CN104270752A - Key negotiation method and device for wireless network - Google Patents


Info

Publication number
CN104270752A
Authority
CN
China
Prior art keywords
key
message4
wireless client
message
message3
Prior art date
Legal status
Granted
Application number
CN201410519532.6A
Other languages
Chinese (zh)
Other versions
CN104270752B (en)
Inventor
傅嘉嘉
吴蔷
刘琛
Current Assignee
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201410519532.6A
Publication of CN104270752A
Application granted
Publication of CN104270752B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a key negotiation method and device for a wireless network. The method comprises: step A, an AP sends the EAPOL-Key message Message3 to a wireless client and starts a timer; step B, if after a preset time interval the AP still has not successfully received the EAPOL-Key message Message4 sent by the wireless client, it performs a first operation or a second operation; steps A and B are repeated until the number of retransmissions of Message3 exceeds a preset retransmission threshold, at which point key negotiation is determined to have failed. The first operation is installing the key (or installing a new key) and the second operation is uninstalling the key (or installing the old key); the first operation is performed on the (2N-1)th execution of step B and the second operation on the 2Nth execution, N being a natural number greater than 0. With this method and device, the AP can eventually correctly decrypt the Message4 replied by the wireless client and proceed on the basis of a successful key negotiation, so the wireless client can be authenticated successfully and gain access through the AP.

Description

Key negotiation method and device in a wireless network
Technical field
The present application relates to the field of wireless network technology, and in particular to a key negotiation method and device in a wireless network.
Background
An AP (Access Point) is a wireless transceiver device that serves as the access point of a wireless network: one end connects to wireless clients over the wireless network, and the other end connects to a wired network (such as the Internet). The AP converts the wireless signals received from wireless clients into data and forwards them to the wired network, and converts the data received from the wired network into wireless signals forwarded to the wireless clients. For the security of the wireless network, the wireless client and the AP need to encrypt messages with a key when communicating; therefore, when a wireless client comes online it performs a key negotiation with the AP, the two sides negotiate the same key, and they use it to encrypt and decrypt messages. In addition, after the wireless client has come online successfully, it may also periodically perform a key update with the AP.
At present there are mainly two modes: RSN (Robust Security Network) mode and WPA (Wi-Fi Protected Access) mode. In RSN mode, the wireless client and the AP exchange four EAPOL-Key (Extensible Authentication Protocol Over LAN-Key) messages to negotiate the PTK (Pairwise Transient Key), used to encrypt unicast messages, and the GTK (Group Temporal Key), used to encrypt non-unicast messages. The key negotiation process in WPA mode is similar to that in RSN mode; the difference is that the wireless client and the AP complete the negotiation of the PTK and GTK through an exchange of six EAPOL-Key messages, where the first four EAPOL-Key messages only complete the negotiation of the PTK, after which a further exchange of two EAPOL-Key messages is needed to negotiate the GTK.
Normally, the wireless client installs the key after sending Message4. Some wireless clients, however, install the key early, that is, they install the key upon receiving Message3, before replying Message4 to the AP. In that case the Message4 the wireless client replies is an encrypted message, while the AP has not yet installed the key; the AP cannot decrypt the encrypted Message4 and can only discard it, treating Message4 as not successfully received. The AP then keeps retransmitting Message3 until the retransmission threshold is exceeded and handles the exchange as a key negotiation failure. In the end, the wireless client fails authentication and cannot access the AP.
Summary of the invention
In view of this, the present application provides a key negotiation method and device in a wireless network.
The technical solution of the present application is as follows:
In one aspect, a key negotiation method in a wireless network is provided, comprising:
A. the AP sends the EAPOL-Key message Message3 to the wireless client and starts a timer;
B. if after the predetermined time interval has elapsed the AP still has not successfully received the EAPOL-Key message Message4 sent by the wireless client, it performs a first operation or a second operation;
steps A and B are repeated until the number of retransmissions of Message3 exceeds a preset retransmission threshold, at which point key negotiation failure is confirmed;
wherein the first operation is installing the key and the second operation is uninstalling the key, or the first operation is installing a new key and the second operation is installing the old key; on the (2N-1)th execution of step B the first operation is performed, and on the 2Nth execution of step B the second operation is performed, N being a natural number greater than 0.
In another aspect, a key negotiation device in a wireless network is also provided, the device being applied on an AP of the wireless network and comprising:
a receiving module, for receiving the EAPOL-Key message Message4 sent by the wireless client;
a processing module, for performing step A and step B, wherein step A comprises: sending the EAPOL-Key message Message3 to the wireless client and starting a timer; and step B comprises: if after the predetermined time interval has elapsed the receiving module still has not successfully received the EAPOL-Key message Message4 sent by the wireless client, performing a first operation or a second operation;
a failure confirmation module, for controlling the processing module to repeat step A and step B until the number of retransmissions of Message3 exceeds a preset retransmission threshold, and then confirming key negotiation failure;
wherein the first operation is installing the key and the second operation is uninstalling the key, or the first operation is installing a new key and the second operation is installing the old key; when the processing module executes step B for the (2N-1)th time it performs the first operation, and when it executes step B for the 2Nth time it performs the second operation, N being a natural number greater than 0.
In the above technical solution, under the abnormal condition in which the wireless client installs the key early, the AP starts its timer when it first sends Message3. The wireless client installs the key on receiving Message3, before replying Message4, so the Message4 it replies is ciphertext; the AP cannot decrypt this ciphertext Message4 and discards it, so before the predetermined time interval T elapses the AP has not successfully received Message4. The AP then installs the key, retransmits Message3 and restarts the timer. This retransmitted Message3 is now ciphertext; the wireless client can decrypt it correctly and replies a ciphertext Message4, which the AP can now decrypt correctly with its installed key. Thus, before the predetermined time interval T elapses, the AP successfully receives Message4, performs the subsequent processing in the conventional way, and confirms key negotiation success. It can be seen that with this method the AP eventually decrypts the ciphertext Message4 replied by the wireless client correctly and proceeds as a successful key negotiation, so the wireless client can be authenticated and access the AP.
Brief description of the drawings
Fig. 1 is a schematic flow diagram of the key negotiation process in RSN mode in the prior art;
Fig. 2 is a schematic flow diagram of the key negotiation method in a wireless network according to an embodiment of the present application;
Fig. 3 is a schematic diagram of the initial key negotiation process in an embodiment of the present application when the wireless client installs the key early;
Fig. 4 is a schematic structural diagram of the key negotiation device in a wireless network according to an embodiment of the present application.
Detailed description
As shown in Fig. 1, the prior-art key negotiation process in RSN mode comprises the following four steps:
Step S102: the AP sends the EAPOL-Key message Message1, carrying the random number ANonce, to the wireless client;
Step S104: after receiving Message1, the wireless client computes the PTK from the random number SNonce it generates, the negotiated PMK (Pairwise Master Key) and the random number ANonce carried in Message1, then uses the KCK (EAPOL-Key Confirmation Key) in the generated PTK to compute a MIC (Message Integrity Check), and sends the EAPOL-Key message Message2, carrying the random number SNonce and the MIC, to the AP;
Step S106: after receiving Message2, the AP computes the PTK from the random number ANonce, the negotiated PMK and the random number SNonce carried in Message2, then uses the KCK in the generated PTK to compute a MIC and performs a MIC check on Message2, that is, it compares the MIC it generated with the MIC carried in Message2: if the two MICs are identical the MIC check succeeds, otherwise it fails. After the MIC check succeeds, the AP generates the GTK from the random value GMK (Group Master Key) and the MAC (Media Access Control) address of the AP, and sends the EAPOL-Key message Message3, carrying a flag notifying the wireless client to install the key, the MIC and the GTK, to the wireless client;
Step S108: after receiving Message3, the wireless client first performs a MIC check on Message3, then sends the EAPOL-Key message Message4, carrying the key installation confirmation flag and a MIC, to the AP, and afterwards installs the PTK and GTK;
Step S110: after receiving Message4, the AP first performs a MIC check on Message4 and, once the check succeeds, installs the PTK and GTK.
Therefore, in RSN mode, if the wireless client installs the key early, that is, installs the key upon receiving Message3 and before replying Message4 to the AP, the Message4 it replies is an encrypted message, while the AP has not yet installed the key; the AP cannot decrypt the encrypted Message4 and can only discard it, and so considers Message4 not to have been successfully received. The AP then keeps retransmitting Message3 until the retransmission threshold is exceeded and handles the exchange as a key negotiation failure. Likewise, in WPA mode, when the wireless client installs the key early and the number of retransmissions of Message3 exceeds the retransmission threshold, the exchange is also handled as a key negotiation failure.
To solve the above problem in the prior art, the following embodiments of the present application provide a key negotiation method in a wireless network and a device that can apply the method.
The wireless network of the following embodiments comprises a wireless client and an AP. The method of the following embodiments can be applied to the initial key negotiation process as well as to the key negotiation process of a subsequent key update; it can be applied in RSN mode as well as in WPA mode.
As shown in Fig. 2, the key negotiation method of this embodiment is performed by the AP and comprises the following steps:
Step S202: the AP sends the EAPOL-Key message Message1 to the wireless client;
Step S204: the AP receives the EAPOL-Key message Message2 sent by the wireless client;
For the implementation of steps S202 to S204, see the prior art; it is not repeated here.
Step S206: the AP sends the EAPOL-Key message Message3 to the wireless client and starts a timer;
In practice, a retransmission timer can be used for the timing. For the implementation of sending the EAPOL-Key message Message3 to the wireless client, see the prior art; it is not repeated here.
Step S208: the AP judges whether it has successfully received the EAPOL-Key message Message4 sent by the wireless client before the predetermined time interval elapses. If Message4 was successfully received before the predetermined time interval elapsed, step S210 is performed; if after the predetermined time interval has elapsed Message4 still has not been successfully received, step S212 is performed;
Message4 can be confirmed as successfully received in the following two situations:
Situation one: both the wireless client and the AP have installed the key
In this case the Message4 sent by the wireless client is a ciphertext message encrypted with the key, and the AP successfully receiving Message4 means: the AP uses its currently installed key to correctly decrypt the received ciphertext Message4.
Situation two: neither the wireless client nor the AP has installed the key
In this case the Message4 sent by the wireless client is a plaintext message not encrypted with any key, and the AP successfully receiving Message4 means: the AP has received this plaintext Message4.
Step S210: perform the relevant processing according to the received Message4;
The relevant processing here comprises: in RSN mode, performing a MIC check on the received Message4 and, on success, confirming key negotiation success; in WPA mode, performing a MIC check on the received Message4 and, on success, confirming key negotiation success after exchanging a further two EAPOL-Key messages with the wireless client.
Step S212: perform the first operation or the second operation;
If this is the initial key negotiation process, the first operation, installing the key, is performed on the (2N-1)th execution of step S212, and the second operation, uninstalling the key, on the 2Nth execution. If this is the key negotiation process of a subsequent key update, the first operation, installing the new key, is performed on the (2N-1)th execution of step S212, and the second operation, installing the old key, on the 2Nth execution. N is a natural number greater than 0.
An existing retransmission timer lengthens its period after each timeout and then waits for the next timeout, that is, its period is extended after every single timeout. In this method, however, the AP performs one of two different operations, depending on the situation, after failing to receive Message4, so the back-off should be extended only after each of the two different operations has been performed once; otherwise the back-off would grow between the two different operations and prolong the time needed to come online. In the method of this embodiment, therefore, the retransmission timer extends its period after every two timeouts. For example, the successive periods of the retransmission timer are 5 seconds, 5 seconds, 6 seconds, 6 seconds, 8 seconds, 8 seconds, and so on.
In the technical solution of this embodiment, the AP sends the EAPOL-Key message Message3 to the wireless client and starts a timer; if after the predetermined time interval has elapsed it still has not successfully received the EAPOL-Key message Message4 sent by the wireless client, the AP performs the first operation or the second operation; the above steps are repeated until the number of retransmissions of Message3 exceeds the preset retransmission threshold, at which point key negotiation failure is confirmed. The first operation is installing the key and the second operation is uninstalling the key, or the first operation is installing a new key and the second operation is installing the old key; on the (2N-1)th execution of the above steps the first operation is performed, and on the 2Nth execution the second operation is performed, N being a natural number greater than 0.
Thus, under normal conditions, the AP starts its timer when it first sends Message3. Because the wireless client installs the key after replying Message4, the Message4 it replies is an unencrypted plaintext message, so the AP receives this plaintext Message4 before the predetermined time interval T elapses, performs the subsequent processing in the conventional way, and confirms key negotiation success, so that the wireless client can be authenticated and access the AP.
Under the abnormal condition in which the wireless client installs the key early, the AP starts its timer when it first sends Message3. The wireless client installs the key on receiving Message3, before replying Message4, so the Message4 it replies is ciphertext; the AP cannot decrypt this ciphertext Message4 and discards it, so before the predetermined time interval T elapses the AP has not successfully received Message4. The AP then installs the key, retransmits Message3 and restarts the timer. This retransmitted Message3 is now ciphertext; the wireless client can decrypt it correctly and replies a ciphertext Message4, which the AP can now decrypt correctly with its installed key. Thus, before the predetermined time interval T elapses, the AP successfully receives Message4, performs the subsequent processing in the conventional way, and confirms key negotiation success. It can be seen that with this method the AP eventually decrypts the ciphertext Message4 replied by the wireless client correctly and proceeds as a successful key negotiation, so the wireless client can be authenticated and access the AP.
Under the abnormal condition in which the first Message3 is lost, the AP starts its timer when it first sends Message3. Because this Message3 is lost in transit, the wireless client does not receive it and so does not reply Message4; the AP therefore receives no Message4 before the predetermined time interval T elapses, installs the key, retransmits Message3 and restarts the timer. This retransmitted Message3 is ciphertext, and since the wireless client has not yet installed the key it cannot decrypt it; it discards the ciphertext Message3 and does not reply Message4. So again the AP receives no Message4 before T elapses; it then uninstalls the key, retransmits Message3 once more and restarts the timer. This retransmitted Message3 is plaintext; after receiving it the wireless client replies Message4 and installs the key, the AP receives this plaintext Message4 before T elapses, performs the subsequent processing in the conventional way, and confirms key negotiation success, so that the wireless client can be authenticated and access the AP.
Under the abnormal condition in which the first Message4 is lost, the AP starts its timer when it first sends Message3; after receiving this Message3 the wireless client replies a plaintext Message4 and installs the key. Because this plaintext Message4 is lost in transit, the AP does not receive it before the predetermined time interval T elapses; it then installs the key, retransmits Message3 and restarts the timer. This retransmitted Message3 is ciphertext; the wireless client can decrypt it correctly with its installed key and replies a ciphertext Message4. The AP receives this ciphertext Message4 before T elapses and decrypts it correctly with its installed key, then performs the subsequent processing in the conventional way and confirms key negotiation success, so that the wireless client can be authenticated and access the AP.
The above method is described in detail below with a specific example: the initial key negotiation process in RSN mode, with a wireless client that installs the key early.
As shown in Fig. 3, the key negotiation method in this case comprises the following steps:
Step S302: the AP sends the EAPOL-Key message Message1 to the wireless client;
After receiving Message1, the wireless client sends the EAPOL-Key message Message2 to the AP;
Step S304: the AP receives the EAPOL-Key message Message2 sent by the wireless client;
Step S306: the AP sends the EAPOL-Key message Message3 to the wireless client; the Message3 sent at this point is a plaintext message. At the same time as sending it, the AP starts the retransmission timer;
After receiving Message3, the wireless client installs the key and sends the encrypted EAPOL-Key message Message4 to the AP; the Message4 sent at this point is a ciphertext message;
Step S308: because the AP has not yet installed the key, the ciphertext Message4 sent by the wireless client is discarded, and the AP considers that it has not received Message4;
Step S310: when the retransmission timer expires, since Message4 from the wireless client has not been successfully received, the AP installs the key; since the number of retransmissions of Message3 has not yet exceeded the preset retransmission threshold, it retransmits Message3, which is now a ciphertext message, and restarts the retransmission timer;
After receiving the ciphertext Message3, the wireless client, having already installed the key, can decrypt it correctly and replies a ciphertext Message4 in the conventional way;
Step S312: the AP receives the ciphertext Message4 and, having installed the key, can decrypt it correctly; that is, it has successfully received Message4 before the retransmission timer expires. After the MIC check on the decrypted plaintext Message4 succeeds, the AP performs the relevant processing and confirms key negotiation success.
Suppose the average timeout period of the retransmission timer is t and the retransmission threshold of Message3 is n. Then in the prior art, when the wireless client installs the key early, the time needed for key negotiation to succeed is T(wireless client installs the key early) = t × n; after adopting the method of this embodiment, the time needed for key negotiation to succeed is T(wireless client installs the key early) = t × 2.
For example, with t = 800 ms and n = 7, adopting the method of this embodiment shortens the time needed for key negotiation to succeed by 4 s.
It can be seen that when the wireless client installs the key early, using the method of this embodiment the AP eventually decrypts the ciphertext Message4 replied by the wireless client correctly and proceeds as a successful key negotiation, so the wireless client can be authenticated and access the AP.
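The AP-side retransmission logic of steps S206 to S212, the three abnormal cases (early key install, lost Message3, lost Message4) and the timing estimate T = t × n versus T = t × 2 above, as an added simulation; this is illustrative code written for this page, not code from the patent or from H3C. Encryption is modelled abstractly (a frame carries the label of the key it was encrypted with), and the key labels, timer values, retransmission threshold and client behaviours are constructed parameters, not values fixed by the patent; the simulation also covers the rekey variant (old key / new key) that the text describes but does not walk through.

```python
"""Simulation of the AP-side Message3 retransmission logic described in this
patent. Added illustration, not code from the patent or from H3C.
Encryption is modelled abstractly: a Frame carries the label of the key it
was encrypted with (None = plaintext) and a receiver can read it only if
its installed key has the same label. Timer values, the threshold, the key
labels and the client behaviours are constructed parameters."""

from dataclasses import dataclass, field
from typing import List, Optional, Sequence

NEW_KEY = "PTK"  # constructed label for the key being negotiated


@dataclass
class Frame:
    name: str
    key: Optional[str]  # label of the key it is encrypted with; None = plaintext


class Client:
    """Wireless client. early_install=True models the non-standard client
    that installs the key on receiving Message3, before replying Message4."""

    def __init__(self, early_install: bool, old_key: Optional[str] = None):
        self.early_install = early_install
        self.key = old_key  # None on first association, the old PTK on rekey

    def handle_message3(self, m3: Frame) -> Optional[Frame]:
        if m3.key != self.key:
            return None  # cannot decrypt: drop it, send no Message4
        if self.early_install:
            self.key = NEW_KEY  # install first ...
            return Frame("Message4", self.key)  # ... so the reply is ciphertext
        m4 = Frame("Message4", self.key)  # standard order: reply first ...
        self.key = NEW_KEY  # ... then install
        return m4


@dataclass
class Result:
    success: bool
    retransmissions: int  # Message3 retransmissions (first send not counted)
    elapsed_ms: int  # timer periods consumed, as in the page's T = t x n
    m3_keys: List[Optional[str]] = field(default_factory=list)


def run_handshake(client: Client, *, alternate: bool = True,
                  old_key: Optional[str] = None, threshold: int = 7,
                  timeouts_ms: Sequence[int] = (800,),
                  lose_m3: frozenset = frozenset(),
                  lose_m4: frozenset = frozenset()) -> Result:
    """Drive the AP from the first Message3 until success or failure.

    alternate=False is the prior art (the AP waits without touching its key);
    alternate=True is step B of the patent: after the (2N-1)-th timeout
    install the (new) key, after the 2N-th uninstall it (restore old_key).
    timeouts_ms is the timer period per send, last value repeating, so
    (5000, 5000, 6000, 6000, 8000, 8000) reproduces the page's example of
    lengthening the timer after every two timeouts.
    lose_m3 / lose_m4: 0-based send indices whose frame is lost on the air.
    The threshold is counted as in the page's estimate: failure once n
    timer periods have expired without a readable Message4.
    """
    ap_key = old_key
    elapsed = 0
    m3_keys: List[Optional[str]] = []
    for idx in range(threshold):
        period = timeouts_ms[min(idx, len(timeouts_ms) - 1)]
        m3 = Frame("Message3", ap_key)  # ciphertext iff the AP has a key installed
        m3_keys.append(ap_key)
        m4 = None if idx in lose_m3 else client.handle_message3(m3)
        if idx in lose_m4:
            m4 = None
        # Situation one / situation two of step S208: Message4 counts as
        # received only if the AP's current key state lets it read the frame.
        if m4 is not None and m4.key == ap_key:
            return Result(True, idx, elapsed + period, m3_keys)
        elapsed += period  # timer expired without a readable Message4
        if alternate:
            timeouts = idx + 1  # this is the (idx + 1)-th execution of step B
            ap_key = NEW_KEY if timeouts % 2 == 1 else old_key
    return Result(False, threshold - 1, elapsed, m3_keys)


def saving_ms(t_ms: int, n: int) -> int:
    """Time saved for an early-installing client: prior art t*n vs patent t*2."""
    prior = run_handshake(Client(True), alternate=False, threshold=n,
                          timeouts_ms=(t_ms,))
    new = run_handshake(Client(True), alternate=True, threshold=n,
                        timeouts_ms=(t_ms,))
    assert not prior.success and new.success
    return prior.elapsed_ms - new.elapsed_ms


if __name__ == "__main__":
    print(run_handshake(Client(early_install=True)))  # success after 1 retransmission
    print(run_handshake(Client(True), alternate=False))  # prior art: fails after n periods
    print(run_handshake(Client(False), lose_m3=frozenset({0})))  # plaintext again on 3rd send
    print("saved ms with t=800, n=7:", saving_ms(800, 7))  # 4000
```

The `m3_keys` field of each result shows the plaintext/ciphertext pattern of successive Message3 transmissions that claims 3 and the module description assert (plaintext on odd sends, ciphertext on even sends for the initial negotiation).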
Only RSN mode is described above; the key negotiation process in WPA mode is similar and is not repeated.
For the method for above-described embodiment, additionally provide the key agreement device in a kind of wireless network in the embodiment of the present application, this application of installation is on AP.
As shown in Figure 4, this device comprises with lower module: receiver module 10, processing module 20, unsuccessfully confirmation module 30 and successfully confirmation module 40, wherein:
Receiver module 10, for receiving the EAPOL-Key message Message4 that wireless client is sent;
Processing module 20, for performing steps A and step B, wherein, steps A comprises: send EAPOL-Key message Message3 to wireless client, and timing; Step B comprises: if after arrival predetermined time interval, receiver module 10 is the unsuccessful EAPOL-Key message Message4 receiving wireless client and send still, then perform the first operation or the second operation;
Failure confirms module 30, for control treatment module 20 repeated execution of steps A and step B, until when the number of retransmissions of Message3 exceedes default number of retransmissions threshold value, confirms key agreement failure;
Success confirms module 40, if before arriving predetermined time interval at the timing time of processing module 20, receiver module 10 successfully have received the EAPOL-Key message Message4 that wireless client is sent, then carry out relevant treatment according to this Message4, confirms key agreement success;
Wherein, the first operation is installation key, and the second operation is unloading key, or new key is installed in the first operation, and old key is installed in the second operation; Processing module 20 the 2N-1 time perform step B time, perform first operation, processing module 20 the 2N time perform step B time, perform second operate, N be greater than 0 natural number;
Wherein, when the first operation is installation key, when the second operation is unloading key, in the steps A that processing module 20 performs for the 2N-1 time, the Message3 to wireless client transmission is the plaintext message of non-key-encrypted; In the steps A that processing module 20 performs for the 2N time, the Message3 sent to wireless client is through the ciphertext message after secret key encryption.
Wherein, when new key is installed in the first operation, the second operation is when installing old key, and in the steps A that processing module 20 performs for the 2N-1 time, the Message3 sent to wireless client is through the ciphertext message after old secret key encryption; In the steps A that processing module 20 performs for the 2N time, to the ciphertext message be through after new key encryption that wireless client sends.
Wherein, success confirms module 40, when Message4 specifically for sending when wireless client is the ciphertext message after encryption, receiver module 10 uses the key of current installation correctly to decipher the Message4 of the ciphertext received, then determine successfully to have received the Message4 that wireless client is sent; When the Message4 that wireless client is sent is the plaintext message of non-key-encrypted, receiver module 10 have received the Message4 of this plaintext, then determine successfully to have received the Message4 that wireless client is sent.
Wherein, after processing module 20 often performs twice step B, extend predetermined time interval.
To sum up, the above embodiment of the application can reach following technique effect:
Shift to an earlier date the abnormal conditions of installation key at wireless client under, AP starts timing when sending Message3 first, after wireless client receives Message3, and it is front with regard to installation key to reply Message4, therefore, the Message4 replied is the ciphertext message after encryption, AP cannot decipher the Message4 of this ciphertext, discard processing can be done, therefore, before predetermined time interval T arrives, AP successfully cannot receive Message4, then retransmit Message3 after installation key and start timing, the Message3 of now this re-transmission is ciphertext message, wireless client correctly can be deciphered the Message3 of this ciphertext received and reply the Message4 of ciphertext, the key of installation can be used correctly to decipher after AP receives the Message4 of this ciphertext, thus, before predetermined time interval T arrives, AP successfully have received Message4, then can conventionally perform follow-up relevant treatment, confirm key agreement success.Visible, according to the method described above, AP finally correctly can decipher the Message4 of ciphertext that wireless client is replied, and successfully processes according to key agreement, makes wireless client can success identity access AP.
The foregoing is only the preferred embodiment of the application, not in order to limit the application, within all spirit in the application and principle, any amendment made, equivalent replacements, improvement etc., all should be included within scope that the application protects.

Claims (12)

1. A key negotiation method in a wireless network, characterized by comprising:
A. a wireless access point (AP) sends an Extensible Authentication Protocol over LAN key (EAPOL-Key) message Message3 to a wireless client and starts timing;
B. if, after the predetermined time interval has elapsed, the AP still has not successfully received the EAPOL-Key message Message4 sent by the wireless client, the AP performs a first operation or a second operation;
steps A and B are repeated until the number of retransmissions of Message3 exceeds a preset retransmission threshold, at which point key negotiation is confirmed to have failed;
wherein the first operation is installing the key and the second operation is uninstalling the key, or the first operation is installing a new key and the second operation is installing an old key; when step B is performed for the (2N-1)th time, the first operation is performed, and when step B is performed for the 2Nth time, the second operation is performed, N being a natural number greater than 0.
2. The method according to claim 1, characterized by further comprising:
if the Message4 is successfully received before the predetermined time interval elapses, the AP performs related processing according to the Message4 and confirms that key negotiation has succeeded.
3. The method according to claim 1, characterized in that, when the first operation is installing the key and the second operation is uninstalling the key:
in step A performed for the (2N-1)th time, the Message3 sent to the wireless client is a plaintext message not encrypted with a key;
in step A performed for the 2Nth time, the Message3 sent to the wireless client is a ciphertext message encrypted with the key.
4. The method according to claim 1, characterized in that, when the first operation is installing a new key and the second operation is installing an old key:
in step A performed for the (2N-1)th time, the Message3 sent to the wireless client is a ciphertext message encrypted with the old key;
in step A performed for the 2Nth time, the Message3 sent to the wireless client is a ciphertext message encrypted with the new key.
5. The method according to claim 2, characterized in that successfully receiving the Message4 comprises:
when the Message4 sent by the wireless client is a ciphertext message encrypted with the key, the AP correctly decrypts the received ciphertext Message4 using the currently installed key and then determines that the Message4 sent by the wireless client has been successfully received;
when the Message4 sent by the wireless client is a plaintext message not encrypted with a key, the AP receives that plaintext Message4 and then determines that the Message4 sent by the wireless client has been successfully received.
6. The method according to claim 1, characterized in that each time step B has been performed twice, the predetermined time interval is extended.
7. A key negotiation device in a wireless network, characterized in that it is applied in a wireless access point (AP) in the wireless network, the device comprising:
a receiving module, for receiving the Extensible Authentication Protocol over LAN key (EAPOL-Key) message Message4 sent by a wireless client;
a processing module, for performing step A and step B, wherein step A comprises: sending the EAPOL-Key message Message3 to the wireless client and starting timing; and step B comprises: if, after the predetermined time interval has elapsed, the receiving module still has not successfully received the EAPOL-Key message Message4 sent by the wireless client, performing a first operation or a second operation;
a failure confirmation module, for controlling the processing module to repeat steps A and B until the number of retransmissions of Message3 exceeds a preset retransmission threshold, and then confirming that key negotiation has failed;
wherein the first operation is installing the key and the second operation is uninstalling the key, or the first operation is installing a new key and the second operation is installing an old key; when the processing module performs step B for the (2N-1)th time, it performs the first operation, and when the processing module performs step B for the 2Nth time, it performs the second operation, N being a natural number greater than 0.
8. The device according to claim 7, characterized by further comprising:
a success confirmation module, for, if the receiving module successfully receives the Message4 before the timer of the processing module reaches the predetermined time interval, performing related processing according to the Message4 and confirming that key negotiation has succeeded.
9. The device according to claim 7, characterized in that, when the first operation is installing the key and the second operation is uninstalling the key:
in step A performed by the processing module for the (2N-1)th time, the Message3 sent to the wireless client is a plaintext message not encrypted with a key;
in step A performed by the processing module for the 2Nth time, the Message3 sent to the wireless client is a ciphertext message encrypted with the key.
10. The device according to claim 7, characterized in that, when the first operation is installing a new key and the second operation is installing an old key:
in step A performed by the processing module for the (2N-1)th time, the Message3 sent to the wireless client is a ciphertext message encrypted with the old key;
in step A performed by the processing module for the 2Nth time, the Message3 sent to the wireless client is a ciphertext message encrypted with the new key.
11. The device according to claim 8, characterized in that the success confirmation module is specifically configured so that, when the Message4 sent by the wireless client is a ciphertext message encrypted with the key and the receiving module correctly decrypts the received ciphertext Message4 using the currently installed key, it determines that the Message4 sent by the wireless client has been successfully received; and when the Message4 sent by the wireless client is a plaintext message not encrypted with a key and the receiving module has received that plaintext Message4, it determines that the Message4 sent by the wireless client has been successfully received.
12. The device according to claim 7, characterized in that each time the processing module has performed step B twice, the predetermined time interval is extended.
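To make the retry logic of claims 1, 3, 5 and 6 and the technical effect described in the embodiment concrete, the following is an added Python simulation of the AP-side state machine; it is not code from the patent or from H3C. The `Client` class, the symbolic `(name, key)` message model (a message "encrypted" under a key label can only be read by a party holding that label), the `ptk` label and the doubling of the timer interval are all assumptions made for the simulation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Msg:
    """EAPOL-Key message modelled symbolically: key=None means plaintext,
    otherwise the message is 'encrypted' under that key label (assumption)."""
    name: str
    key: Optional[str]

class Client:
    """Simulated wireless client (assumed model). With install_early=True it
    installs the key on receiving Message3, before replying (the abnormal
    case in the description); otherwise it replies first, then installs."""
    def __init__(self, ptk: str, install_early: bool, silent: bool = False):
        self.ptk, self.install_early, self.silent = ptk, install_early, silent
        self.installed: Optional[str] = None

    def handle_message3(self, m3: Msg) -> Optional[Msg]:
        if self.silent or (m3.key is not None and m3.key != self.installed):
            return None                      # undecryptable or lost: no reply
        if self.install_early:
            self.installed = self.ptk        # installs before replying
        reply = Msg("Message4", self.installed)
        self.installed = self.ptk            # normal client installs after replying
        return reply

Trace = List[Tuple[Optional[str], Optional[str], float]]

def ap_negotiate(client: Client, ptk: str, max_retx: int,
                 interval: float = 1.0) -> Tuple[bool, int, Trace]:
    """AP side of claims 1, 3, 5 and 6. Returns (success, retransmissions,
    trace); each trace entry is (key Message3 was sent under, key of the
    Message4 that came back or None if nothing came back, timer interval)."""
    installed: Optional[str] = None
    step_b_count, retx, trace = 0, 0, []
    while True:
        m3 = Msg("Message3", installed)      # step A: ciphertext iff key installed
        m4 = client.handle_message3(m3)
        # claim 5: plaintext Message4 always counts as received; a ciphertext
        # Message4 counts only if it decrypts under the currently installed key
        ok = m4 is not None and (m4.key is None or m4.key == installed)
        trace.append((m3.key, m4.key if m4 else None, interval))
        if ok:
            return True, retx, trace
        if retx + 1 > max_retx:              # retransmission threshold exceeded
            return False, retx, trace
        step_b_count += 1                    # step B runs on timeout
        installed = ptk if step_b_count % 2 == 1 else None  # odd: install, even: uninstall
        if step_b_count % 2 == 0:
            interval *= 2                    # claim 6: extend timer every two step Bs (doubling assumed)
        retx += 1
```

Running `ap_negotiate(Client("ptk", install_early=True), "ptk", 3)` reproduces the described effect: the first plaintext Message3 draws a ciphertext Message4 the AP cannot read, the AP installs the key and retransmits, and the second exchange succeeds after one retransmission.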
CN201410519532.6A 2014-09-30 2014-09-30 Cryptographic key negotiation method and device in wireless network Active CN104270752B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410519532.6A CN104270752B (en) 2014-09-30 2014-09-30 Cryptographic key negotiation method and device in wireless network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410519532.6A CN104270752B (en) 2014-09-30 2014-09-30 Cryptographic key negotiation method and device in wireless network

Publications (2)

Publication Number Publication Date
CN104270752A true CN104270752A (en) 2015-01-07
CN104270752B CN104270752B (en) 2017-10-27

Family

ID=52162223

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410519532.6A Active CN104270752B (en) 2014-09-30 2014-09-30 Cryptographic key negotiation method and device in wireless network

Country Status (1)

Country Link
CN (1) CN104270752B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5506905A (en) * 1994-06-10 1996-04-09 Delco Electronics Corp. Authentication method for keyless entry system
US6590981B2 (en) * 2000-02-22 2003-07-08 Zyfer, Inc. System and method for secure cryptographic communications
CN1689268A (en) * 2003-05-22 2005-10-26 富士通株式会社 Encrypted data reception device and decryption key updating method
CN102025685A (en) * 2009-09-21 2011-04-20 华为技术有限公司 Authentication processing method and device
CN103888941A (en) * 2012-12-20 2014-06-25 杭州华三通信技术有限公司 Method and device for key negotiation of wireless network

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104917595A (en) * 2015-06-16 2015-09-16 四川长虹通信科技有限公司 Secret key switching method and system in encryption communication process
CN104917595B (en) * 2015-06-16 2018-04-27 四川长虹通信科技有限公司 Key switching method and system during a kind of coded communication
CN107959552A (en) * 2017-10-27 2018-04-24 浙江众合科技股份有限公司 Single channel realizes the method and system of request confirmation operation
CN107959552B (en) * 2017-10-27 2023-08-22 浙江浙大网新众合轨道交通工程有限公司 Method and system for realizing request confirmation operation in single channel

Also Published As

Publication number Publication date
CN104270752B (en) 2017-10-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.

GR01 Patent grant
GR01 Patent grant