CN101272297B - EAP authentication method of WiMAX network user - Google Patents
Abstract
The invention relates to an EAP authentication method for WiMAX network users, comprising: a terminal establishes a connection with the ASN through a physical layer protocol; the user enters a user name and a password through the terminal; the ASN forwards the access request of the user's terminal over the communication protocol agreed between the ASN and an EAP authentication server; the EAP authentication server uses the EAP-MD5 algorithm to authenticate and authorize the user, generates the MSK after successful authentication and authorization, and encapsulates the MSK in a success message; an air-interface key is generated from the MSK according to the success message, and the WiMAX network and the corresponding terminal establish secure wireless communication; otherwise service is refused according to a failure message. The method extends the EAP-MD5 algorithm to generate the MSK during the authentication process, so that EAP-MD5 authentication can be applied to the WiMAX network, reducing the cost of network equipment and terminals and helping the application and popularization of the WiMAX network.
Description
Technical field
The present invention relates to the Worldwide Interoperability for Microwave Access (WiMAX) network, and specifically to an EAP authentication method for WiMAX network users.
Background technology
Worldwide Interoperability for Microwave Access, abbreviated WiMAX, is a standard formulated by the IEEE and is therefore also known as IEEE 802.16; it is a wireless metropolitan area network (WMAN) technology.
Data encryption is essential in wireless networks. In IEEE 802.1x, the actual authentication protocol is determined by the method carried inside the Extensible Authentication Protocol (EAP). The EAP architecture is very flexible and accommodates multiple authentication modes under one protocol framework: EAP methods such as EAP-TTLS, EAP-SIM, EAP-AKA and PEAP support mechanisms such as mutual authentication, anonymous transmission of user account information and dynamic key negotiation and management, whereas authentication modes such as EAP-MD5 support only one-way authentication.
WiMAX currently uses the EAP protocol to perform authentication, but EAP itself is not an authentication mechanism; it is a generic framework used to transport the actual authentication protocol. The technical protocol requirements issued by the WiMAX Network Working Group (NWG) specify that, after the terminal (UE) has successfully accessed the network through the access device, the Access Service Network (ASN), according to 802.16 and completed initialization, the supplicant UE sends an EAPoL-Start message to the ASN to begin 802.1x authentication. After authentication passes, the authentication, authorization and accounting (AAA) server must generate an MSK during the authentication process; the terminal and the access gateway (AGW) use the MSK in the subsequent flow to derive further keys for negotiating encryption and similar purposes. For this reason the EAP-TLS, EAP-TTLS and EAP-AKA authentication algorithms stipulated in the specification all support MSK generation. The EAP-TTLS and EAP-TLS algorithms require a Public Key Infrastructure (PKI), and EAP-AKA is based on a SIM card. All of these algorithms are very complex and impose a cost on both the network side and the terminal. The most widely used method at present is EAP-MD5, which provides simple, centralized user authentication through the authentication, authorization and accounting server. In this mode the RADIUS server needs no certificates, and no other security information has to be installed in the wireless stations. When a user registers, the RADIUS server simply checks the user name and password and, if they match, notifies the radio access point to allow that client to access network services. Although EAP-MD5 is a one-way authentication mechanism that only authenticates the client to the server and does not authenticate the server to the client, the simplicity and wide deployment of the EAP-MD5 authentication mechanism would help the popularization of the WiMAX network.
However, because wireless communication networks place great weight on data security, and the standard EAP-MD5 algorithm does not generate an MSK, EAP-MD5 cannot be used directly for authentication and authorization in a WiMAX network.
Summary of the invention
The technical problem addressed by the present invention is to provide a WiMAX network user EAP authentication method that makes the EAP-MD5 authentication mechanism applicable to authentication and authorization in a WiMAX network.
The above technical problem is solved by the present invention as follows. A WiMAX network user EAP authentication method is provided in which the EAP-MD5 algorithm is extended to generate a master session key (MSK) during the authentication process, comprising the following steps:
1.1) the terminal connects to the access device (ASN) of the WiMAX network through a physical layer protocol;
1.2) the user enters a user name and password through this terminal, and the ASN forwards the access request of the user's terminal over the communication protocol between the ASN and the EAP authentication server;
1.3) the EAP authentication server uses the EAP-MD5 algorithm to authenticate and authorize the user, and after successful authentication and authorization generates the MSK and encapsulates it in a success message;
1.4) the Access Service Network Gateway (AGW) in the ASN of the WiMAX network and the corresponding terminal use the MSK carried in the success message to generate air-interface keys and establish secure wireless communication, and the WiMAX network begins to provide service to the user; otherwise service is refused to the user.
According to the EAP authentication method provided by the invention, the MSK is generated from the MD5-Challenge, the Challenge Handshake Authentication Protocol (CHAP) identifier CHAP-ID and the shared key, and is encoded into the success message. The specific generation method is as follows:
MSK = P_hash(secret, seed)
    = HMAC_md5(secret, A(1) + seed) +
      HMAC_md5(secret, A(2) + seed) +
      HMAC_md5(secret, A(3) + seed) +
      HMAC_md5(secret, A(4) + seed)
where A() is defined as:
A(0) = seed,
A(i) = HMAC_hash(secret, A(i-1))
The seed data are: CHAP-ID + MD5-Challenge
The secret data are: the shared key.
According to the EAP authentication method provided by the invention, the MD5-Challenge is a 16-byte random number located in the EAP-Request/MD5-Challenge message that is encapsulated in the EAP-Message attribute of the RADIUS Access-Challenge message.
According to the EAP authentication method provided by the invention, the CHAP-ID is the Challenge Handshake Authentication Protocol challenge message identifier encapsulated in the EAP MD5-Challenge message; see RFC 1994 for details.
According to the EAP authentication method provided by the invention, the shared key is the key shared between the user and the EAP authentication server.
According to the EAP authentication method provided by the invention, step 1.3) further comprises: after authentication and authorization fail, the EAP authentication server directly responds with a failure message; and step 1.4) refuses to provide service to the user according to that failure message.
According to the EAP authentication method provided by the invention, the EAP authentication server is integrated in the AAA server, and the communication protocol is the RADIUS protocol.
According to the EAP authentication method provided by the invention, the failure message is a RADIUS Access-Reject message.
According to the EAP authentication method provided by the invention, the success message is a RADIUS Access-Accept message, i.e. a RADIUS Access-Accept message carrying EAP-Success.
According to the EAP authentication method provided by the invention, the physical layer protocol may be IEEE 802.1x, and specifically IEEE 802.16.
The WiMAX network user EAP authentication method provided by the invention extends the EAP-MD5 algorithm to generate the master session key MSK during the authentication process, making the EAP-MD5 authentication mechanism applicable to authentication and authorization in a WiMAX network, thereby reducing system and terminal cost and helping the popularization of the WiMAX network.
Description of drawings
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is the network structure diagram in which the present invention is applied.
Fig. 2 is the flow chart of the EAP-MD5-Challenge MSK implementation of the present invention.
Embodiment
As shown in Fig. 1, the WiMAX network applying the method of the invention specifically comprises:
(1) WiMAX user terminal 11: the subscriber terminal equipment in the WiMAX network. The user enters a user name and password through this terminal to log in to the WiMAX network, and after authentication passes the user can use this equipment to access network resources.
(2) Access Service Network 12: the access network in the WiMAX network that controls user access and allocates resources. During the user authentication phase it forwards and parses the user's access authentication signalling.
(3) AAA server 13: stores subscriber authentication and authorization information, receives the user authentication messages forwarded by the ASN and verifies their legitimacy, and notifies the ASN according to the user's authorization information to grant the user's permissions. In the present invention this AAA server also serves as the EAP authentication server.
As shown in Fig. 2, the flow by which the present invention implements the EAP-MD5-Challenge MSK specifically comprises the following steps:
201) The WiMAX terminal (hereinafter UE) successfully accesses the network and completes initialization with the ASN according to 802.16.
202) The supplicant UE sends an EAPoL-Start message to the ASN to begin 802.1x authentication.
203) The ASN sends an EAP-Request/Identity message to the UE, asking the supplicant to send its user name.
204) The supplicant responds with an EAP-Response/Identity message containing the user identifier UserName.
205) The ASN encapsulates the EAP-Response/Identity message in a Remote Authentication Dial-In User Service (RADIUS) Access-Request message and sends it to the AAA server to request RADIUS authentication.
206) The AAA server sends a RADIUS Access-Challenge message to the ASN, with an EAP-Request/MD5-Challenge message encapsulated in the EAP-Message attribute of the challenge; the MD5-Challenge is in fact a 16-byte random number.
207) The ASN parses the EAP-Request/MD5-Challenge message carried in the RADIUS Access-Challenge message and sends it to the UE, requesting the challenge response.
208) After the UE receives the EAP-Request/MD5-Challenge message, it performs the MD5 computation over the password and the MD5 challenge, and then sends an EAP-Response/MD5-Challenge{Challenge/Challenge-Password/User Name} message carrying the MD5 challenge, the challenge password and the user identifier to the ASN.
209) The ASN encapsulates the EAP-Response/MD5-Challenge message from the terminal in a RADIUS Access-Request message, which is authenticated by the AAA server.
210) The AAA server judges from the user profile whether the user is legitimate and then responds to the ASN with a RADIUS authentication success/failure message, with the EAP success/failure result encapsulated in the EAP-Message attribute of the RADIUS message. If authentication succeeds, a RADIUS Access-Accept message carrying the EAP success result and the user's related service attributes authorizes the user; it includes the MSK generated by the algorithm of the present invention. If authentication fails, a RADIUS Access-Reject message carrying the EAP failure result is returned.
211) The ASN responds to the supplicant UE with an EAP-Success/EAP-Failure message indicating the authentication result. After a successful authentication, the IP address assignment flow is entered and the charging process is started. If authentication fails, the user is refused access to the network.
Finally, to restate the specific MSK generation algorithm of the present invention: in the authentication phase the AAA server generates the MSK from the MD5-Challenge, the CHAP-ID and the shared key, and encodes it in the RADIUS Access-Accept message that contains EAP-Success. The generation method is as follows:
MSK = P_hash(secret, seed)
    = HMAC_md5(secret, A(1) + seed) +
      HMAC_md5(secret, A(2) + seed) +
      HMAC_md5(secret, A(3) + seed) +
      HMAC_md5(secret, A(4) + seed)
where A() is defined as:
A(0) = seed,
A(i) = HMAC_hash(secret, A(i-1))
The seed data are: CHAP-ID + MD5-Challenge
The secret data are: the key shared between the user and the AAA server.
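The P_hash expansion above (also given in the summary of the invention) together with the server-side check of step 210, as an added Python example that is not the patent's own code: it assumes that HMAC_hash in the A(i) chain is HMAC-MD5 (P_hash is instantiated with MD5), that the shared key used for the MSK is the same user password used in the RFC 1994 MD5 response, and that the CHAP-ID is the one-byte EAP identifier; all sample values are constructed.

```python
import hashlib
import hmac

MD5_CHALLENGE_LEN = 16  # the MD5-Challenge is a 16-byte random number


def chap_md5_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/EAP-MD5 response: MD5(Identifier || secret || challenge).
    Computed by the UE in step 208 and recomputed by the AAA server in step 210."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def p_hash_md5(secret: bytes, seed: bytes, iterations: int = 4) -> bytes:
    """P_hash from the page with HMAC-MD5 (assumption: HMAC_hash = HMAC_md5):
    A(0) = seed, A(i) = HMAC_md5(secret, A(i-1)),
    output = HMAC_md5(secret, A(1)+seed) + ... + HMAC_md5(secret, A(n)+seed).
    Four 16-byte HMAC-MD5 outputs give the 64-byte MSK."""
    a = seed
    out = b""
    for _ in range(iterations):
        a = hmac.new(secret, a, hashlib.md5).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.md5).digest()  # block i
    return out


def derive_msk(shared_key: bytes, chap_id: int, md5_challenge: bytes) -> bytes:
    """MSK = P_hash(secret = shared key, seed = CHAP-ID + MD5-Challenge)."""
    if len(md5_challenge) != MD5_CHALLENGE_LEN:
        raise ValueError("MD5-Challenge must be 16 bytes")
    seed = bytes([chap_id]) + md5_challenge
    return p_hash_md5(shared_key, seed)


def aaa_authenticate(shared_key: bytes, chap_id: int, challenge: bytes,
                     response: bytes):
    """AAA side of step 210: verify the UE's MD5 response against the stored
    shared key. Returns the MSK to carry in Access-Accept, or None for
    Access-Reject. compare_digest avoids a timing side channel on the check."""
    expected = chap_md5_response(chap_id, shared_key, challenge)
    if not hmac.compare_digest(expected, response):
        return None
    return derive_msk(shared_key, chap_id, challenge)


def run_exchange(ue_password: bytes, aaa_shared_key: bytes,
                 chap_id: int, challenge: bytes):
    """Steps 206-210 for one user. Returns (aaa_msk, ue_msk); on a rejected
    response aaa_msk is None. With matching keys both sides derive the same MSK
    without it ever crossing the air interface."""
    response = chap_md5_response(chap_id, ue_password, challenge)   # step 208
    aaa_msk = aaa_authenticate(aaa_shared_key, chap_id, challenge, response)
    ue_msk = derive_msk(ue_password, chap_id, challenge) if aaa_msk else None
    return aaa_msk, ue_msk


if __name__ == "__main__":
    # Constructed sample values; a real MD5-Challenge comes from the AAA server's RNG.
    key, cid, chal = b"wimax-shared-secret", 0x2A, bytes(range(16))
    srv, ue = run_exchange(key, key, cid, chal)
    print("MSK (64 bytes, both sides agree):", srv.hex(), srv == ue)
    print("wrong password rejected:", run_exchange(b"wrong", key, cid, chal))
```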
Claims (6)
1. A Worldwide Interoperability for Microwave Access (WiMAX) network user Extensible Authentication Protocol (EAP) authentication method, characterized in that the EAP-MD5 algorithm is extended to generate an MSK during the authentication process, comprising the following steps:
1.1) the terminal connects to the access device (ASN) of the WiMAX network through a physical layer protocol;
1.2) the user enters a user name and password through this terminal, and the ASN forwards the access request of the user's terminal over the communication protocol between the ASN and the EAP authentication server;
1.3) the EAP authentication server uses the EAP-MD5 algorithm to authenticate and authorize the user, and after successful authentication and authorization generates the MSK and encapsulates it in a success message;
1.4) an air-interface key is generated from the MSK according to the success message, and the WiMAX network and the corresponding terminal establish secure wireless communication; otherwise service is refused to the user;
wherein the MSK is generated from the MD5-Challenge, the CHAP-ID and the shared key and is encoded into the success message, the specific generation method being as follows:
MSK = P_hash(secret, seed)
    = HMAC_md5(secret, A(1) + seed) +
      HMAC_md5(secret, A(2) + seed) +
      HMAC_md5(secret, A(3) + seed) +
      HMAC_md5(secret, A(4) + seed)
where A() is defined as:
A(0) = seed,
A(i) = HMAC_hash(secret, A(i-1))
The seed data are: CHAP-ID + MD5-Challenge
The secret data are: the key shared between the user and the EAP authentication server;
the MD5-Challenge is a 16-byte random number located in the EAP-Request/MD5-Challenge message that is encapsulated in the EAP-Message attribute of the RADIUS Access-Challenge message;
the CHAP-ID is the Challenge Handshake Authentication Protocol challenge message identifier encapsulated in the EAP MD5-Challenge message.
2. The EAP authentication method according to claim 1, characterized in that step 1.3) further comprises: after authentication and authorization fail, the EAP authentication server directly responds with a failure message; and step 1.4) refuses to provide service to the user according to that failure message.
3. The EAP authentication method according to claim 1, characterized in that the EAP authentication server is integrated in the AAA server, and the communication protocol is the RADIUS protocol.
4. The EAP authentication method according to claim 2, characterized in that the failure message is a RADIUS Access-Reject message.
5. The EAP authentication method according to claim 1, characterized in that the success message is a RADIUS Access-Accept message.
6. The EAP authentication method according to claim 1, characterized in that the physical layer protocol is IEEE 802.1x.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007100892916A CN101272297B (en) | 2007-03-20 | 2007-03-20 | EAP authentication method of WiMAX network user |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101272297A CN101272297A (en) | 2008-09-24 |
CN101272297B true CN101272297B (en) | 2011-10-26 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2011-10-26; Termination date: 2015-03-20 |
EXPY | Termination of patent right or utility model | |