CN100527668C - Method for implementing compatibility between WAPI protocol and 802.1X protocol - Google Patents


Info

Publication number: CN100527668C
Authority: CN (China)
Prior art keywords: sta, wapi, eap, message, agreement
Legal status: Expired - Fee Related
Application number: CNB2004100349042A
Other languages: Chinese (zh)
Other versions: CN1691582A (en)
Inventors: 陈殿福, 姚忠辉
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Priority date: 2004-04-24
Filing date: 2004-04-24
Application filed by Huawei Technologies Co Ltd
Priority to CNB2004100349042A
Publication of CN1691582A: 2005-11-02
Application granted
Publication of CN100527668C: 2009-08-12
Current legal status: Expired - Fee Related

Landscapes

  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method for implementing compatibility between the WAPI protocol and the 802.1X protocol, so that stations (STAs) that do not support WAPI can access a wireless local area network that supports WAPI. The method comprises: a wireless access point (AP) that supports both the WAPI protocol and the 802.1X protocol sends an authentication activation message to the STA; the AP determines whether the STA supports the WAPI protocol; if so, the AP and the STA authenticate according to the procedure specified by WAPI; otherwise the WAPI authentication attempt between the AP and the STA is terminated, and the AP and the STA authenticate according to the procedure specified by 802.1X.

Description

Method for implementing compatibility between the WAPI protocol and the 802.1X protocol
Technical field
The present invention relates to wireless local area network technology, and in particular to a method for implementing compatibility between the WAPI protocol and the 802.1X protocol.
Background technology
A wireless local area network (WLAN) is used mainly to carry Internet Protocol (IP) packet data: an access point (AP) provides wireless access for user terminals, and the IP packets are then forwarded through a network controller and connecting equipment.
WLAN comprises several different technologies. The most widely used standard at present is IEEE 802.11b, which operates in the 2.4 GHz band with a maximum data rate of 11 Mbps. IEEE 802.11g and Bluetooth also use this band; 802.11g reaches a maximum data rate of 54 Mbps. Newer technologies such as IEEE 802.11a and ETSI BRAN HiperLAN2 use the 5 GHz band and likewise reach a maximum rate of 54 Mbps.
With the rise and development of WLAN technology, interworking between WLAN and the various wireless mobile communication networks, such as GSM, Code Division Multiple Access (CDMA), Wideband CDMA (WCDMA), Time Division-Synchronous CDMA (TD-SCDMA) and CDMA2000 systems, has become a focus of current research. The Third Generation Partnership Project (3GPP) and 3GPP2 standards bodies are working on WLAN user access to 3GPP/3GPP2 networks.
3GPP has decided to use the EAP-SIM (Extensible Authentication Protocol - Subscriber Identity Module) or EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) mechanism for access interworking between WLAN and 3GPP networks.
For WLAN-3GPP2 access interworking, EAP-AKA, EAP-CAVE and similar mechanisms are still under discussion.
All of the above approaches build WLAN-3GPP/3GPP2 interworking on the existing 3GPP/3GPP2 access authentication mechanisms.
China has now established a WLAN access security standard, namely the access authentication mechanism based on the WLAN Authentication and Privacy Infrastructure (WAPI). How to make the WAPI mechanism compatible with 802.11i networks (802.11i is based on 802.1X), and in particular how an AP that supports WAPI can accommodate STAs of different types, is currently a new problem.
WAPI consists of the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI). WAI performs authentication, and WPI provides encryption on the air interface. WAPI uses public-key cryptography for client identity authentication: an Authentication Service Unit (ASU) issues a public-key certificate to each user.
The format of the public-key certificate is as follows:
  • Public-key certificate version number
  • Certificate serial number
  • Signature algorithm used by the certificate issuer
  • Certificate issuer name
  • Certificate issuer's public-key information
  • Certificate validity period
  • Certificate holder name
  • Certificate holder's public-key information
  • Certificate type
  • Reserved field
  • Certificate issuer's signature on the certificate
The meaning of some of the fields in the table is as follows:
Certificate serial number: each public-key certificate issued by the ASU is assigned a unique number.
Signature algorithm used by the certificate issuer: specifies the signature algorithm the issuer used, including the name of the signature algorithm, the signature length and the public-key length used by the signer.
Certificate issuer name: identifies the issuer.
Certificate holder name: identifies the holder of the certificate.
Certificate type: the type of device holding the certificate, i.e. a WLAN station (STA), an AP or an ASU.
Certificate issuer's signature on the certificate: this field is the issuer's signature over all the preceding fields of the certificate.
The detailed WAI procedure is shown in Fig. 1:
(1) The AP sends an authentication activation message to the WLAN terminal (referred to here as the STA).
(2) On receiving the authentication activation message, the WLAN terminal sends the public-key certificate of the WLAN client to the AP in an access authentication request message.
(3) On receiving the access authentication request from the WLAN client, the AP extracts the client's certificate, encapsulates it together with the AP's own public-key certificate and the AP's signature in a certificate authentication request message, and sends that message to the ASU.
(4) On receiving the certificate authentication request, the ASU verifies the AP's signature and the validity of the AP's certificate. If either is incorrect, the authentication fails; otherwise the ASU goes on to verify the WLAN client's certificate.
(5) The ASU forms a certificate authentication response message from the verification result for the WLAN client's certificate, the verification result for the AP's certificate and the ASU's signature, and sends it to the AP.
(6) The AP verifies the signature on the certificate authentication response returned by the ASU, obtains the authentication result for the WLAN client, and applies access control accordingly (that is, if the client authenticated successfully the AP allows it to access the network, otherwise it refuses). At the same time the AP forwards the certificate authentication response to the WLAN client; the client verifies the ASU's signature, obtains the authentication result for the AP, and decides accordingly whether to access the network through this AP (if the AP authenticated successfully the client may access the network through this AP; otherwise it does not).
(7) The WLAN client and the AP perform key negotiation to obtain the key used for encryption on the air interface.
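The certificate format and the seven-step procedure above, as an added example that is not part of the patent or of any WAPI implementation: a single-process Python simulation of steps 1 to 6 with the STA, the AP and the ASU as three parties, written to make explicit which party checks which signature. Everything below is an assumption made for the example: textbook RSA over SHA-256 (Python standard library only) stands in for WAPI's actual signature algorithm, the JSON message layouts and field names (`sta_cert`, `ap_sig`, `asu_sig`, and so on) are invented, the AP's signature in step 3 is taken to cover both certificates, and step 7 (key negotiation) is not modelled.

```python
"""WAI access authentication, steps 1 to 6, simulated in one process (constructed example).
Textbook RSA over SHA-256 stands in for WAPI's signature algorithm; the JSON message
layouts are illustrative, not the WAI wire format."""
import hashlib, json, math, secrets

def _probable_prime(n, rounds=16):
    """Miller-Rabin test, enough to build demo keys from the stdlib alone."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=512):
    """Return ((e, n), (d, n)); a 256-bit SHA-256 digest is always below n."""
    e, half = 65537, bits // 2
    while True:
        p = q = 0
        while not _probable_prime(p):
            p = secrets.randbits(half) | (1 << (half - 1)) | 1
        while q == p or not _probable_prime(q):
            q = secrets.randbits(half) | (1 << (half - 1)) | 1
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def sign(priv, data):
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[0], priv[1])

def verify(pub, data, sig):
    return pow(sig, pub[0], pub[1]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def unsigned(msg, sig_field):
    """Canonical bytes of a message minus its signature field: exactly what the signer signs."""
    return json.dumps({k: v for k, v in msg.items() if k != sig_field}, sort_keys=True).encode()

class ASU:  # Authentication Service Unit: issues every certificate, verifies them on request
    def __init__(self):
        self.pub, self._priv = keygen()
        self.serial = 0

    def issue(self, holder, holder_pub, kind):
        # Field set follows the certificate format listed above; the signature covers every other field.
        self.serial += 1
        cert = {"version": 1, "serial": self.serial, "sig_alg": "RSA-512/SHA-256 (stand-in)",
                "issuer": "ASU", "issuer_pub": self.pub, "validity": "2004-04-24..2005-04-24",
                "holder": holder, "holder_pub": holder_pub, "type": kind, "reserved": ""}
        cert["signature"] = sign(self._priv, unsigned(cert, "signature"))
        return cert

    def _cert_ok(self, cert):
        return tuple(cert["issuer_pub"]) == self.pub and verify(self.pub, unsigned(cert, "signature"), cert["signature"])

    def on_cert_auth_request(self, req):
        # Steps 4 and 5: AP signature and certificate first; the STA certificate only if those pass.
        ap_cert, sta_cert = req["ap_cert"], req["sta_cert"]
        ap_ok = self._cert_ok(ap_cert) and verify(tuple(ap_cert["holder_pub"]), unsigned(req, "ap_sig"), req["ap_sig"])
        resp = {"sta_serial": sta_cert["serial"], "sta_result": ap_ok and self._cert_ok(sta_cert),
                "ap_serial": ap_cert["serial"], "ap_result": ap_ok}
        resp["asu_sig"] = sign(self._priv, unsigned(resp, "asu_sig"))
        return resp

class AP:
    def __init__(self, asu):
        self.pub, self._priv = keygen()
        self.cert, self.asu, self.admit = asu.issue("AP-1", self.pub, "AP"), asu, None

    def on_access_request(self, req):
        # Step 3: wrap the STA certificate with the AP's certificate and signature, send to the ASU.
        cert_req = {"sta_cert": req["sta_cert"], "ap_cert": self.cert}
        cert_req["ap_sig"] = sign(self._priv, unsigned(cert_req, "ap_sig"))
        resp = self.asu.on_cert_auth_request(cert_req)
        # Step 6, AP side: verify the ASU's signature, then enforce its verdict on the STA.
        asu_pub = tuple(self.cert["issuer_pub"])
        self.admit = verify(asu_pub, unsigned(resp, "asu_sig"), resp["asu_sig"]) and resp["sta_result"]
        return resp  # forwarded to the STA

class STA:
    def __init__(self, asu, name="STA-1"):
        self.pub, self._priv = keygen()
        self.cert = asu.issue(name, self.pub, "STA")

    def on_cert_auth_response(self, resp):
        # Step 6, STA side: accept the AP only if the ASU's signed verdict on the AP checks out.
        asu_pub = tuple(self.cert["issuer_pub"])
        return verify(asu_pub, unsigned(resp, "asu_sig"), resp["asu_sig"]) and resp["ap_result"]

def wai_exchange(sta, ap):
    """Steps 1 to 6; returns (AP admits STA, STA accepts AP). Step 7, key negotiation, is not modelled."""
    # Step 1 is the AP's activation message; the STA answers it with its certificate (step 2).
    access_req = {"type": "access_auth_request", "sta_cert": sta.cert}
    resp = ap.on_access_request(access_req)           # steps 3 to 6, AP side
    return ap.admit, sta.on_cert_auth_response(resp)  # step 6, STA side
```

The point the simulation makes is that neither the AP nor the STA ever verifies the other's certificate directly: both trust only a verdict signed by the ASU, and the STA and the AP each check that signature independently, so a tampered response is rejected on whichever side it reaches. A STA carrying a certificate from a different issuer fails at the ASU, and the AP refuses it even though the AP itself authenticated successfully.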
The WLAN client's access authentication therefore uses the WAI mechanism: the ASU issues a public-key digital certificate to each WLAN client, and the client uses that certificate to identify itself. Once the client has passed WAI authentication it can access the Internet or other private networks, and while it is attached to the WLAN the air interface is encrypted with the WPI mechanism to protect the security of WLAN communication.
A STA that does not support WAPI, for example the terminal of a WLAN user roaming into China from another country, which cannot recognise WAPI messages, is in a different position. After the association between the STA and the AP is established, an AP that supports WAPI still issues the "authentication activation" message, but no further authentication or encryption negotiation can follow, so the terminal cannot access the WAPI network.
If WLAN is to be operated like today's GSM/CDMA networks it must support roaming and meet the access needs of both domestic and foreign users. When the WLAN must use the WAI authentication system, how to accommodate non-WAPI STAs is a problem that urgently needs to be solved.
Summary of the invention
The present invention provides a method for implementing compatibility between the WAPI protocol and the 802.1X protocol, so as to solve the problem that stations that do not support WAPI cannot access a wireless local area network that supports WAPI.
To solve the above problem, the invention provides the following technical solution:
A method for implementing compatibility between the WAPI protocol and the 802.1X protocol, comprising the steps of:
a wireless access point (AP) that supports both the WAPI protocol and the 802.1X protocol sends an authentication activation message to a station (STA);
the AP determines whether the STA supports the WAPI protocol; if so, the AP and the STA authenticate according to the procedure specified by WAPI; otherwise the WAPI authentication attempt between the AP and the STA is terminated and they authenticate according to the procedure specified by 802.1X.
According to the above method:
When the STA determines that it cannot recognise the authentication activation message it received, it sends a message to the AP on its own initiative to start the EAP authentication procedure, and from this message the AP determines that the STA does not support the WAPI protocol.
When the AP has sent the authentication activation message a predetermined number of times without receiving a WAPI response from the STA, it determines that the STA does not support the WAPI protocol and on its own initiative sends an EAP request message to the STA to start the EAP procedure. If the AP has sent the message that starts the EAP authentication procedure a predetermined number of times and still receives no response from the STA, the procedure is terminated and access is refused.
During the authentication procedure the AP and the STA generate keys and negotiate an encryption algorithm.
The authentication procedure specified by 802.1X may also carry other EAP-based authentication procedures, including the EAP-SIM and EAP-AKA procedures of the WLAN and GSM/WCDMA interworking protocols.
By enhancing the processing logic of the AP, the present invention gives the AP the ability to recognise the capabilities of a STA and to run the authentication and encryption procedures that match those capabilities, thereby making access convenient for users of every type.
With the present invention, after China enforces the WAPI standard and the network has been fully upgraded, existing domestic users who have not yet upgraded their terminals can still access the network.
Foreign roaming users cannot achieve international roaming under the existing WAPI scheme; with the present invention an operator can solve the problem of how WAPI supports international roaming, and thus collect Internet usage fees from international roaming users.
Description of drawings
Fig. 1 is a flow diagram of access authentication for a WAPI-capable station in the prior art;
Fig. 2 is the state machine diagram of the enhanced AP of the first embodiment of the invention;
Fig. 3 is a flow diagram of station access authentication in the first embodiment of the invention;
Fig. 4 is a flow diagram of EAP-SIM authentication;
Fig. 5 is a flow diagram of EAP-AKA authentication;
Fig. 6 is the state machine diagram of the enhanced AP of the second embodiment of the invention;
Fig. 7 is a flow diagram of station access authentication in the second embodiment of the invention.
Embodiments
After China enforces the WLAN Authentication and Privacy Infrastructure (WAPI) standard, if every wireless access point (AP) in the wireless local area network (WLAN) is upgraded to support WAPI, then the large existing population of stations (STAs) must also be upgraded to support WAPI in order to access the WAPI network; STAs that have not been upgraded, or that roam in from abroad, cannot access the WAPI network.
The present invention adds automatic STA recognition to the AP, which judges from message content whether a STA supports WAPI. If the AP sends a WAPI message to the STA and receives no WAPI response but instead receives an 802.1X message, it concludes that the STA does not support WAPI but can support 802.1X, and therefore starts the 802.1X authentication and encryption procedure.
When a STA does not support WAPI, the 802.1X authentication procedure between the STA and the AP may be initiated either by the STA or by the AP. The two approaches are described in turn below.
As shown in Fig. 2, a processing branch is added to the AP's protocol-processing state machine (the added part is shown in the box), so that the AP supports 802.1X as well as WAPI (802.1X is a security protocol defined by IEEE, and 802.11i is currently based on 802.1X). On access, a WAPI-capable station (STA) follows the normal WAPI authentication and encryption procedure, while a STA that does not support WAPI, following its default configuration, itself starts the 802.1X authentication procedure.
Referring to Fig. 3 together with Fig. 2, the specific processing flow is as follows:
(1) The STA and the AP carry out the conventional negotiation, comprising the three-way Probe, Authentication and Association handshake.
(2) After the association is established, the WAPI-capable AP sends an authentication activation message to the STA.
(3) When the WLAN terminal (STA) receives the authentication activation message, if the STA itself supports WAPI it follows the normal WAPI authentication and encryption procedure (shown in Fig. 1).
(4) If the STA does not support WAPI, it cannot recognise the authentication activation message. In this case the STA can start the 802.1X procedure according to its default configuration, sending an EAPoL_Start (EAP over LAN start) message to the AP on its own initiative to begin EAP authentication.
(5) Because the AP supports both the WAPI protocol and the 802.1X protocol, it learns from the terminal's EAPoL_Start message that this STA does not support WAPI, and begins authentication under 802.1X.
If keys are generated and a corresponding encryption algorithm is negotiated during the 802.1X authentication, encryption (WEP, TKIP or AES) is started between the STA and the AP.
During the 802.1X authentication, the WLAN authentication procedures defined by 3GPP/3GPP2, EAP-SIM and EAP-AKA, can also be carried. EAP-SIM and EAP-AKA are the WLAN and GSM/WCDMA interworking procedures defined by 3GPP (see 3GPP TS 23.234). The point at which the EAP-SIM and EAP-AKA procedures join the method of the present invention is the EAP Request/Identity message.
The EAP-SIM procedure is the WLAN and GSM/GPRS interworking procedure defined by 3GPP; it carries SIM authentication over 802.1X so that the user can be authenticated and charged through the SIM card. Fig. 4 shows EAP-SIM carried within the 802.1X authentication (step 1 in Fig. 4 is the three-way handshake between the STA and the AP).
The EAP-AKA procedure is a procedure defined by 3GPP; it carries the AKA authentication procedure over 802.1X so that the user can be authenticated and charged through the USIM card, as shown in Fig. 5 (step 1 in Fig. 5 is the three-way handshake between the STA and the AP).
Referring to Fig. 6, follow-up processing for the case where no response message arrives is added to the AP's protocol-processing state machine (the added part is shown in the dashed box), so that the AP supports 802.1X as well as WAPI. If the AP issues the "authentication activation" message and receives no WAPI response message before the authentication timer expires, it concludes that the terminal does not support WAPI and on its own initiative sends an EAP Request/Identity message to the STA to try to start the 802.1X authentication procedure. If an EAP response message is received from the STA, the 802.1X procedure between the AP and the STA continues; if no response is received and authentication has not yet timed out, the AP retransmits as configured; if no response at all is received before authentication times out, the procedure is terminated and access is refused.
Referring to Fig. 7, the specific flow is as follows:
(1) The STA and the AP carry out the conventional negotiation, comprising the three-way Probe, Authentication and Association handshake.
(2) After the association is established, the WAPI-capable AP sends an authentication activation message to the STA.
(3) If the AP receives a WAPI response message within the specified interval, the STA supports WAPI and the normal WAPI authentication and encryption procedure follows (shown in Fig. 1).
(4) If the AP never receives a response from the STA, and still receives none after retransmitting the configured number of times, it concludes that the STA does not support WAPI messages, terminates the WAPI procedure, issues an EAP Request/Identity message to the STA and begins authentication under 802.1X.
(5) If the subsequent procedure proceeds normally, then during the 802.1X authentication the protocols carried by EAP may include procedures such as EAP-SIM and EAP-AKA, according to the WLAN authentication procedures defined by 3GPP/3GPP2.
If keys are generated and a corresponding encryption algorithm is negotiated during the 802.1X authentication, encryption is started between the STA and the AP.
(6) If the STA still does not respond normally after the AP has issued the EAP Request/Identity message, the authentication procedure is terminated and access is refused.
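The two embodiments (STA-initiated via EAPoL_Start, Figs. 2 and 3; AP-initiated after the activation retries run out, Figs. 6 and 7), as an added example that is not part of the patent or of any AP firmware: a Python model of the enhanced AP's per-STA state machine, with the two "predetermined numbers" of claims 3 and 4 as parameters. The state names, frame labels, and the `assoc`/`timeout`/frame event interface are assumptions made for the example. It goes slightly beyond the text by handling both embodiments in one machine and by ignoring a WAPI reply that arrives only after the AP has already switched to 802.1X.

```python
"""Enhanced AP: try WAPI first, fall back to 802.1X (constructed example, not the patent's code)."""
from enum import Enum, auto


class APState(Enum):
    ASSOCIATED = auto()       # Probe/Authentication/Association handshake done
    WAPI_ACTIVATING = auto()  # authentication activation sent, awaiting a WAPI reply
    WAPI_AUTH = auto()        # STA answered with a WAPI access authentication request (Fig. 1 flow)
    DOT1X_IDENTITY = auto()   # EAP Request/Identity sent, awaiting EAP Response/Identity
    DOT1X_AUTH = auto()       # 802.1X/EAP authentication in progress
    REJECTED = auto()         # STA answered neither protocol: access refused


# Frame labels are assumptions for this example, not the standards' frame formats.
WAPI_ACTIVATION = "WAPI-AuthActivation"
WAPI_REQUEST = "WAPI-AccessAuthRequest"
EAPOL_START = "EAPOL-Start"
EAP_REQ_IDENTITY = "EAP-Request/Identity"
EAP_RESP_IDENTITY = "EAP-Response/Identity"


class EnhancedAP:
    """Per-STA state machine of an AP that supports both WAPI and 802.1X."""

    def __init__(self, activation_attempts=3, identity_attempts=3):
        self.max_activation = activation_attempts  # the "predetermined number" of claim 3
        self.max_identity = identity_attempts      # the "predetermined number" of claim 4
        self.state = APState.ASSOCIATED
        self.sent = []                             # every frame transmitted, for inspection

    def _send(self, frame):
        self.sent.append(frame)

    def _start_dot1x(self):
        """Abandon the WAPI attempt and open the EAP exchange with Request/Identity."""
        self._send(EAP_REQ_IDENTITY)
        self.state = APState.DOT1X_IDENTITY
        return self.state

    def on_association(self):
        """Step 2 of both embodiments: association is up, so send the activation message."""
        self._send(WAPI_ACTIVATION)
        self.state = APState.WAPI_ACTIVATING
        return self.state

    def on_frame(self, frame):
        """A frame arrived from the STA; anything unexpected in the current state is ignored."""
        if self.state == APState.WAPI_ACTIVATING:
            if frame == WAPI_REQUEST:          # STA understood WAPI: continue per Fig. 1
                self.state = APState.WAPI_AUTH
            elif frame == EAPOL_START:         # embodiment 1: the STA itself asked for EAP
                return self._start_dot1x()
        elif self.state == APState.DOT1X_IDENTITY and frame == EAP_RESP_IDENTITY:
            self.state = APState.DOT1X_AUTH    # 802.1X continues (EAP-SIM, EAP-AKA, ...)
        return self.state

    def on_timeout(self):
        """The response timer expired: retransmit while attempts remain, otherwise move on."""
        if self.state == APState.WAPI_ACTIVATING:
            if self.sent.count(WAPI_ACTIVATION) < self.max_activation:
                self._send(WAPI_ACTIVATION)
            else:                              # embodiment 2: no WAPI reply, assume a non-WAPI STA
                return self._start_dot1x()
        elif self.state == APState.DOT1X_IDENTITY:
            if self.sent.count(EAP_REQ_IDENTITY) < self.max_identity:
                self._send(EAP_REQ_IDENTITY)
            else:                              # neither protocol answered: refuse access
                self.state = APState.REJECTED
        return self.state


def run(ap, events):
    """Drive an AP with a sequence of events: "assoc", "timeout", or a received frame label."""
    for event in events:
        if event == "assoc":
            ap.on_association()
        elif event == "timeout":
            ap.on_timeout()
        else:
            ap.on_frame(event)
    return ap.state
```

Counting retransmissions from the transmit log rather than from a separate counter keeps the "predetermined number" checks honest: the AP switches to 802.1X only after exactly `activation_attempts` activations went unanswered, and refuses access only after exactly `identity_attempts` EAP Request/Identity frames went unanswered, which is the behaviour claims 3 and 4 describe.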
By enhancing the processing logic of the AP, the present invention gives the AP the ability to recognise the capabilities of a STA and to run the authentication and encryption procedures that match those capabilities, making access convenient for users of every type. After the network has been fully upgraded, existing domestic users who have not yet upgraded their terminals can still access the network; foreign roaming users, who cannot roam internationally under the WAPI scheme alone, can access and roam far more easily when the AP has this intelligent processing capability. An operator using the present invention can solve the problem of how to support international roaming and so collect Internet usage fees from international roaming users.

Claims (7)

1. A method for implementing compatibility between the WAPI protocol and the 802.1X protocol, characterised in that the method comprises the steps of:
a wireless access point (AP) that supports both the WAPI protocol and the 802.1X protocol sends an authentication activation message to a station (STA);
the AP determines whether the STA supports the WAPI protocol; if so, the AP and the STA authenticate according to the procedure specified by WAPI; otherwise the WAPI authentication attempt between the AP and the STA is terminated and they authenticate according to the procedure specified by 802.1X.
2. The method of claim 1, characterised in that when the STA determines that it cannot recognise the authentication activation message it received, it sends a message to the AP on its own initiative to start the EAP authentication procedure, and from this message the AP determines that the STA does not support the WAPI protocol.
3. The method of claim 1, characterised in that when the AP has sent the authentication activation message a predetermined number of times without receiving a WAPI response message from the STA, it determines that the STA does not support the WAPI protocol and on its own initiative sends an EAP request message to the STA to start the EAP procedure.
4. The method of claim 3, characterised in that when the AP has sent the message that starts the EAP authentication procedure to the STA a predetermined number of times without receiving a response from the STA, the procedure is terminated and access is refused.
5. The method of any one of claims 1 to 3, characterised in that the AP and the STA generate keys and negotiate an encryption algorithm during the authentication procedure.
6. The method of claim 5, characterised in that other EAP-based authentication procedures are also carried within the authentication procedure specified by 802.1X.
7. The method of claim 6, characterised in that said other authentication procedures comprise the EAP-SIM and EAP-AKA procedures of the WLAN and GSM/WCDMA interworking protocols.

Priority Applications (1)

Application Number: CNB2004100349042A (CN100527668C)
Priority Date: 2004-04-24
Filing Date: 2004-04-24
Title: Method for implementing compatibility between WAPI protocol and 802.1X protocol


Publications (2)

Publication Number    Publication Date
CN1691582A (en)       2005-11-02
CN100527668C (en)     2009-08-12 (grant)

Family

ID=35346744

Family Applications (1)

Application Number: CNB2004100349042A (CN100527668C, Expired - Fee Related)
Title: Method for implementing compatibility between WAPI protocol and 802.1X protocol
Priority Date: 2004-04-24
Filing Date: 2004-04-24

Country Status (1)

Country    Link
CN         CN100527668C (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1805441B (en) * 2005-11-23 2011-01-05 西安电子科技大学 Integrated WLAN authentication architecture and method of implementing structural layers
CN100388664C (en) * 2005-12-16 2008-05-14 西安电子科技大学 Access method for realizing WLAN multi mode safety identification
CN100496052C (en) * 2006-02-28 2009-06-03 西安西电捷通无线网络通信有限公司 Method and system for testing safety access protocol conformity of network terminal
JP4878006B2 (en) * 2007-06-15 2012-02-15 シャープ株式会社 COMMUNICATION DEVICE, COMMUNICATION METHOD, COMMUNICATION PROGRAM, AND COMPUTER-READABLE RECORDING MEDIUM CONTAINING THE SAME
CN101335621B (en) * 2007-06-26 2011-03-16 中国科学院声学研究所 802.11i key management method
CN101577978B (en) 2009-02-27 2011-02-16 西安西电捷通无线网络通信股份有限公司 Method for realizing convergence WAPI network architecture in local MAC mode
CN101577904B (en) 2009-02-27 2011-04-06 西安西电捷通无线网络通信股份有限公司 Method for realizing convergence WAPI network architecture in separated MAC mode
CN101577905B (en) 2009-02-27 2011-06-01 西安西电捷通无线网络通信股份有限公司 Method for realizing convergence WAPI network architecture in separated MAC mode
CN101730097B (en) * 2009-11-18 2012-10-10 中兴通讯股份有限公司 Method and system for accessing wireless terminal to wireless network
CN101969639B (en) * 2010-10-19 2013-02-06 广州杰赛科技股份有限公司 Multi-certificate and multi-certification mode combined access authentication method and system
CN103987039B (en) * 2013-02-07 2017-11-28 华为终端有限公司 WPS consults the processing method and equipment of access

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Specification for Enhanced Security, IEEE Std 802.11i/D3.0. IEEE 802 Committee, Institute of Electrical and Electronics Engineers, Inc. Draft Supplement to Standard for Telecommunications and Information Exchange Between Systems - LAN/MAN Specific Requirements - Part 11. 2002 *



Legal Events

Code   Title
C06    Publication
PB01   Publication
C10    Entry into substantive examination
SE01   Entry into force of request for substantive examination
C14    Grant of patent or utility model
GR01   Patent grant
CF01   Termination of patent right due to non-payment of annual fee (granted publication date: 20090812)