming method, which includes:
a fast roaming apparatus obtains characteristic information of a first access point AP, where the characteristic information of the first AP includes the medium access control (MAC) address of the first AP and a random number generated by the first AP;
after determining that a mobile station STA has accessed a second AP, the fast roaming apparatus sends the characteristic information of the first AP to the STA, the first AP being a neighbour of the second AP, so that the STA generates and sends a random number and generates a pairwise transient key PTK based on the random number generated by the STA, the MAC address of the STA, a pairwise master key PMK and the characteristic information of the first AP;
the fast roaming apparatus obtains characteristic information of the STA, where the characteristic information of the STA includes the MAC address of the STA, the random number generated by the STA and a characteristic value of the PMK;
the fast roaming apparatus sends the characteristic information of the STA to the first AP, so that the first AP generates the PTK based on the characteristic information of the STA and the characteristic information of the first AP, whereupon link authentication, access authentication and key negotiation between the STA and the first AP are complete.
After the STA has accessed the second AP, the STA and the first AP, a neighbour of the second AP, exchange the information needed to establish a wireless link, such as MAC addresses, the PMK and the PTK, completing in advance the link authentication, access authentication and key negotiation for the STA's access to the first AP, which greatly reduces the time spent exchanging information during the STA's roaming.
In a possible implementation of the second aspect, the fast roaming apparatus is arranged on an AP or on an access controller AC, the AC being used to control and manage the AP.
The fast roaming apparatus is realised by improving existing equipment, so the implementation cost is low.
In a third aspect, an embodiment of the invention provides a fast roaming method, which includes:
a first access point AP completes link authentication, access authentication and key negotiation with a mobile station STA, obtaining the MAC address of the STA, a pairwise master key PMK and a pairwise transient key PTK;
the first AP receives a data packet encrypted with the PTK, sent by the STA after it determines to switch from a second AP to the first AP, the first AP being a neighbour of the second AP;
the first AP decrypts the encrypted data packet using the PTK;
depending on whether the internal information of the decrypted data packet is consistent, the first AP completes the association between the STA and the first AP.
Before the STA determines to switch from the second AP to this AP, link authentication, access authentication and key negotiation with the STA are completed and the STA's MAC address, the PMK and the PTK are obtained; after the STA determines to switch from the second AP to this AP, the data packet the STA sends after PTK encryption is received and decrypted with the PTK, and the association between the STA and the first AP is completed depending on whether the internal information of the decrypted data packet is consistent, so that no time is consumed in the STA's roaming process (i.e. the roaming handover time is reduced to 0); the handover is fast, can fully meet the requirements of services such as VoIP, and effectively guarantees the user experience.
In a possible implementation of the third aspect, the data packet includes data and a data digest, and the first AP completing the association between the STA and the first AP depending on whether the internal information of the decrypted data packet is consistent includes:
the first AP computes a digest of the decrypted data using a data digest algorithm, obtaining a computed data digest;
the first AP compares the computed data digest with the decrypted data digest;
when the computed data digest is consistent with the decrypted data digest, the association between the STA and the first AP is complete.
The first AP completes the association between the STA and the AP by verifying the correctness of the digest in the first data packet, without a separate association message. On the basis of completing link authentication, access authentication and key negotiation in two interactions, the roaming time between the AP and the STA is reduced to 0, guaranteeing the user experience.
In a fourth aspect, an embodiment of the invention provides a fast roaming method, which includes:
after accessing a second access point AP, a mobile station STA completes link authentication, access authentication and key negotiation with a first AP, obtaining the MAC address of the first AP, a pairwise master key PMK and a pairwise transient key PTK, the first AP being a neighbour of the second AP;
after determining to switch to the first AP, the STA sends a data packet encrypted with the PTK to the first AP.
Before the STA determines to switch from the second AP to the first AP, link authentication, access authentication and key negotiation with the first AP are completed and the first AP's MAC address, the PMK and the PTK are obtained; after the STA determines to switch from the second AP to the first AP, the STA sends a data packet encrypted with the PTK, so that the first AP decrypts it with the PTK and completes the association between the STA and the first AP depending on whether the internal information of the decrypted data packet is consistent. No time is therefore consumed in the STA's roaming process (i.e. the roaming handover time is reduced to 0); the handover is fast, can fully meet the requirements of services such as VoIP, and effectively guarantees the user experience.
In a fifth aspect, an embodiment of the invention provides a fast roaming system, which includes the devices for carrying out the method of the first aspect, such as the fast roaming apparatus, the mobile station STA, the second access point AP and the first AP.
In a sixth aspect, an embodiment of the invention provides a fast roaming apparatus, which includes units for carrying out the method of the second aspect, for example an AP information obtaining unit, an AP information sending unit, a STA information obtaining unit and a STA information sending unit.
In a seventh aspect, an embodiment of the invention provides an access point AP, which includes units for carrying out the method of the third aspect, such as an access preparation unit, a packet receiving unit, a decryption unit and a determining unit.
In an eighth aspect, an embodiment of the invention provides a mobile station STA, which includes units for carrying out the method of the fourth aspect, such as an access preparation unit and an access completion unit.
In a ninth aspect, an embodiment of the invention provides a fast roaming apparatus, which includes a memory and a processor connected to the memory; the memory stores software programs and modules, and when the processor runs or executes the software programs and modules stored in the memory it can perform the method of the second aspect.
In a tenth aspect, an embodiment of the invention further provides a computer-readable medium for storing program code to be executed by a terminal, the program code including instructions for performing the method of the second aspect.
In an eleventh aspect, an embodiment of the invention provides an access point AP, which includes a memory and a processor connected to the memory; the memory stores software programs and modules, and when the processor runs or executes the software programs and modules stored in the memory it can perform the method of the third aspect.
In a twelfth aspect, an embodiment of the invention further provides a computer-readable medium for storing program code to be executed by a terminal, the program code including instructions for performing the method of the third aspect.
In a thirteenth aspect, an embodiment of the invention provides a mobile station STA, which includes a memory and a processor connected to the memory; the memory stores software programs and modules, and when the processor runs or executes the software programs and modules stored in the memory it can perform the method of the fourth aspect.
In a fourteenth aspect, an embodiment of the invention further provides a computer-readable medium for storing program code to be executed by a terminal, the program code including instructions for performing the method of the fourth aspect.
The beneficial effects of the technical solution provided in the embodiments of the invention are:
After the STA has accessed the second AP, the STA and the first AP, a neighbour of the second AP, exchange the information needed to establish a wireless link, such as MAC addresses, the PMK and the PTK, completing in advance the link authentication, access authentication and key negotiation for the STA's access to the first AP, which greatly reduces the time spent exchanging information during the STA's roaming. At the same time, when the STA determines to switch to the first AP, the first AP completes the association between the STA and itself depending on whether the internal information of the first data packet sent by the STA to the first AP is consistent, so that no time is consumed in the STA's roaming process (i.e. the roaming handover time is reduced to 0); the handover is fast, can fully meet the requirements of services such as VoIP, and effectively guarantees the user experience.
Brief description of the drawings
To explain the technical solution of the embodiments of the invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a diagram of an application scenario of the fast roaming method provided in an embodiment of the invention;
Fig. 2 is a network architecture diagram for implementing AP switching provided in an embodiment of the invention;
Fig. 3 is a hardware structure diagram of the fast roaming apparatus provided in an embodiment of the invention;
Fig. 4 is a hardware structure diagram of the first AP provided in an embodiment of the invention;
Fig. 5 is a hardware structure diagram of the STA provided in an embodiment of the invention;
Fig. 6 is a flowchart of a fast roaming method provided in an embodiment of the invention;
Fig. 7 is an interaction diagram of the STA accessing the second AP, provided in an embodiment of the invention;
Fig. 8a and Fig. 8b are schematic diagrams of the process by which the STA discovers the second AP, provided in an embodiment of the invention;
Fig. 9a and Fig. 9b are schematic diagrams of link authentication between the STA and the second AP, provided in an embodiment of the invention;
Fig. 10 is a schematic diagram of association between the STA and the second AP, provided in an embodiment of the invention;
Fig. 11a and Fig. 11b are schematic diagrams of access authentication between the STA, the AC and the RADIUS server, provided in an embodiment of the invention;
Fig. 12a and Fig. 12b are schematic diagrams of key negotiation between the STA and the second AP, provided in an embodiment of the invention;
Fig. 13 is a schematic structural diagram of the PTK provided in an embodiment of the invention;
Fig. 14a and Fig. 14b are interaction diagrams of another fast roaming method provided in an embodiment of the invention;
Fig. 15 is a schematic structural diagram of the characteristic information of the AP provided in an embodiment of the invention;
Fig. 16 is a schematic structural diagram of the message carrying the random number generated by the STA, provided in an embodiment of the invention;
Fig. 17 is a schematic structural diagram of the keys in 802.11r provided in an embodiment of the invention;
Fig. 18 is a schematic diagram of the data packet generation process provided in an embodiment of the invention;
Fig. 19 is a schematic structural diagram of a fast roaming apparatus provided in an embodiment of the invention;
Fig. 20 is a schematic structural diagram of an access point provided in an embodiment of the invention;
Fig. 21 is a schematic structural diagram of a mobile station provided in an embodiment of the invention;
Fig. 22a and Fig. 22b are schematic structural diagrams of a fast roaming system provided in an embodiment of the invention.
Embodiment
To make the objectives, technical solutions and advantages of the invention clearer, embodiments of the invention are described in further detail below with reference to the drawings.
Mobile office means that office workers handle anything related to business (Anything) at any time (Anytime) and in any place (Anywhere), which is also called "3A office". This new mode of working frees office staff from the constraints of time and space: they can access the enterprise network from any location and complete their work.
Fig. 1 is a schematic diagram of the fast roaming method provided in an embodiment of the invention applied in a mobile office scenario. Referring to Fig. 1, a first AP 10 and a second AP 20 access the same enterprise network 30, which is essentially a WLAN. The enterprise network 30, the network 41 where the client is located and the data center 42 are each connected to the carrier network 50. The STA 60 is currently located in the coverage of the second AP 20 (in Fig. 1 the coverage of each AP is represented by an ellipse); the STA 60 accesses the second AP 20 (the second AP 20 is called the current AP of the STA 60), and the second AP 20 accesses the enterprise network 30, through which the client's network 41 and the data center 42 can be reached via the carrier network 50. Afterwards the STA 60 moves into the coverage of the first AP 10 (Fig. 1 shows the STA's direction of movement with an arrow), and the STA 60 switches to the first AP 10 (the first AP 10 is called the target AP of the STA 60); the first AP 10 also accesses the enterprise network 30, so the STA 60 can continue to access the client's network 41 and the data center 42, realising mobile office. While the STA 60 switches from the second AP 20 to the first AP 10, fast roaming is achieved with the method provided in an embodiment of the invention.
Fig. 2 is a network architecture diagram for implementing AP switching in the application scenario shown in Fig. 1. As shown in Fig. 2, three first APs 10 and a second AP 20 are arranged at different locations, and the three first APs 10 are neighbours of the second AP 20. APs that are neighbours of each other are controlled by the same access controller (AC) and have the same service set identifier (SSID). A STA can roam between APs that are neighbours of each other, i.e. switch from one AP to another. The number of first APs shown in Fig. 2 is only an example; the embodiments of the invention are not limited to it.
In Fig. 2, the STA 60 currently accesses the second AP 20 and may switch to one of the first APs 10 after moving. The second AP 20 and all first APs 10 are connected (generally by a wired connection) to an access controller (AC) 70, and the AC 70 manages and controls the configuration, radio and user access of each AP. The AC 70 is also connected (generally by a wired connection) to a Remote Authentication Dial-In User Service (RADIUS) server 80, which acts as the authentication, authorization and accounting (AAA) server and performs user access authentication.
The invention adds a fast roaming apparatus 90 to the above network architecture, mainly to carry out the information exchange between the STA 60 and the first AP 10 before the STA 60 switches to the first AP 10. Specifically, the fast roaming apparatus can be arranged on the AC 70, on each AP, or independently of the AC 70 and the APs. Fig. 2 illustrates the fast roaming apparatus 90 arranged independently of the AC and the APs; in practice, the fast roaming apparatus 90 can also be arranged on the AC or on each AP.
In a specific implementation, the STA 60 is generally a client, which may be a computer fitted with a wireless network card, or a smartphone, tablet computer or the like fitted with a wireless fidelity (Wi-Fi) module. The first AP 10, the second AP 20 and the AC 70 are network devices such as routers.
It should be noted that the architectures shown in Fig. 1 and Fig. 2 are merely illustrative and the invention is not limited to them.
With reference to specific hardware configuration to realize fast roaming device provided in an embodiment of the present invention, the first AP and STA is illustrated.
Referring to Fig. 3, the fast roaming device 90 may be a network device such as a router. The fast roaming device 90 may include a processor 91 with one or more processing cores, a memory 92 with one or more computer-readable storage media, a communication interface 93 and other components; the processor 91 may be connected to the memory 92 and the communication interface 93 through a bus 94. Those skilled in the art will understand that the structure shown in Fig. 3 does not limit the device: it may include more or fewer components than illustrated, combine certain components, or arrange the components differently. Specifically:
The processor 91 is the control centre of the fast roaming device 90. It connects the various parts of the whole fast roaming device 90 through various interfaces and lines, and performs the various functions of the fast roaming device 90 and processes its data by running or executing the software programs and/or modules stored in the memory 92 and calling the data stored in the memory 92, thereby monitoring the fast roaming device 90 as a whole. Optionally, the processor 91 may include one or more processing units, each of which may be a central processing unit (CPU), a network processor (NP), or the like.
The memory 92 may be used to store software programs, which can be executed by the processor 91. The memory 92 may mainly include a program storage area and a data storage area. The program storage area may store an operating system, an AP information obtaining module, an AP information sending module, a STA information obtaining module and a STA information sending module; the data storage area may store data created during use of the fast roaming device 90, such as pairwise master keys and pairwise temporal keys. In addition, the memory 92 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other volatile solid-state storage component. Correspondingly, the memory 92 may also include a memory controller to provide the processor 91 with access to the memory 92.
The communication interface 93 may include at least one of a wired network interface (such as an Ethernet interface) and a wireless network interface (such as a WLAN interface). When the fast roaming device 90 is deployed on the AC, or independently of the AC and the APs, the communication interface 93 includes a wired network interface; when the fast roaming device 90 is deployed on an AP, the communication interface includes both a wired network interface and a wireless network interface. The communication interface 93 is controlled by the processor 91.
Optionally, the fast roaming device 90 may also include an output device 95 and an input device 96, both connected to the processor 91. The output device 95 may be a display for showing information, a power amplifier device for playing sound, a printer, or the like; the output device 95 may also include an output controller to provide output to the display screen, power amplifier device or printer. The input device 96 may be a device such as a mouse, keyboard, electronic stylus or touch panel through which a user enters information; the input device 96 may also include an input controller to receive and process input from devices such as the mouse, keyboard, electronic stylus or touch panel.
Referring to Fig. 4, the first AP 10 may be a network device such as a router. The first AP 10 may include a processor 11 with one or more processing cores, a memory 12 with one or more computer-readable storage media, a communication interface 13 and other components; the processor 11 may be connected to the memory 12 and the communication interface 13 through a bus 14. Those skilled in the art will understand that the structure shown in Fig. 4 does not limit the device: it may include more or fewer components than illustrated, combine certain components, or arrange the components differently. Specifically:
The processor 11 is the control centre of the first AP 10. It connects the various parts of the whole first AP 10 through various interfaces and lines, and performs the various functions of the first AP 10 and processes its data by running or executing the software programs and/or modules stored in the memory 12 and calling the data stored in the memory 12, thereby monitoring the first AP 10 as a whole. Optionally, the processor 11 may include one or more processing units, each of which may be a central processing unit (CPU), a network processor (NP), or the like.
The memory 12 may be used to store software programs, which can be executed by the processor 11. The memory 12 may mainly include a program storage area and a data storage area. The program storage area may store an operating system, an access preparation module, a message receiving module, a decryption module and a determining module; the data storage area may store data created during use of the first AP 10, such as pairwise master keys and pairwise temporal keys. In addition, the memory 12 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other volatile solid-state storage component. Correspondingly, the memory 12 may also include a memory controller to provide the processor 11 with access to the memory 12.
The communication interface 13 may include a wired network interface (such as an Ethernet interface) and a wireless network interface (such as a WLAN interface). The communication interface 13 is controlled by the processor 11.
Optionally, the first AP 10 may also include an output device 15 and an input device 16, both connected to the processor 11. The output device 15 may be a display for showing information, a power amplifier device for playing sound, a printer, or the like; the output device 15 may also include an output controller to provide output to the display screen, power amplifier device or printer. The input device 16 may be a device such as a mouse, keyboard, electronic stylus or touch panel through which a user enters information; the input device 16 may also include an input controller to receive and process input from devices such as the mouse, keyboard, electronic stylus or touch panel.
Fig. 5 shows a hardware structure for implementing the STA provided in an embodiment of the present invention. The STA 60 may be a smartphone, tablet computer, notebook computer, or the like. Taking a smartphone as an example, the STA 60 may include a radio frequency (RF) circuit 61, a memory 62 including one or more computer-readable storage media, an input unit 63, a display unit 64, a sensor 65, an audio circuit 66, a Wireless Fidelity (WiFi) module 67, a processor 68 including one or more processing cores, a power supply 69 and other components. Those skilled in the art will understand that the hardware structure shown in Fig. 5 does not limit the STA: it may include more or fewer components than illustrated, combine certain components, or arrange the components differently. Specifically:
The processor 68 is the control centre of the STA 60. It connects the various parts of the whole STA 60 through various interfaces and lines, and performs the various functions of the STA 60 and processes its data by running or executing the software programs and/or modules stored in the memory 62 and calling the data stored in the memory 62, thereby monitoring the STA 60 as a whole. Optionally, the processor 68 may include one or more processing cores; preferably, the processor 68 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and application programs, and the modem processor mainly handles wireless communication. It will be understood that the modem processor may also be left out of the processor 68.
The memory 62 may be used to store various data, such as configuration parameters, software programs and modules; the processor 68 runs the software programs and modules stored in the memory 62 to perform various function applications and data processing. The memory 62 may mainly include a program storage area and a data storage area: the program storage area may store an operating system, an access preparation module and an access completion module; the data storage area may store data created during use of the STA 60, such as pairwise master keys and pairwise temporal keys. In addition, the memory 62 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other volatile solid-state storage component. Correspondingly, the memory 62 may also include a memory controller to provide the processor 68 and the input unit 63 with access to the memory 62.
The RF circuit 61 may be used to receive and send signals while sending or receiving information or during a call; in particular, after receiving downlink information from a base station, it hands that information to one or more processors 68 for processing. Generally, the RF circuit 61 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a subscriber identity module (SIM) card, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, and so on. In addition, the RF circuit 61 may communicate with networks and other devices through wireless communication, which may use any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), and so on.
Referring to Fig. 6, which shows a fast roaming method provided in an embodiment of the present invention: the method realizes fast roaming in the application scenario shown in Fig. 1, using the network architecture shown in Fig. 2. As shown in Fig. 6, the method includes:
Step S301: the STA accesses the second AP.
In the present embodiment, referring to Fig. 7, step S301 may include:
Step S301a: the STA discovers the second AP;
Step S301b: the STA and the second AP perform link authentication;
Step S301c: after link authentication passes, the STA and the second AP associate;
Step S301d: the AC performs access authentication of the STA using a RADIUS server;
Step S301e: after access authentication passes, the STA and the second AP perform key negotiation.
Here, the AC is used to manage and control the APs.
Link authentication is the AP permitting the STA to use the wireless link between the two.
Association negotiates the configuration parameters of the wireless link and establishes a wireless link that meets the data transmission requirements.
Access authentication verifies the identity of the STA and obtains a pairwise master key (PMK) that the STA and the AP hold jointly; the PMK is the source of all keys used in communication between the STA and the AP. For example, the key with which STA1 and AP1 communicate is generated from PMK1, the key with which STA1 and AP2 communicate is generated from PMK2, the key with which STA2 and AP1 communicate is generated from PMK3, and the key with which STA2 and AP2 communicate is generated from PMK4.
Key negotiation derives a pairwise temporal key (PTK) from the PMK and the information exchanged between the STA and the AP; the PTK is used to encrypt the data transmitted between the STA and the AP.
In one implementation of the present embodiment, referring to Fig. 8a, step S301a may include:
1. The STA sends a probe request (Probe Request) on each supported channel in turn;
2. The second AP receives the probe request and sends a probe response (Probe Response) to the STA.
In this implementation the STA actively scans the surrounding accessible APs to determine which APs around it are accessible, so AP discovery is fast.
Further, the probe request may include the service set identifier (SSID) of an AP. Each AP that receives the probe request compares the SSID in the request with its own SSID and sends a probe response to the STA only if the two SSIDs are identical. Thus only an AP whose SSID matches the SSID in the probe request responds to the STA, which makes it easy for the STA to discover the AP it needs.
In another implementation of the present embodiment, referring to Fig. 8b, step S301a may include:
1. The second AP sends a beacon (Beacon) frame at every set period;
2. The STA receives the beacon frame sent by the second AP.
In this implementation the STA passively waits for the beacon frames sent by surrounding accessible APs to determine which APs around it are accessible. Compared with actively sending probe requests, passively receiving beacon frames greatly reduces the power the STA consumes, so this implementation is also widely used for its power-saving property.
In a specific implementation, the set period may be 100 ms, and the beacon frame may include the AP's SSID, supported rates, and so on.
In one implementation of the present embodiment, referring to Fig. 9a, step S301b may include:
1. The STA sends a link authentication request to the second AP;
2. The second AP sends a link authentication response to the STA.
This implementation is called open system authentication (Open System Authentication): as long as the STA sends an authentication request, the AP lets its authentication succeed. It is widely used at present.
In another implementation of the present embodiment, referring to Fig. 9b, step S301b may include:
1. The STA sends a link authentication request to the second AP;
2. The second AP generates a challenge phrase and sends it to the STA;
3. The STA encrypts the challenge phrase with the pre-configured key and sends the encrypted challenge phrase to the second AP;
4. The second AP encrypts the challenge phrase it sent to the STA with the pre-configured key and compares the encrypted challenge phrase it obtains with the encrypted challenge phrase it received;
5. When the two challenge phrases are identical, the second AP sends a link authentication response to the STA.
In practice, when the pre-configured key is a symmetric key (the sender and receiver of the data use the same key to encrypt and decrypt the plaintext), the second AP may instead, in step 4, decrypt the received encrypted challenge phrase with the pre-configured key and compare the decrypted challenge phrase with the challenge phrase it sent to the STA; this also achieves link authentication.
This implementation is called shared-key authentication (Shared-key Authentication): link authentication passes only if the keys pre-configured on the STA and on the second AP are identical, so its security is higher.
Optionally, referring to Fig. 10, step S301c may include:
1. The STA sends an association request to the second AP;
2. The second AP receives the association request and sends an association response to the STA.
The association request includes the STA's supported rates, channel, quality of service (QoS), access authentication mode, encryption algorithm, and so on. Usually, if the AP can meet the requirements the STA states in the association request, it sends an association response to the STA and transmits data according to those requirements, so that data can be transmitted accurately and securely. It will be understood that after association the wireless link between the STA and the AP is established.
In one implementation of the present embodiment, referring to Fig. 11a, step S301d may include:
1. The STA sends an access authentication request to the AC;
2. The AC receives the authentication request and sends an identity request to the STA;
3. The STA receives the identity request and sends the STA's identity information, which includes a user identifier, to the AC;
4. The AC forwards the STA's identity information to the RADIUS server;
5. The RADIUS server receives the identity information and sends the server's certificate, which includes the public key, to the AC;
6. The AC forwards the server's certificate including the public key to the STA;
7. The STA receives the server's certificate including the public key and verifies the server's certificate; after successful verification it generates a random secret string (also called the pre-master secret), encrypts the random secret string with the public key, and generates the PMK from the random secret string;
8. The STA sends the STA's certificate and the encrypted random secret string to the AC;
9. The AC forwards the STA's certificate and the encrypted random secret string to the RADIUS server;
10. The RADIUS server verifies the STA's certificate; after successful verification it decrypts the encrypted random secret string with the private key and generates the PMK from the random secret string;
11. The RADIUS server sends an access authentication response and the PMK to the AC, and the AC obtains the PMK;
12. The AC forwards the access authentication response to the STA.
In another implementation of the present embodiment, referring to Fig. 11b, step S301d may include:
1. The STA sends an access authentication request to the AC;
2. The AC receives the authentication request and sends an identity request to the STA;
3. The STA receives the identity request and sends the STA's identity information, which includes a user identifier, to the AC;
4. The AC forwards the STA's identity information to the RADIUS server;
5. The RADIUS server receives the identity information and sends an authentication start message to the AC;
6. The AC forwards the authentication start message to the STA;
7. The STA receives the authentication start message and sends an authentication message to the AC; the authentication message includes the list of encryption algorithms, the Transport Layer Security (TLS) protocol version, the session identifier, and so on;
8. The AC forwards the authentication message to the RADIUS server;
9. The RADIUS server receives the authentication message and sends the server's certificate, which includes the public key, to the AC;
10. The AC forwards the server's certificate including the public key to the STA;
11. The STA receives the server's certificate including the public key and verifies the server's certificate; after successful verification it generates a random secret string, encrypts the random secret string with the public key, and generates the PMK from the random secret string;
12. The STA sends the STA's certificate and the encrypted random secret string to the AC;
13. The AC forwards the STA's certificate and the encrypted random secret string to the RADIUS server;
14. The RADIUS server verifies the STA's certificate; after successful verification it decrypts the encrypted random secret string with the private key and generates the PMK from the random secret string;
15. The RADIUS server sends an access authentication response and the PMK to the AC, and the AC obtains the PMK;
16. The AC forwards the access authentication response to the STA.
It should be noted that once the AC has obtained the PMK it can inform the corresponding AP of the PMK, so that in the end the PMK is set on both the AP and the STA.
Further, taking verification of the authentication server's certificate as an example, certificate verification may be realized as follows:
The RADIUS server encrypts descriptive information with its private key to produce a signature; the descriptive information includes the issuing organization, expiry time, and so on;
The RADIUS server sends to the STA a digital certificate composed of the descriptive information, the public key matching the private key, and the signature;
The STA receives the digital certificate, decrypts the signature in the digital certificate with the public key in the digital certificate, and compares the decryption result with the descriptive information in the digital certificate;
When the decryption result is consistent with the descriptive information in the digital certificate, verification succeeds;
When the decryption result differs from the descriptive information in the digital certificate, verification fails.
It will be understood that verification of the STA's certificate can follow a similar process and is not described in detail here.
Optionally, referring to Fig. 12a, step S301e may include:
1. The STA and the second AP each generate a random number;
2. The second AP sends the random number it generated to the STA;
3. Based on the second AP's random number, the second AP's Media Access Control (MAC) address, the STA's random number, the STA's MAC address and the PMK, the STA generates the PTK using a hash (Hash) algorithm;
4. The STA sends the random number it generated to the second AP;
5. Based on the STA's random number, the STA's MAC address, the random number generated by the second AP, the second AP's MAC address and the PMK, the second AP generates the PTK using the hash algorithm;
6. The second AP sends a PTK installation notification to the STA;
7. The STA receives the PTK installation notification, installs the PTK and sends a PTK installation notification to the second AP;
8. The second AP receives the PTK installation notification and installs the PTK.
Fig. 13 is a schematic diagram of the structure of the PTK. As shown in Fig. 13, when the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is used, bits 0 to 127 of the PTK are the key confirmation key (KCK), bits 128 to 255 are the key encryption key (KEK) and bits 256 to 383 are the temporal encryption key (TEK); when the Temporal Key Integrity Protocol (TKIP) is used, bits 0 to 127 of the PTK are the KCK, bits 128 to 255 are the KEK, bits 256 to 383 are the TEK, and bits 384 to 511 are the temporal message integrity check key (TMK).
Preferably, referring to Fig. 12b, step S301e may further include:
1. The second AP generates a group master key (GMK), computes a group transient key (GTK) from the GMK, and encrypts the GTK with the PTK;
2. The second AP sends the encrypted GTK to the STA;
3. The STA decrypts the encrypted GTK with the PTK, obtains the GTK and installs it;
4. The STA sends a notification indicating that the GTK is installed to the second AP;
5. The second AP receives the notification indicating that the GTK is installed and installs the GTK.
Here, the GMK is a set of random numbers used to generate the GTK; the GTK is used to encrypt multicast and broadcast packets; the PTK is used to encrypt unicast packets.
It should be noted that, on the STA and the AP, installing a key such as the PTK or GTK means storing the key in the device so that it can be used at any time.
Because accessing the second AP requires the STA to go through the five complete processes of service discovery, link authentication, association, access authentication and key negotiation, the second AP is usually the first AP that the STA accesses in the WLAN.
After step S301 the STA has accessed one AP in the WLAN (the second AP in the present embodiment), which shows that the STA has passed the WLAN's access authentication and that its legitimacy has been preliminarily established. To avoid the substantial time that the multiple message exchanges of access authentication take, when the STA switches to another AP in the WLAN because of movement, the access process can be simplified; what mainly remains is to establish, between the STA and the AP it switches to, a wireless link that transmits data securely and accurately. Specifically, in the present embodiment the fast roaming device carries out the information exchange between the STA and the AP during roaming before the STA switches to that AP, so that the STA and the AP obtain each other's MAC address, configure the PMK and generate the PTK, completing link authentication, access authentication and key negotiation between the STA and the AP; furthermore, after the STA decides to switch to the AP, the AP completes association with the STA according to whether the internal information of the first data packet the STA sends to the AP is consistent. Details follow:
Step S302: the first AP sends the first AP's characteristic information to the fast roaming device. Step S302 and step S301 are executed in no particular order.
In the present embodiment the first AP is a neighbour of the second AP. The first AP's characteristic information includes the first AP's MAC address and a random number (Nonce) generated by the first AP; the random number is generated by the first AP for the STA that will access it next.
Optionally, the first AP's characteristic information may also include the encryption algorithm, bandwidth and frequency used by the first AP; specifically, it can be set according to the information that must be exchanged when a STA accesses the AP.
In a specific implementation, step S302 may include:
The fast roaming device determines that the STA has accessed the second AP;
The fast roaming device determines all first APs according to the position of each AP and sends a characteristic information obtaining request to every first AP;
Each first AP receives the characteristic information obtaining request and sends its own characteristic information to the fast roaming device.
Specifically, when the fast roaming device is deployed on the AC: the AC is wired to the second AP and controls and manages it, so the AC can determine that the STA has accessed the second AP either by actively querying the second AP or by receiving information reported by the second AP.
Also, because the AC controls and manages the APs, it knows the position of each AP; it can therefore determine all first APs that are neighbours of the second AP, send a characteristic information obtaining request to each first AP, and receive the characteristic information that each first AP replies with after receiving the request.
When the fast roaming device is deployed on the APs, the fast roaming device deployed on the second AP can of course determine that the STA has accessed the second AP.
Also, because the second AP is wired to the AC, and the AC controls and manages every AP and knows the position of all APs, the second AP can obtain all first APs that are its neighbours by sending a request to the AC; and because the APs are wired to one another, it can then send a characteristic information obtaining request to each first AP and receive the characteristic information that each first AP replies with after receiving the request.
When the fast roaming device is deployed independently of the AC and the APs, it can be wired to the AC and to each AP. It can determine that the STA has accessed the second AP and obtain all first APs neighbouring the second AP by sending a request to the AC, or by sending requests to each AP; it then sends a characteristic information obtaining request to each first AP and receives the characteristic information that each first AP replies with after receiving the request.
Fig. 6 is a schematic diagram of the process by which the STA roams quickly from the second AP to a first AP when the fast roaming device is independent of the AC and the APs; when the fast roaming device is deployed on the AC, the fast roaming process may refer to Fig. 14a; when the fast roaming device is deployed on each AP, the fast roaming process may refer to Fig. 14b.
Step S303: the fast roaming device forwards the first AP's characteristic information to the STA. Step S303 is executed after step S301.
Specifically, when the fast roaming device is deployed on the AC or independently of the AC and the APs, the AC sends the first AP's characteristic information to the second AP, which sends it to the STA; when the fast roaming device is deployed on the APs, the fast roaming device on the second AP sends the first AP's characteristic information directly to the STA.
In a specific implementation, the characteristic information of a first AP sent by the fast roaming device may include an AP identifier, a physical feature, a security feature, a radio frequency feature and a random number. For example, referring to Fig. 15, the characteristic information of one first AP sent by the fast roaming device is AP ID1 (AP identifier), MAC1 (physical feature), Advanced Encryption Standard (AES) encryption (security feature), frequency 2.418G (radio frequency feature), Nounce1 (random number); the characteristic information of another first AP sent by the fast roaming device includes AP ID2 (AP identifier), MAC2 (physical feature), AES encryption (security feature), frequency 2.438G (radio frequency feature), Nounce2 (random number).
Step S304: the STA generates a random number and sends it to the fast roaming device.
Specifically, when the fast roaming device is deployed on the AC or independently of the AC and the APs, the STA sends the random number it generated to the second AP, and the second AP forwards it to the AC; when the fast roaming device is deployed on the APs, the STA sends the random number it generated directly to the fast roaming device on the second AP.
It should be noted that there may be several first APs that are neighbours of the second AP; in that case the STA can generate a random number for each first AP and send it to the corresponding first AP. The random numbers corresponding to the first APs may be identical or different. In implementation, since the MAC address of the first AP can be carried when the random number generated by the STA is sent to that first AP, the fast roaming device can tell which first AP each random number corresponds to by the carried first-AP MAC address.
In a specific implementation, the message sent for each first AP may include the AP identifier and the random number. For example, referring to Fig. 16, the message sent for one first AP is AP ID1 (AP identifier), Nounce1 (random number); the message sent for another first AP is AP ID2 (AP identifier), Nounce2 (random number).
Step S305: the STA determines the PMK of each first AP and computes a PTK from the PMK of each first AP.
As stated above, a PMK corresponds jointly to a STA and an AP; since only one STA is involved in the present embodiment, the PMKs are distinguished directly by AP.
Optionally, the STA determining the first AP's PMK may include:
The STA determines, according to the first AP's MAC address, whether a PMK security association (PMKSA) of the first AP is cached;
When the STA has the first AP's PMKSA cached, it obtains the cached PMKID of the first AP;
When the STA does not have the first AP's PMKSA cached, it determines the first AP's PMK through the 802.1X negotiation steps.
In practice, obtaining a PMK through the 802.1X negotiation steps involves multiple frame exchanges and takes a long time, so the STA can cache the PMK it obtained to avoid performing the 802.1X negotiation again; what the STA caches is precisely the PMKSA. The PMKSA includes the AP's MAC address, the PMK's lifetime and the PMK identifier (PMKID); the PMKID is obtained by a hash computation over the PMK, the AP's MAC address, the STA's MAC address and other information.
In the 802.11r standard, referring to Fig. 17, the keys are divided into three layers: PMK_R0, PMK_R1 and PTK. PMK_R0 is the first-layer key and is identical for every AP; PMK_R1 is the second-layer key, computed from PMK_R0 and information whose value differs for each AP (such as the AP identifier), so each AP's PMK_R1 is different; PTK is the third-layer key, computed from PMK_R1. Thus, on the one hand, what is transmitted when the STA roams is PMK_R1, and since each AP's PMK_R1 is different, even if a PMK_R1 is cracked only one AP is affected, so security is higher; on the other hand, once PMK_R0 is known, the PMK_R1 of another AP can be obtained from PMK_R0 and that AP's information, and the PTK is then negotiated from that PMK_R1, which avoids another time-consuming 802.1X authentication and shortens the handoff time.
In the above scenario, the STA determining the first AP's PMK may include:
The STA computes the first AP's PMK_R1 from PMK_R0 and the first AP's identifier.
For example, the key derivation function (KDF) defined in 802.11r may be used to compute PMK_R0 from the length of the service set identifier (SSID) of the network being accessed, the SSID, the message digest algorithm identifier (MDID), the length of the PMK_R0 holder identifier, the PMK_R0 holder identifier and other information; then the KDF defined in 802.11r is used to compute PMK_R1 from PMK_R0, the identifier of the holder that carries PMK_R1, and other information.
Specifically, the PMK based on each first AP calculates PTK, can include:
MAC Address of the STA based on the first AP, the random number of the first AP generations, STA MAC Address, STA generate random The PMK of number and the first AP, PTK is calculated using hash algorithm.
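The three-layer derivation just described (PMK_R0 shared across APs, a per-AP PMK_R1, and a PTK from PMK_R1 plus both MAC addresses and both random numbers), as an added example that is not code from the patent. It follows the shape of the 802.11r derivations but uses a simplified HMAC-SHA256 counter KDF rather than the standard's exact KDF encoding; the MSK, SSID, MDID, holder identifiers, MAC addresses and nonces are constructed for the example, and the PTK is split into the TEK and TMK the text names.

```python
import hashlib
import hmac

# Added example (not code from the patent): 802.11r-style key hierarchy
# PMK_R0 -> PMK_R1 (per AP) -> PTK, with a simplified KDF.


def kdf(key: bytes, label: bytes, context: bytes, length: int = 32) -> bytes:
    """Counter-mode KDF on HMAC-SHA256 (shape of 802.11r's KDF-Hash-Length;
    a simplified stand-in, not the standard's exact byte layout)."""
    out = b""
    counter = 1
    while len(out) < length:
        msg = counter.to_bytes(2, "little") + label + context + (length * 8).to_bytes(2, "little")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_pmk_r0(msk: bytes, ssid: bytes, mdid: bytes, r0kh_id: bytes, sta_mac: bytes) -> bytes:
    """Top layer: one PMK_R0 per STA for the whole mobility domain
    (SSID length, SSID, MDID, R0 holder id length, R0 holder id, STA MAC)."""
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + sta_mac
    return kdf(msk, b"FT-R0", ctx)


def derive_pmk_r1(pmk_r0: bytes, r1kh_id: bytes, sta_mac: bytes) -> bytes:
    """Middle layer: PMK_R1 bound to one AP through its R1 holder identifier (here its MAC)."""
    return kdf(pmk_r0, b"FT-R1", r1kh_id + sta_mac)


def derive_ptk(pmk_r1: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Bottom layer: PTK from PMK_R1, both MACs and both random numbers.
    MACs and nonces are ordered min/max so STA and AP build the same context."""
    ctx = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = kdf(pmk_r1, b"Pairwise key expansion", ctx, 32)
    return {"tek": ptk[:16], "tmk": ptk[16:32]}   # encryption key and digest key


def demo() -> dict:
    """One STA, two neighbouring APs: same PMK_R0, different PMK_R1, and a PTK
    that the STA and AP compute identically from the same inputs."""
    msk = hashlib.sha256(b"constructed-msk-from-8021x").digest()   # constructed
    ssid, mdid, r0kh_id = b"corp-wifi", b"\x01\x02", b"r0kh.example"
    sta_mac = bytes.fromhex("020000000001")
    ap1 = bytes.fromhex("020000000a01")
    ap2 = bytes.fromhex("020000000a02")

    pmk_r0 = derive_pmk_r0(msk, ssid, mdid, r0kh_id, sta_mac)
    r1_ap1 = derive_pmk_r1(pmk_r0, ap1, sta_mac)
    r1_ap2 = derive_pmk_r1(pmk_r0, ap2, sta_mac)

    snonce = hashlib.sha256(b"constructed-snonce").digest()
    anonce1 = hashlib.sha256(b"constructed-anonce-ap1").digest()
    ptk_sta = derive_ptk(r1_ap1, ap1, sta_mac, anonce1, snonce)   # STA side (S305)
    ptk_ap = derive_ptk(r1_ap1, ap1, sta_mac, anonce1, snonce)    # AP side (S308)
    ptk_other_nonce = derive_ptk(r1_ap1, ap1, sta_mac, snonce, anonce1)

    return {
        "r1_differs_per_ap": r1_ap1 != r1_ap2,
        "ptk_matches": ptk_sta == ptk_ap,
        "ptk_order_independent": ptk_sta == ptk_other_nonce,
        "ptk_ap2_differs": derive_ptk(r1_ap2, ap2, sta_mac, anonce1, snonce) != ptk_sta,
        "tek_len": len(ptk_sta["tek"]),
    }


if __name__ == "__main__":
    print(demo())
```

The per-AP binding in `derive_pmk_r1` is what limits the blast radius the text describes: a holder of one AP's PMK_R1 cannot reach another AP's PMK_R1 without PMK_R0, which is why the roaming path transmits PMK_R1 rather than PMK_R0.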
As noted earlier, when switching from the accessed AP to another AP, the procedure can be simplified: only a few parameters need to be obtained to establish a radio link that transmits data securely and accurately. In practical applications, the parameters needed to establish the radio link can be recorded in a cache list in the STA, as shown in Table one below:
Table one
The table shows, for each first AP, the MAC address of the first AP, the random number generated by the STA, the random number generated by the first AP, the PMKID, PMK_R1, the encryption key, the digest key and the validity time. The encryption key is the TEK in the PTK and the digest key is the TMK in the PTK. It should be noted that items in the table may be deleted according to the parameters actually required to access the AP.
Step S306: the fast roaming device obtains the characteristic information of the STA.
In the present embodiment, the characteristic information of the STA includes the MAC address of the STA, the random number generated by the STA and the characteristic value of the PMK generated by the STA for the first AP.
In a specific implementation, the STA sends the random number it generated to the fast roaming device, and the message carrying that random number can also carry the MAC address of the STA, so the fast roaming device can obtain the MAC address of the STA from the message. Alternatively, the fast roaming device may determine the MAC address of the STA through the second AP. The characteristic value of the PMK generated by the STA for the first AP is usually the PMKID of the first AP or the PMK_R1 of the first AP; the RADIUS server can determine the characteristic value of the PMK generated by the STA for the first AP in the same way that the STA determines the PMK of the first AP in step S305, and then send the characteristic value of the PMK to the AC. If the fast roaming device is arranged on the AC, it can obtain the characteristic value of the PMK generated by the STA for the first AP directly; if the fast roaming device is arranged on an AP or is set independently of the AC and the AP, it can obtain the characteristic value of the PMK generated by the STA for the first AP by interacting with the AC.
Step S307: the fast roaming device sends the characteristic information of the STA to the first AP.
Specifically, the APs are wired to each other and each AP is wired to the AC; when the fast roaming device is arranged on the AC or on an AP, the characteristic information of the STA can be sent to the AP directly. When the fast roaming device is set independently of the AC and the AP, the fast roaming device is wired to the AC and to each AP, and the characteristic information of the STA can likewise be sent to the AP directly.
Step S308: the first AP receives the characteristic information of the STA and calculates the PTK based on the characteristic information of the STA.
Specifically, step S308 may include:
the first AP calculates the PTK using a hash algorithm, based on the MAC address of the first AP, the random number generated by the first AP, the MAC address of the STA, the random number generated by the STA and the PMK shared by the STA and the first AP.
In practical applications, the AP also keeps a cache list, as shown in Table two below:
Table two
The table shows the MAC address of the STA, the random number generated by the STA, the random number generated by the first AP, the PMKID, PMK_R1, the encryption key, the digest key and the validity time. The encryption key is the TEK in the PTK and the digest key is the TMK in the PTK. It should be noted that items in the table may be deleted according to the parameters actually required to access the AP.
In practical applications, if every item of an entry in the cache list has a recorded value, this indicates that link authentication, access authentication and key agreement between the STA and the AP are complete. The fast roaming device may also notify the STA and the AP that link authentication, access authentication and key agreement are complete.
As noted earlier, the present embodiment simplifies the access procedure during roaming: the fast roaming device carries the information exchange between the STA and the AP, so that each side obtains the other's MAC address, configures the PMK and generates the PTK. It is readily apparent that, through the information exchange between the fast roaming device and the STA and each AP in steps S302 to S308, link authentication, access authentication and key agreement are completed.
Step S309: after the STA determines to switch from the second AP to the first AP, the STA encrypts a data message using the PTK and sends the encrypted data message to the first AP.
In the present embodiment, the data message includes data and a data digest. The data digest is fingerprint information extracted from the whole of the data, used to realize functions such as data signing and data integrity verification. The data digest algorithm is also called a hash algorithm; common algorithms include the cyclic redundancy check (English: Cyclic Redundancy Check, abbreviated CRC), Message-Digest Algorithm 5 (English: Message-Digest Algorithm 5, abbreviated MD5) and the secure hash algorithm (English: Secure Hash Algorithm, abbreviated SHA).
Specifically, with the Advanced Encryption Standard (English: Advanced Encryption Standard, abbreviated AES), the cipher block chaining message authentication code (English: Cipher Block Chaining Message Authentication Code, abbreviated CBC-MAC) can be used as the digest.
Further, referring to Figure 18, the data message is generated as follows:
the data is processed with the data digest algorithm to obtain the data digest, which is appended after the data;
an 802.11 header is added before the data;
a frame check sequence (English: Frame Check Sequence, abbreviated FCS) is added after the data digest.
In practical applications, the STA can determine, based on signal strength or on how busy the channel is, whether to switch AP and which AP to switch to.
Specifically, the STA encrypting the data message using the PTK may include:
encrypting the data message using the PTK of the first AP that the STA has determined to switch to.
Step S310: the first AP receives the encrypted data message, decrypts it using the PTK and obtains the decrypted data and data digest.
Specifically, step S310 may include:
selecting the PTK according to the MAC address of the STA, decrypting the encrypted data message with that PTK, and obtaining the decrypted data digest and data.
Step S311: the first AP processes the decrypted data with the data digest algorithm and compares the calculated data digest with the decrypted data digest.
As noted earlier, in the present embodiment association during roaming is reduced to checking that the data transmitted between the STA and the AP is accurate. When the calculated data digest matches the decrypted data digest, this shows that the radio link between the STA and the first AP can transmit data securely and accurately, so association between the STA and the first AP is complete and the STA has accessed the first AP.
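Steps S309 to S311 end to end, as an added example that is not code from the patent: the STA builds the frame in the Figure 18 order (802.11 header, data, data digest, FCS) with the data and digest encrypted under the PTK's TEK, and the AP checks the FCS, selects the PTK by the STA's MAC address, decrypts, recomputes the digest under the TMK and compares it in constant time; only a match completes association. The digest is an HMAC-SHA256 truncated to 8 bytes and the cipher is an HMAC-based counter keystream, both constructed stand-ins for the CBC-MAC and AES the text names; the 24-byte header layout, MAC addresses, keys and payload are also constructed for the example.

```python
import hashlib
import hmac
import struct
import zlib

# Added example (not code from the patent): STA-side frame construction and
# AP-side decrypt-and-verify for the first data message after the switch.

DIGEST_LEN = 8           # truncated MIC length used by this example
HEADER_LEN = 24          # simplified 802.11 data header used by this example


def data_digest(tmk: bytes, data: bytes) -> bytes:
    """Keyed digest over the data under the TMK (stand-in for the CBC-MAC the text names)."""
    return hmac.new(tmk, data, hashlib.sha256).digest()[:DIGEST_LEN]


def keystream(tek: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 counter keystream under the TEK (stand-in for AES-CTR/CCMP)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(tek, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_frame(ptk: dict, sta_mac: bytes, ap_mac: bytes, seq: int, data: bytes) -> bytes:
    """STA side (S309): header | data | digest | FCS, with data+digest encrypted."""
    # Simplified header: frame control (data frame, ToDS, Protected), duration,
    # addr1 = AP, addr2 = STA, addr3 = AP, sequence control.
    header = (b"\x08\x41" + b"\x00\x00" + ap_mac + sta_mac + ap_mac
              + struct.pack("<H", (seq & 0x0FFF) << 4))
    body = data + data_digest(ptk["tmk"], data)
    nonce = sta_mac + struct.pack(">I", seq)     # per-frame nonce: never reuse under one TEK
    frame = header + xor_bytes(body, keystream(ptk["tek"], nonce, len(body)))
    return frame + struct.pack("<I", zlib.crc32(frame))


def verify_frame(ptk_by_sta: dict, frame: bytes):
    """AP side (S310/S311): FCS check, PTK selection by STA MAC, decrypt, digest compare.
    Returns (data, status); association completes only on status "associated"."""
    if len(frame) < HEADER_LEN + DIGEST_LEN + 4:
        return None, "too short"
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        return None, "fcs mismatch"
    header, enc = body[:HEADER_LEN], body[HEADER_LEN:]
    sta_mac = header[10:16]                      # addr2
    seq = struct.unpack("<H", header[22:24])[0] >> 4
    ptk = ptk_by_sta.get(sta_mac)
    if ptk is None:
        return None, "unknown sta"               # no key agreement via the fast roaming device
    plain = xor_bytes(enc, keystream(ptk["tek"], sta_mac + struct.pack(">I", seq), len(enc)))
    data, mic = plain[:-DIGEST_LEN], plain[-DIGEST_LEN:]
    if not hmac.compare_digest(data_digest(ptk["tmk"], data), mic):
        return None, "digest mismatch"
    return data, "associated"


def tamper(frame: bytes, index: int) -> bytes:
    """Flip one bit in the encrypted body and refresh the FCS, so only the digest catches it."""
    body = bytearray(frame[:-4])
    body[index] ^= 0x01
    body = bytes(body)
    return body + struct.pack("<I", zlib.crc32(body))


def demo():
    """Returns (good result, wrong-PTK status, unknown-STA status, tampered status)."""
    sta_mac = bytes.fromhex("020000000001")
    ap_mac = bytes.fromhex("020000000a01")
    ptk = {"tek": hashlib.sha256(b"constructed-tek").digest()[:16],
           "tmk": hashlib.sha256(b"constructed-tmk").digest()[:16]}
    wrong_ptk = {"tek": b"\x01" * 16, "tmk": b"\x02" * 16}
    frame = build_frame(ptk, sta_mac, ap_mac, 7, b"first data message after switch")
    good = verify_frame({sta_mac: ptk}, frame)
    return (good,
            verify_frame({sta_mac: wrong_ptk}, frame)[1],
            verify_frame({}, frame)[1],
            verify_frame({sta_mac: ptk}, tamper(frame, HEADER_LEN + 6))[1])


if __name__ == "__main__":
    print(demo())
```

Two points follow from the check order: the FCS only detects transmission errors, so a frame that passes it can still fail the keyed digest, and the digest comparison is what actually ties the association to possession of the PTK; a STA whose MAC has no entry in the AP's cache list is rejected before any decryption is attempted.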
In the embodiment of the present invention, after the STA accesses the second AP, the STA and the first AP (a neighbour of the second AP) exchange, through the fast roaming device, the information needed to establish a wireless link, such as MAC addresses, the PMK and the PTK, completing the link authentication, access authentication and key agreement of the process by which the STA accesses the first AP; this greatly reduces the time spent exchanging information while the STA roams. Further, when the STA determines to switch to the first AP, the first AP completes association with the STA according to whether the internal information of the first data message sent by the STA is consistent, so that the roaming process of the STA consumes no time (that is, the roaming handover time is reduced to 0); the handover is fast, business demands such as VoIP can be fully met and user experience is effectively guaranteed.
The above steps can be performed by a base station according to the aforementioned software program. For example, step S302 is performed by the AP information obtaining module of the fast roaming device in Fig. 3, step S303 by the AP information sending module of the fast roaming device in Fig. 3, steps S304 and S305 by the access preparation module of the STA in Fig. 6, step S306 by the STA information obtaining module of the fast roaming device in Fig. 3, step S307 by the STA information sending module of the fast roaming device in Fig. 3, step S308 by the access preparation module of the first AP in Fig. 4, step S309 by the access completion module of the STA in Fig. 5, step S310 by the message receiving module and the decryption module of the first AP in Fig. 4, and step S311 by the determining module of the first AP in Fig. 4.
Referring to Figure 19, an embodiment of the invention provides a fast roaming device, which may be implemented in software, hardware or a combination of both as all or part of a base station. The device includes an AP information obtaining unit 601, an AP information sending unit 602, a STA information obtaining unit 603 and a STA information sending unit 604.
The AP information obtaining unit 601 is configured to obtain the characteristic information of the first AP, which includes the MAC address of the first AP and the random number generated by the first AP. The AP information sending unit 602 is configured to send the characteristic information of the first AP to the STA after it is determined that the STA has accessed the second AP, the first AP being a neighbour of the second AP, so that the STA generates and sends a random number and generates the PTK based on the random number generated by the STA, the MAC address of the STA, the PMK and the characteristic information of the first AP. The STA information obtaining unit 603 is configured to obtain the characteristic information of the STA, which includes the MAC address of the STA, the random number generated by the STA and the characteristic value of the PMK. The STA information sending unit 604 is configured to send the characteristic information of the STA to the first AP, so that the first AP generates the PTK based on the characteristic information of the STA and the characteristic information of the first AP, and link authentication, access authentication and key agreement between the STA and the first AP are completed.
Optionally, the device may be arranged on an AP or on an access controller (AC), the AC being used to control and manage the APs.
In the embodiment of the present invention, after the STA accesses the second AP, the STA and the first AP (a neighbour of the second AP) exchange, through the fast roaming device, the information needed to establish a wireless link, such as MAC addresses, the PMK and the PTK, completing the link authentication, access authentication and key agreement of the process by which the STA accesses the first AP; this greatly reduces the time spent exchanging information while the STA roams.
Referring to Figure 20, an embodiment of the invention provides an AP, which may be implemented in software, hardware or a combination of both as all or part of a base station. The AP includes an access preparation unit 701, a message receiving unit 702, a decryption unit 703 and a determining unit 704.
The access preparation unit 701 is configured to complete link authentication, access authentication and key agreement with the STA and to obtain the MAC address of the STA, the PMK and the PTK. The message receiving unit 702 is configured to receive the data message, encrypted using the PTK, that the STA sends after determining to switch from the second AP to this AP, this AP being a neighbour of the second AP. The decryption unit 703 is configured to decrypt the encrypted data message using the PTK. The determining unit 704 is configured to complete association between the STA and this AP according to whether the internal information of the decrypted data message is consistent.
Optionally, the determining unit 704 may be configured to process the decrypted data with the data digest algorithm to obtain a calculated data digest; to compare the calculated data digest with the decrypted data digest; and, when the calculated data digest matches the decrypted data digest, to complete association between the STA and the first AP.
In the embodiment of the present invention, before the STA determines to switch from the second AP to this AP, link authentication, access authentication and key agreement with the STA are completed and the MAC address of the STA, the PMK and the PTK are obtained; after the STA determines to switch from the second AP to this AP, the data message sent by the STA and encrypted using the PTK is received and decrypted using the PTK, and association between the STA and the first AP is completed according to whether the internal information of the decrypted data message is consistent, so that the roaming process of the STA consumes no time (that is, the roaming handover time is reduced to 0); the handover is fast, business demands such as VoIP can be fully met and user experience is effectively guaranteed.
Referring to Figure 21, an embodiment of the invention provides a STA, which may be implemented in software, hardware or a combination of both as all or part of a base station. The STA includes an access preparation unit 801 and an access completion unit 802.
The access preparation unit 801 is configured, after the STA accesses the second AP, to complete link authentication, access authentication and key agreement with the first AP and to obtain the MAC address of the first AP, the PMK and the PTK, the first AP being a neighbour of the second AP. The access completion unit 802 is configured, after the STA determines to switch to the first AP, to send to the first AP a data message encrypted using the PTK.
In the embodiment of the present invention, before the STA determines to switch from the second AP to the first AP, link authentication, access authentication and key agreement with the first AP are completed and the MAC address of the first AP, the PMK and the PTK are obtained; after the STA determines to switch from the second AP to the first AP, the STA sends a data message encrypted using the PTK, so that the first AP decrypts the encrypted data message using the PTK and completes association between the STA and the first AP according to whether the internal information of the decrypted data message is consistent. As a result the roaming process of the STA consumes no time (that is, the roaming handover time is reduced to 0); the handover is fast, business demands such as VoIP can be fully met and user experience is effectively guaranteed.
Referring to Figure 22a and Figure 22b, which illustrate a fast roaming system provided by an embodiment of the present invention, the system includes a fast roaming device 901, a STA 902, at least one first AP 903 and a second AP 904, the first AP 903 being a neighbour of the second AP 904.
Specifically, the fast roaming device 901 may be the same as the fast roaming device provided by the embodiment shown in Fig. 19, the STA 902 may be the same as the STA provided by the embodiment shown in Fig. 21, and the first AP 903 may be the same as the AP provided by the embodiment shown in Fig. 20; these are not described again here.
Optionally, when the fast roaming device 901 is arranged on the AC or independently of the AC and the APs, the fast roaming device 901 is wired to the first AP 903 and the second AP 904, the first AP 903 is wired to the second AP 904, and the STA 902 is wirelessly connected to the first AP 903; when the fast roaming device 901 is arranged on an AP, the first AP 903 is wired to the second AP 904 and the STA 902 is wirelessly connected to the first AP 903.
In the embodiment of the present invention, after the STA accesses the second AP, the STA and the first AP (a neighbour of the second AP) exchange, through the fast roaming device, the information needed to establish a wireless link, such as MAC addresses, the PMK and the PTK, completing the link authentication, access authentication and key agreement of the process by which the STA accesses the first AP; this greatly reduces the time spent exchanging information while the STA roams. Further, when the STA determines to switch to the first AP, the first AP completes association with the STA according to whether the internal information of the first data message sent by the STA is consistent, so that the roaming process of the STA consumes no time (that is, the roaming handover time is reduced to 0); the handover is fast, business demands such as VoIP can be fully met and user experience is effectively guaranteed.
It should be noted that the fast roaming device and fast roaming system provided by the above embodiments are described, for the purpose of fast roaming, only in terms of the division into the functional modules above; in practical applications the above functions may be allocated to different functional modules as required, that is, the internal structure of the device and the system may be divided into different functional modules to complete all or part of the functions described above. In addition, the fast roaming device and fast roaming system provided by the above embodiments belong to the same concept as the fast roaming method embodiment; for their specific implementation refer to the method embodiment, which is not repeated here.
The serial numbers of the embodiments of the present invention are for description only and do not represent the merits of the embodiments.
A person of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing is only preferred embodiments of the present invention and is not intended to limit the invention; any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Claims (17)

1. A fast roaming method, characterized in that the method includes:
a fast roaming device obtains characteristic information of a first access point (AP), the characteristic information of the first AP including a medium access control (MAC) address of the first AP and a random number generated by the first AP;
after it is determined that a mobile station (STA) has accessed a second AP, the fast roaming device sends the characteristic information of the first AP to the STA, the first AP being a neighbour of the second AP;
the STA generates and sends a random number, and generates a pairwise transient key (PTK) based on the random number generated by the STA, the MAC address of the STA, a pairwise master key (PMK) and the characteristic information of the first AP;
the fast roaming device obtains characteristic information of the STA, the characteristic information of the STA including the MAC address of the STA, the random number generated by the STA and a characteristic value of the PMK;
the fast roaming device sends the characteristic information of the STA to the first AP;
the first AP generates the PTK based on the characteristic information of the STA and the characteristic information of the first AP, whereby link authentication, access authentication and key agreement between the STA and the first AP are completed;
after determining to switch to the first AP, the STA sends to the first AP a data message encrypted using the PTK;
the first AP decrypts the encrypted data message using the PTK;
the first AP completes association between the STA and the first AP according to whether internal information of the decrypted data message is consistent.
2. The method according to claim 1, characterized in that the data message includes data and a data digest, and the first AP completing association between the STA and the first AP according to whether internal information of the decrypted data message is consistent includes:
the first AP processes the decrypted data with a data digest algorithm to obtain a calculated data digest;
the first AP compares the calculated data digest with the decrypted data digest;
when the calculated data digest matches the decrypted data digest, association between the STA and the first AP is complete.
3. The method according to claim 1 or 2, characterized in that the characteristic information of the first AP further includes at least one of an encryption mode of the first AP, a frequency of the first AP and a bandwidth of the first AP.
4. A fast roaming method, characterized in that the method includes:
a fast roaming device obtains characteristic information of a first access point (AP), the characteristic information of the first AP including a medium access control (MAC) address of the first AP and a random number generated by the first AP;
after it is determined that a mobile station (STA) has accessed a second AP, the fast roaming device sends the characteristic information of the first AP to the STA, the first AP being a neighbour of the second AP, so that the STA generates and sends a random number and generates a pairwise transient key (PTK) based on the random number generated by the STA, the MAC address of the STA, a pairwise master key (PMK) and the characteristic information of the first AP;
the fast roaming device obtains characteristic information of the STA, the characteristic information of the STA including the MAC address of the STA, the random number generated by the STA and a characteristic value of the PMK;
the fast roaming device sends the characteristic information of the STA to the first AP, so that the first AP generates the PTK based on the characteristic information of the STA and the characteristic information of the first AP and link authentication, access authentication and key agreement between the STA and the first AP are completed.
5. A fast roaming method, characterized in that the method includes:
a first access point (AP) completes link authentication, access authentication and key agreement with a mobile station (STA) and obtains the MAC address of the STA, a pairwise master key (PMK) and a pairwise transient key (PTK);
the first AP receives a data message, encrypted using the PTK, that the STA sends after determining to switch from a second AP to the first AP, the first AP being a neighbour of the second AP;
the first AP decrypts the encrypted data message using the PTK;
the first AP completes association between the STA and the first AP according to whether internal information of the decrypted data message is consistent.
6. The method according to claim 5, characterized in that the data message includes data and a data digest, and the first AP completing association between the STA and the first AP according to whether internal information of the decrypted data message is consistent includes:
the first AP processes the decrypted data with a data digest algorithm to obtain a calculated data digest;
the first AP compares the calculated data digest with the decrypted data digest;
when the calculated data digest matches the decrypted data digest, association between the STA and the first AP is complete.
7. A fast roaming method, characterized in that the method includes:
after accessing a second access point (AP), a mobile station (STA) completes link authentication, access authentication and key agreement with a first AP and obtains the MAC address of the first AP, a pairwise master key (PMK) and a pairwise transient key (PTK), the first AP being a neighbour of the second AP;
after determining to switch to the first AP, the STA sends to the first AP a data message encrypted using the PTK.
8. A fast roaming system, characterized in that the system includes a fast roaming device, a mobile station (STA), a first access point (AP) and a second AP, the first AP being a neighbour of the second AP;
the fast roaming device is configured to obtain characteristic information of the first AP and to send it to the STA after it is determined that the STA has accessed the second AP, the characteristic information of the first AP including a medium access control (MAC) address of the first AP and a random number generated by the first AP;
the STA is configured to generate and send a random number, and to generate a pairwise transient key (PTK) based on the random number generated by the STA, the MAC address of the STA, a pairwise master key (PMK) and the characteristic information of the first AP;
the fast roaming device is further configured to obtain characteristic information of the STA and to send it to the first AP, the characteristic information of the STA including the MAC address of the STA, the random number generated by the STA and a characteristic value of the PMK;
the first AP is configured to generate the PTK based on the characteristic information of the STA and the characteristic information of the first AP, whereby link authentication, access authentication and key agreement between the STA and the first AP are completed;
the STA is further configured, after determining to switch to the first AP, to send to the first AP a data message encrypted using the PTK;
the first AP is further configured to decrypt the encrypted data message using the PTK and to complete association between the STA and the first AP according to whether internal information of the decrypted data message is consistent.
9. The system according to claim 8, characterized in that the first AP is configured to:
process the decrypted data with a data digest algorithm to obtain a calculated data digest;
compare the calculated data digest with the decrypted data digest;
when the calculated data digest matches the decrypted data digest, complete association between the STA and the first AP.
10. The system according to claim 8 or 9, characterized in that the characteristic information of the first AP further includes at least one of an encryption mode of the first AP, a frequency of the first AP and a bandwidth of the first AP.
11. A fast roaming device, characterized in that the device includes:
an AP information obtaining unit, configured to obtain characteristic information of a first access point (AP), the characteristic information of the first AP including a medium access control (MAC) address of the first AP and a random number generated by the first AP;
an AP information sending unit, configured to send the characteristic information of the first AP to a mobile station (STA) after it is determined that the STA has accessed a second AP, the first AP being a neighbour of the second AP, so that the STA generates and sends a random number and generates a pairwise transient key (PTK) based on the random number generated by the STA, the MAC address of the STA, a pairwise master key (PMK) and the characteristic information of the first AP;
a STA information obtaining unit, configured to obtain characteristic information of the STA, the characteristic information of the STA including the MAC address of the STA, the random number generated by the STA and a characteristic value of the PMK;
a STA information sending unit, configured to send the characteristic information of the STA to the first AP, so that the first AP generates the PTK based on the characteristic information of the STA and the characteristic information of the first AP and link authentication, access authentication and key agreement between the STA and the first AP are completed.
12. An access point (AP), characterized in that the AP includes:
an access preparation unit, configured to complete link authentication, access authentication and key agreement with a mobile station (STA) and to obtain a medium access control (MAC) address of the STA, a pairwise master key (PMK) and a pairwise transient key (PTK);
a message receiving unit, configured to receive a data message, encrypted using the PTK, that the STA sends after determining to switch from a second AP to the AP, the AP being a neighbour of the second AP;
a decryption unit, configured to decrypt the encrypted data message using the PTK;
a determining unit, configured to complete association between the STA and the AP according to whether internal information of the decrypted data message is consistent.
13. The access point according to claim 12, characterized in that the determining unit is configured to:
process the decrypted data with a data digest algorithm to obtain a calculated data digest;
compare the calculated data digest with the decrypted data digest;
when the calculated data digest matches the decrypted data digest, complete association between the STA and the first AP.
14. A mobile station (STA), characterized in that the STA includes:
an access preparation unit, configured, after the STA accesses a second access point (AP), to complete link authentication, access authentication and key agreement with a first AP and to obtain a medium access control (MAC) address of the first AP, a pairwise master key (PMK) and a pairwise transient key (PTK), the first AP being a neighbour of the second AP;
an access completion unit, configured, after the STA determines to switch to the first AP, to send to the first AP a data message encrypted using the PTK.
15. A fast roaming device, characterized in that the device includes a processor, a memory and a communication interface; the memory is configured to store software programs and modules, and the processor, by running or executing the software programs and/or modules stored in the memory, implements the following:
obtaining characteristic information of a first access point (AP), the characteristic information of the first AP including a medium access control (MAC) address of the first AP and a random number generated by the first AP;
after it is determined that a mobile station (STA) has accessed a second AP, sending the characteristic information of the first AP to the STA, the first AP being a neighbour of the second AP, so that the STA generates and sends a random number and generates a pairwise transient key (PTK) based on the random number generated by the STA, the MAC address of the STA, a pairwise master key (PMK) and the characteristic information of the first AP;
obtaining characteristic information of the STA, the characteristic information of the STA including the MAC address of the STA, the random number generated by the STA and a characteristic value of the PMK;
sending the characteristic information of the STA to the first AP, so that the first AP generates the PTK based on the characteristic information of the STA and the characteristic information of the first AP and link authentication, access authentication and key agreement between the STA and the first AP are completed.
16. An access point AP, characterised in that the AP comprises a processor, a memory and a communication interface; the memory is configured to store software programs and modules, and the processor, by running or executing the software programs and/or modules stored in the memory, implements:
completing link authentication, access authentication and key agreement with a mobile station STA, and obtaining the MAC address, pairwise master key PMK and pairwise transient key PTK of the STA;
receiving a data message encrypted with the PTK, sent by the STA after it determines to switch from a second AP to the AP, the first AP being a neighbour of the second AP;
decrypting the encrypted data message using the PTK;
completing association between the STA and the AP according to whether the internal information of the decrypted data message is consistent.
17. A mobile station STA, characterised in that the STA comprises a processor, a memory and a communication interface; the memory is configured to store software programs and modules, and the processor, by running or executing the software programs and/or modules stored in the memory, implements:
after accessing a second access point AP, completing link authentication, access authentication and key agreement with a first AP, and obtaining the MAC address, pairwise master key PMK and pairwise transient key PTK of the first AP, the first AP being a neighbour of the second AP;
after determining to switch to the first AP, sending to the first AP a data message encrypted with the PTK.
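The claims above describe the mechanism in the abstract: the current AP relays the neighbour AP's MAC address and nonce to the STA, the STA answers with its own nonce and a characteristic value of the PMK, both sides derive the same PTK, and the first data frame sent after the switch carries an encrypted digest that the neighbour AP checks before completing association. The following Python model is an added example written for this page; it is not code from the patent or from Huawei. Everything it assumes is labelled: the PTK derivation is an HMAC-SHA256 counter-mode PRF over the PMK, both MAC addresses and both nonces (the same inputs the claims name, with a constructed label); the PMK characteristic value is modelled as a truncated HMAC over the PMK and both MAC addresses so the PMK itself never crosses the air; and the frame encryption is an HMAC-SHA256 keystream standing in for the real link cipher, since the point being shown is the key binding and the digest check, not the cipher. The MAC addresses and PMK are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample identities and PMK (not values from the patent).
STA_MAC = bytes.fromhex("02aabbccdd01")
AP1_MAC = bytes.fromhex("02aabbccdd02")          # the "first AP" (roam target)
PMK = hashlib.sha256(b"constructed-pmk-seed").digest()
DIGEST_LEN = 32                                    # SHA-256 digest appended to payload


def pmk_characteristic(pmk, ap_mac, sta_mac):
    """Characteristic value of the PMK sent in the STA's characteristic information.
    Assumed construction: truncated HMAC over the PMK and both MACs, so the PMK
    itself is never transmitted and the target AP can check it holds the same PMK."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha256).digest()[:16]


def derive_ptk(pmk, ap_mac, sta_mac, ap_nonce, sta_nonce, length=48):
    """PTK from PMK, both MAC addresses and both random numbers.
    Assumed PRF: HMAC-SHA256 in counter mode. Inputs are ordered min/max so the
    STA and the AP compute identical bytes regardless of which side calls it."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(ap_nonce, sta_nonce) + max(ap_nonce, sta_nonce))
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion" + data + bytes([ctr]),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _keystream(key, nonce, n):
    """Toy stream cipher (HMAC-SHA256 counter keystream) standing in for the
    real link-layer cipher; only the key binding and digest check matter here."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_message(ptk, payload):
    """STA side: append the SHA-256 digest of the payload, then encrypt
    payload||digest under the PTK. Returns nonce||ciphertext."""
    nonce = secrets.token_bytes(12)
    plaintext = payload + hashlib.sha256(payload).digest()
    ks = _keystream(ptk[:16], nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def verify_message(ptk, message):
    """AP side: decrypt with the PTK, recompute the digest over the recovered
    payload and compare it with the decrypted digest. Returns (ok, payload)."""
    nonce, body = message[:12], message[12:]
    if len(body) < DIGEST_LEN:
        return False, None                          # too short to carry a digest
    ks = _keystream(ptk[:16], nonce, len(body))
    plaintext = bytes(a ^ b for a, b in zip(body, ks))
    payload, digest = plaintext[:-DIGEST_LEN], plaintext[-DIGEST_LEN:]
    ok = hmac.compare_digest(hashlib.sha256(payload).digest(), digest)
    return (True, payload) if ok else (False, None)


def simulate_roam(sta_pmk=PMK, ap_pmk=PMK, payload=b"first frame after switch",
                  ap_nonce=None, sta_nonce=None):
    """Runs the exchange end to end. The second AP only relays characteristic
    information; it never sees the PMK or the PTK."""
    ap_nonce = ap_nonce or secrets.token_bytes(32)
    sta_nonce = sta_nonce or secrets.token_bytes(32)
    # First AP -> second AP -> STA: first AP's characteristic information.
    ap_info = {"mac": AP1_MAC, "nonce": ap_nonce}
    # STA derives the PTK and prepares its own characteristic information.
    sta_ptk = derive_ptk(sta_pmk, ap_info["mac"], STA_MAC, ap_info["nonce"], sta_nonce)
    sta_info = {"mac": STA_MAC, "nonce": sta_nonce,
                "pmk_id": pmk_characteristic(sta_pmk, AP1_MAC, STA_MAC)}
    # STA -> second AP -> first AP: first AP checks the PMK characteristic value
    # before deriving, so a STA holding a different PMK is rejected early.
    if not hmac.compare_digest(pmk_characteristic(ap_pmk, AP1_MAC, sta_info["mac"]),
                               sta_info["pmk_id"]):
        return False, None
    ap_ptk = derive_ptk(ap_pmk, AP1_MAC, sta_info["mac"], ap_nonce, sta_info["nonce"])
    # After the switch the STA sends an encrypted frame; the first AP verifies it.
    return verify_message(ap_ptk, encrypt_message(sta_ptk, payload))


if __name__ == "__main__":
    print(simulate_roam())
    print(simulate_roam(sta_pmk=hashlib.sha256(b"other-pmk").digest()))
```

The negative path is the one a defender cares about: a station that does not hold the PMK the first AP expects fails the characteristic-value check and never reaches the PTK step, and a station that somehow got past it but used a different key produces a frame whose decrypted digest does not match, so association is refused. In a deployment the second AP's relay channel is the part to protect, since it carries the nonces and the PMK characteristic value; the design keeps the PMK and PTK off that channel entirely.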
CN201610640221.4A 2016-08-05 2016-08-05 Fast roaming method, device, system, access point and mobile station Active CN107690138B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610640221.4A CN107690138B (en) 2016-08-05 2016-08-05 Fast roaming method, device, system, access point and mobile station

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610640221.4A CN107690138B (en) 2016-08-05 2016-08-05 Fast roaming method, device, system, access point and mobile station

Publications (2)

Publication Number Publication Date
CN107690138A true CN107690138A (en) 2018-02-13
CN107690138B CN107690138B (en) 2020-08-14

Family

ID=61152050

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610640221.4A Active CN107690138B (en) 2016-08-05 2016-08-05 Fast roaming method, device, system, access point and mobile station

Country Status (1)

Country Link
CN (1) CN107690138B (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109462875A (en) * 2019-01-16 2019-03-12 展讯通信(上海)有限公司 Wireless roaming method, access point apparatus and mobile station
CN109890029A (en) * 2019-01-29 2019-06-14 珠海迈科智能科技股份有限公司 A kind of intelligent wireless device matches network method automatically
CN110891272A (en) * 2018-09-10 2020-03-17 奇点新源国际技术开发(北京)有限公司 Wireless network access authentication method and device
CN111328066A (en) * 2018-12-14 2020-06-23 中国电信股份有限公司 Method and system for fast roaming of heterogeneous wireless network, master and slave access point equipment
CN111479248A (en) * 2020-03-19 2020-07-31 烽火通信科技股份有限公司 Fast roaming automatic configuration method and system
CN113316141A (en) * 2021-05-21 2021-08-27 中国联合网络通信集团有限公司 Wireless network access method, sharing server and wireless access point
CN113545130A (en) * 2019-03-04 2021-10-22 思科技术公司 Fast roaming and unifying policy for wireless clients using distributed hashing
CN114173334A (en) * 2021-10-26 2022-03-11 新华三大数据技术有限公司 Method for accessing AP, AP and storage medium
WO2022116110A1 (en) * 2020-12-03 2022-06-09 Oppo广东移动通信有限公司 Access authentication method and apparatus, device, and storage medium
CN114745718A (en) * 2021-01-07 2022-07-12 华为技术有限公司 Roaming control method in local area network and related device thereof
CN114786177A (en) * 2022-04-07 2022-07-22 武汉联影医疗科技有限公司 Edge node access processing method, mobile terminal and edge node
WO2023093277A1 (en) * 2021-11-23 2023-06-01 华为技术有限公司 Roaming method and system
WO2023160481A1 (en) * 2022-02-24 2023-08-31 华为技术有限公司 Wlan system, and wireless communication method and apparatus
US11902775B2 (en) 2021-05-28 2024-02-13 Cisco Technology, Inc. Encrypted nonces as rotated device addresses

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1564626A (en) * 2004-03-22 2005-01-12 西安电子科技大学 Radio LAN security access method based on roaming key exchange authentication protocal
US7480939B1 (en) * 2000-04-28 2009-01-20 3Com Corporation Enhancement to authentication protocol that uses a key lease
CN101111056B (en) * 2006-07-17 2010-05-12 西安电子科技大学 Fast switching method for wireless local area network
CN1836404B (en) * 2003-05-27 2010-05-26 思科技术公司 Method and system for reducing cross switch wait time
CN103888941A (en) * 2012-12-20 2014-06-25 杭州华三通信技术有限公司 Method and device for key negotiation of wireless network

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110891272A (en) * 2018-09-10 2020-03-17 奇点新源国际技术开发(北京)有限公司 Wireless network access authentication method and device
CN110891272B (en) * 2018-09-10 2022-12-09 奇点新源国际技术开发(北京)有限公司 Wireless network access authentication method and device
CN111328066A (en) * 2018-12-14 2020-06-23 中国电信股份有限公司 Method and system for fast roaming of heterogeneous wireless network, master and slave access point equipment
CN111328066B (en) * 2018-12-14 2023-09-01 中国电信股份有限公司 Heterogeneous wireless network fast roaming method and system, master and slave access point devices
US11452008B2 (en) 2019-01-16 2022-09-20 Spreadtrum Communications (Shanghai) Co., Ltd. Wireless roaming method, access point device, and mobile station
CN109462875A (en) * 2019-01-16 2019-03-12 展讯通信(上海)有限公司 Wireless roaming method, access point apparatus and mobile station
CN109890029A (en) * 2019-01-29 2019-06-14 珠海迈科智能科技股份有限公司 A kind of intelligent wireless device matches network method automatically
CN113545130A (en) * 2019-03-04 2021-10-22 思科技术公司 Fast roaming and unifying policy for wireless clients using distributed hashing
CN111479248A (en) * 2020-03-19 2020-07-31 烽火通信科技股份有限公司 Fast roaming automatic configuration method and system
WO2022116110A1 (en) * 2020-12-03 2022-06-09 Oppo广东移动通信有限公司 Access authentication method and apparatus, device, and storage medium
CN114745718A (en) * 2021-01-07 2022-07-12 华为技术有限公司 Roaming control method in local area network and related device thereof
WO2022148094A1 (en) * 2021-01-07 2022-07-14 华为技术有限公司 Method for controlling roaming in local area network, and related apparatus therefor
CN113316141A (en) * 2021-05-21 2021-08-27 中国联合网络通信集团有限公司 Wireless network access method, sharing server and wireless access point
US11902775B2 (en) 2021-05-28 2024-02-13 Cisco Technology, Inc. Encrypted nonces as rotated device addresses
CN114173334A (en) * 2021-10-26 2022-03-11 新华三大数据技术有限公司 Method for accessing AP, AP and storage medium
WO2023093277A1 (en) * 2021-11-23 2023-06-01 华为技术有限公司 Roaming method and system
WO2023160481A1 (en) * 2022-02-24 2023-08-31 华为技术有限公司 Wlan system, and wireless communication method and apparatus
CN114786177A (en) * 2022-04-07 2022-07-22 武汉联影医疗科技有限公司 Edge node access processing method, mobile terminal and edge node
CN114786177B (en) * 2022-04-07 2023-05-30 武汉联影医疗科技有限公司 Edge node access processing method, mobile terminal and edge node

Also Published As

Publication number Publication date
CN107690138B (en) 2020-08-14

Similar Documents

Publication Publication Date Title
CN107690138A (en) A kind of method for fast roaming, device, system, access point and movement station
CA2520772C (en) Facilitating 802.11 roaming by pre-establishing session keys
EP3410758B1 (en) Wireless network connecting method and apparatus, and storage medium
JP5597676B2 (en) Key material exchange
CN103581901B (en) A kind of Wi Fi wireless networks access the processing method of configuration information and equipment
US20040236939A1 (en) Wireless network handoff key
CN107852600A (en) The network architecture and safety with simplified mobile process
CN102333309B (en) Method, equipment system for key transmission in wireless local area network
CN104683343B (en) A kind of method of terminal quick registration Wi-Fi hotspot
Fu et al. Fast and secure handover authentication scheme based on ticket for WiMAX and WiFi heterogeneous networks
KR20050109685A (en) Method and system for user authentication based on extensible authentication protocol coexisting with device authentication in portable internet system
WO2022237561A1 (en) Communication method and apparatus
WO2021109770A1 (en) Wireless network switching method and device
Zhu et al. Research on authentication mechanism of cognitive radio networks based on certification authority
Liu et al. The untrusted handover security of the S-PMIPv6 on LTE-A
Zhu et al. A Research on the Authentication Scheme For 5G Network Based on Double Ratchet Algorithm
KR102144023B1 (en) Authentication method using ft protocol and device for performing the method
El-Nagar et al. A novel EAP-moderate weight Extensible Authentication Protocol
JP2006191429A (en) Authentication method and system in assembly type customer station network
CN109451493A (en) Cipher key configuration method and device based on WPA

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant