WO2007098692A1 - An apparatus for testing the protocol conformance of the security accessing of network terminal and the method thereof - Google Patents


Info

Publication number: WO2007098692A1
Application number: PCT/CN2007/000635
Authority: WO (WIPO, PCT)
Prior art keywords: protocol, access protocol, data packet, secure access, testing
Other languages: French (fr), Chinese (zh)
Inventors: Bianling Zhang, Jun Cao, Xuefeng Tu
Original assignee: China Iwncomm Co., Ltd.
Application filed by China Iwncomm Co., Ltd.
Publication of WO2007098692A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/03: Protocol definition or specification

Definitions

  • the present invention relates to the field of network security access protocol testing, and more particularly to a method and apparatus for security access protocol compliance testing of network terminals.
  • IP: Internet Protocol
  • the network carries a wide variety of services, and has been involved in all aspects of the national economy and society.
  • Wireless IP networks transmit data through radio waves, and the physical openness of the network reaches a new stage. As a result, secure access is a key issue for the secure operation of wired and wireless networks.
  • the secure access system of an IP network mainly involves three network entities: a network terminal, an access point (AP, Access Point), and an authentication server.
  • the network terminal requests to access the network and enjoy various resources provided by the network;
  • the access point is an edge device of the IP internetwork, and is an entity that provides an access service for the network user;
  • the authentication server is an entity that provides the user identity authentication service.
  • the network terminal product security access protocol test system mainly includes the WI-FI (Wireless Fidelity) Alliance for the IEEE (Institute of Electrical and Electronics Engineers) 802.11 standard interoperability test system and some auxiliary management test systems for wireless LAN applications.
  • the auxiliary management test system mainly provides information about the installation and application of the network system by monitoring the physical channel and the state of the network.
  • the interoperability test system of the WI-FI Alliance verifies the correctness of protocol implementation in the device under test by testing the interoperability of the device under test and the performance of the communication device, that is, protocol compliance detection.
  • a typical application is used for compliance testing, that is, the benchmark device and the device under test are tested by interoperability of higher layer protocols.
  • the test result therefore depends on the implementation of the higher-layer protocol at both ends of the communication and may deviate: for example, the device under test may implement the secure access protocol correctly yet be unable to interoperate with the reference device, so such a test is incomplete. Because the result is decided by interoperability and communication performance, the degree of correctness of the reference device's implementation seriously affects the accuracy of the result; and even when the result is correct, the tester can hardly obtain error-location information for a device under test that failed.
  • the present invention solves the above technical problems of the background art by providing a method and apparatus for secure access protocol conformance testing of a network terminal that improve the accuracy of the test result and lower the requirement on the correctness of the reference device.
  • the technical solution of the present invention is: a method for conformance testing of a secure access protocol for a network terminal, comprising the following steps:
  • the above secure access protocol is the WAPI (Wireless Local Area Network Authentication and Privacy Infrastructure) protocol or the IEEE 802.11i protocol.
  • the method further includes: when the terminal to be tested and the reference access point configure a WAPI-enabled combination, detecting interoperability between the terminal to be tested and the reference access point.
  • the combinations of WAPI-enabled configurations on the terminal to be tested and the reference access point include:
  • the terminal to be tested enables the WAPI security mechanism in WAI (Wireless Local Area Network Authentication Infrastructure) pre-shared key authentication and key management mode, and the reference access point adopts the WAPI security mechanism in certificate authentication and key management mode; or
  • the terminal to be tested enables the WAPI security mechanism in WAI certificate authentication and key management mode, and the reference access point adopts the WAPI security mechanism in pre-shared key authentication and key management mode.
  • the foregoing secure access protocol data packets include: the authentication activation frame, access authentication request, certificate authentication request, certificate authentication response, access authentication response, unicast key negotiation request, unicast key negotiation response, unicast key negotiation acknowledgement, multicast key announcement and/or multicast key announcement response in WAI; and/or the unicast data frame in WPI (Wireless Local Area Network Privacy Infrastructure).
  • WAI: Wireless Local Area Network Authentication Infrastructure
  • the method further includes: if fewer secure access protocol data packets are captured than the set protocol data packets, the terminal to be tested fails the test.
  • the method further includes: locally storing a terminal certificate of the terminal to be tested;
  • for each packet type, analyzing and detecting the encapsulation format of the captured secure access protocol data packet consists of the field checks listed in the description for the access authentication request, the key negotiation response, the multicast key announcement response and the unicast data frame.
  • MSKID: Multicast Key Identifier
  • the present invention also provides a method for security access protocol compliance testing of a network terminal, comprising the steps of:
  • the setting condition may include: the captured secure access protocol data packet is not less than a set type of protocol data packet.
  • the setting condition may include: the order in which the secure access protocol data packets are captured conforms to the protocol.
  • the setting condition may include: the fields encapsulated in the captured secure access protocol data packets of the set types meet the protocol requirements.
  • the set type of secure access protocol data packet includes: an access authentication request, a key agreement response, a multicast key notification response, and/or a unicast data frame.
  • the method further includes: detecting interoperability between the terminal to be tested and the reference access point when the terminal to be tested and the reference access point are configured to be WAPI enabled.
  • the present invention also provides an apparatus for secure access protocol compliance testing of a network terminal, comprising a packet capture unit and a packet inspection unit, wherein:
  • the data packet capture unit is configured to capture the secure access authentication protocol data packets of the terminal to be tested during the secure access authentication process.
  • the packet detecting unit is configured to detect whether the captured data packet meets the set condition and pass the test when the set condition is met.
  • the setting condition may include: the captured secure access protocol data packet is not less than a set type of protocol data packet.
  • the setting condition may include: the order in which the secure access protocol data packets are captured conforms to the protocol.
  • the device further includes a storage unit for storing a terminal certificate of the terminal to be tested.
  • the setting condition may include: the fields encapsulated in the captured secure access protocol data packets of the set types conform to the protocol.
  • the set types of secure access protocol data packet include: the access authentication request, the key negotiation response, the multicast key announcement response and/or the unicast data frame.
  • the detecting whether the captured data packet meets the set condition comprises detecting according to the terminal certificate of the terminal to be tested.
  • the secure access protocol is a WAPI protocol.
  • the invention is used for testing the correctness and consistency of the implementation of the network terminal security access protocol.
  • the invention captures and inspects the secure access protocol data packets of the terminal to be tested during the secure access authentication process, so that the test result is no longer tied to the implementation of the higher-layer protocol; a correct test result can be obtained even when the implementation of the reference device deviates, which improves the accuracy of the test result.
  • applying the present invention not only yields a detection result but also, from the detailed information obtained from the protocol data packets, accurately locates the place where the protocol is implemented incorrectly.
  • the combinations of WAPI-enabled configurations of the terminal to be tested and the reference access point can be tested, simulation tests for abnormal situations that may occur are added, and products that pass the test fully comply with the standard and interoperate.
  • FIG. 1 is a topological structural diagram of a system of the present invention
  • FIG. 2 is a flow chart of an embodiment of a compliance testing method according to the present invention.
  • FIG. 3 is a schematic structural view of the compliance testing device of the present invention.
  • the WAPI protocol or the IEEE 802.11i protocol can be applied to the method of the present invention, and the steps are as follows:
  • the present invention can be applied to the system structure shown in FIG. 1, which includes a monitoring console 1, a hub 2, a reference access point 3, a reference authentication server 4 and a terminal 5 to be tested; the monitoring console 1, the reference authentication server 4 and the reference access point 3 are connected to the hub 2, and the terminal 5 to be tested is associated with the reference access point 3 over a wireless link.
  • the terminal 5 to be tested may be a notebook computer with a network adapter.
  • the reference authentication server 4 issues the access point certificate and the terminal certificate and installs them into the terminal 5 to be tested, the reference access point 3 and the monitoring console 1.
  • the terminal 5 to be tested is associated with the reference access point 3; the monitoring console 1 captures the WAPI protocol data packets of the terminal 5 to be tested during the WAPI identity authentication process and gives an analysis result.
  • monitoring console 1 can be a single device or other network device integrated with the monitoring console function.
  • Step S210 Activate the WAPI authentication process, that is, the terminal to be tested starts the WAPI identity authentication process.
  • Step S220 The monitoring console captures the WAPI protocol data packet in the terminal authentication process of the terminal to be tested.
  • Step S230 If the WAPI protocol packet capture is incomplete, the terminal to be tested fails the WAPI test; otherwise, the captured data is further processed according to step S240;
  • a series of WAPI protocol packets need to be exchanged with the reference device (including the reference access point and the reference authentication server) according to the protocol.
  • the tester can set, according to the needs of the application, which WAPI protocol packets the monitoring console must capture; if they are not all captured, the terminal fails the test.
  • the WAPI protocol data packets that can be captured include: the authentication activation frame, access authentication request, certificate authentication request, certificate authentication response, access authentication response, unicast key negotiation request, unicast key negotiation response, unicast key negotiation acknowledgement, multicast key announcement and multicast key announcement response in WAI; and the unicast data frames in WPI.
  • Step S240 Analyze and detect the encapsulation format and protocol flow of the captured WAPI protocol data packets.
  • the tester can set the conditions for passing the WAPI test according to the needs of the application; for example, the tester can specify that the test fails when the WAPI protocol packets are captured in a sequence that does not comply with the protocol.
  • the following is an example of detecting whether the access authentication request, key negotiation response, multicast key announcement response and unicast data frame generated by the terminal to be tested comply with the protocol; the other captured protocol packets may be used to assist the analysis of the correctness of the protocol packets generated by the terminal under test.
  • the analysis and detection process of the access authentication request can be as follows:
  • the analysis and detection process of the unicast key negotiation response can be as follows:
  • the analysis and detection process of the multicast key notification response can be as follows:
  • the comparison key advertisement identifier field value is the same as the key advertisement identifier field value in the multicast key advertisement packet sent by the access point;
  • the analysis and detection process of unicast data frames can be as follows:
  • the pass condition is set so that the terminal passes the protocol conformance test only when all of the above test items pass; that is, if any one item fails, the test result of the terminal to be tested is "not passed".
  • the tester can also select some of the above test items for testing as needed.
  • step S250 may further be added to test the combinations of WAPI-enabled configurations of the terminal to be tested and the reference access point.
  • Step S250: The WAPI-enabled combination is configured in the terminal to be tested and the reference access point respectively, and the correctness of the access control function of the terminal to be tested is determined by detecting whether the terminal to be tested can communicate with the reference access point.
  • the combinations of WAPI-enabled configurations of the terminal to be tested and the reference access point include:
  • the WAPI pre-shared key authentication and key management mode WAPI security mechanism is enabled for the terminal to be tested, and the reference access point adopts the WAPI security mechanism of certificate authentication and key management.
  • the WAPI certificate authentication and key management mode WAPI security mechanism is enabled for the terminal to be tested, and the reference access point adopts the WAPI security mechanism of pre-shared key authentication and key management.
  • step S250 has no order relationship with step S210 to step S240.
  • Step S250 may be performed before step S210 or after step S240, and the effect is completely the same.
  • the secure access protocol compliance testing apparatus for the network terminal in the present invention may have the structure shown in FIG. 3, and includes at least a packet capturing unit 310 and a packet detecting unit 320, and may further include a storage unit 330.
  • the packet capture unit 310 captures the secure access authentication protocol packets of the terminal under test during the secure access authentication process and outputs them to the packet detecting unit 320.
  • the packet detecting unit 320 detects whether the captured packet meets the set condition, passes the test when the set condition is met, and otherwise fails the compliance test.
  • the storage unit 330 may store the terminal certificate of the terminal to be tested.
  • the packet detecting unit 320 reads the terminal certificate from the storage unit 330 for the corresponding detection.
  • the setting conditions can be stored in the storage unit 330.
  • the set conditions adopted by the packet detecting unit 320 may include: the captured secure access protocol packets are not fewer than the set types of protocol packet, the sequence of the captured secure access protocol packets conforms to the protocol, and/or the fields encapsulated in the captured secure access protocol packets of the set types conform to the protocol.
  • the set type of secure access protocol data packet may include an access authentication request, a key agreement response, a multicast key notification response, and/or a unicast data frame.
  • the remaining details are the same as in the method embodiment above and are not repeated here.
  • the invention is designed based on a network terminal and can be used for testing the correctness and consistency of the security access protocol implementation of the network terminal produced by the equipment manufacturer.
  • the invention does not rely on protocol interoperability testing alone: besides testing the interoperability between the network terminal to be tested and the reference access point and authentication server, it captures, parses and analyzes the data of the complete secure access protocol exchange, and on this basis analyzes the secure access protocol process as implemented and adds simulation tests of abnormal situations, which ensures that products passing the test fully comply with the standard and interoperate.
  • the invention has the following advantages:
  • test results are more accurate.
  • the invention introduces the capture of relevant protocol data and a complete analysis method to make the test results more accurate.
  • test data is complete. Since the test process includes a complete data capture analysis, detailed information on the protocol data in the device under test can be given.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An apparatus and method for testing the protocol conformance of the secure access of a network terminal. The method comprises: capturing the secure access protocol data packets during the secure access authentication procedure of the terminal to be tested; and analyzing and detecting the encapsulation format and protocol flow of the captured secure access protocol data packets. The test result is no longer tied to the implementation of the higher-layer protocol, a correct result can be obtained even when the implementation of the reference equipment deviates, and the accuracy of the test is thereby improved. The position where an error occurs can be located exactly from the detailed information obtained from the protocol packet data, simulated testing of possible abnormal conditions is added, and it is guaranteed that every device passing the test conforms to the standard and interoperates.

Description

Method and apparatus for conformance testing of a secure access protocol for a network terminal. This application claims priority to Chinese patent application No. 200610041848.4, filed with the Chinese Patent Office on February 28, 2006 and entitled "Method and system for secure access protocol conformance testing of a network terminal", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of network secure access protocol testing, and more particularly to a method and apparatus for secure access protocol conformance testing of network terminals.
Background art
IP (Internet Protocol) networks carry an ever wider variety of services and have entered every level of the national economy and society; wireless IP networks, which transmit data over radio waves, take the physical openness of the network to a new stage. Secure access has therefore become a key issue for the secure operation of wired and wireless networks.
The secure access system of an IP network mainly involves three network entities: the network terminal, the access point (AP) and the authentication server. The network terminal requests access to the network to use the resources it provides; the access point is an edge device of the IP internetwork and the entity that provides the access service to network users; the authentication server is the entity that provides the user identity authentication service.
The existing test systems for the secure access protocol of network terminal products are mainly the Wi-Fi (Wireless Fidelity) Alliance interoperability test system for the IEEE (Institute of Electrical and Electronics Engineers) 802.11 standard and some auxiliary management test systems for wireless LAN applications. The auxiliary management test systems mainly provide information about the installation and use of the network system by monitoring the physical channel and the state of the network. The Wi-Fi Alliance interoperability test system verifies the correctness of the protocol implementation in the device under test by testing the interoperability between the device under test and the reference device and the performance of the communication, that is, protocol conformance detection.
In the prior art, a typical application is used for conformance testing, that is, the reference device and the device under test are tested through the interoperability of higher-layer protocols. The test result depends on the implementation of the higher-layer protocol at both ends of the communication and may deviate: for example, the device under test may implement the secure access protocol correctly yet be unable to interoperate with the reference device, so such a test is incomplete. Because the result is decided by interoperability and communication performance, the degree of correctness of the reference device's implementation seriously affects the accuracy of the result; and even when the result is correct, the tester can hardly obtain error-location information for a device under test that failed.
Summary of the invention
To solve the above technical problems of the background art, the present invention provides a method and apparatus for secure access protocol conformance testing of a network terminal that improve the accuracy of the test result and lower the requirement on the correctness of the reference device.
The technical solution of the present invention is a method for secure access protocol conformance testing of a network terminal, comprising the following steps:
capturing the secure access protocol data packets during the secure access authentication process of the terminal to be tested;
analyzing and detecting the encapsulation format and protocol flow of the captured secure access protocol data packets.
The above secure access protocol is the WAPI (Wireless Local Area Network Authentication and Privacy Infrastructure) protocol or the IEEE 802.11i protocol.
When the secure access protocol is the WAPI protocol, the method further includes: when the terminal to be tested and the reference access point are configured with a combination of WAPI-enabled settings, detecting the interoperability between the terminal to be tested and the reference access point.
The combinations of WAPI-enabled configurations of the terminal to be tested and the reference access point include:
the terminal to be tested enables the WAPI security mechanism in WAI (Wireless Local Area Network Authentication Infrastructure) pre-shared key authentication and key management mode, and the reference access point adopts the WAPI security mechanism in certificate authentication and key management mode; or
the terminal to be tested enables the WAPI security mechanism in WAI certificate authentication and key management mode, and the reference access point adopts the WAPI security mechanism in pre-shared key authentication and key management mode.
The above secure access protocol data packets include: the authentication activation frame, access authentication request, certificate authentication request, certificate authentication response, access authentication response, unicast key negotiation request, unicast key negotiation response, unicast key negotiation acknowledgement, multicast key announcement and/or multicast key announcement response in WAI; and/or the unicast data frame in WPI (Wireless Local Area Network Privacy Infrastructure).
The method further includes: if fewer secure access protocol data packets are captured than the set protocol data packets, the terminal to be tested fails the test.
The method further includes: locally storing the terminal certificate of the terminal to be tested.
For the access authentication request, analyzing and detecting the encapsulation format of the captured secure access protocol data packet includes:
checking whether the version number complies with the standard;
checking whether the value of the data length field equals the length of the data field;
comparing whether the value of the authentication identifier field is the same as the value of the authentication identifier field in the authentication packet sent by the access point;
checking whether the encapsulation format and length of the ASUE (authentication supplicant entity) challenge, ASUE key data, terminal identity, ECDH (elliptic curve key exchange) parameter and ASUE signature fields comply with the standard.
For the key negotiation response, analyzing and detecting the encapsulation format of the captured secure access protocol data packet includes:
checking whether the version number complies with the standard;
checking whether the value of the data length field equals the length of the data field;
verifying whether the lengths of the BKID (base key identifier), USKID (unicast session key identifier), ADDID (address index), ASUE challenge and WIE (WAPI information element) fields agree with the standard;
checking whether the value of the AE (authenticator entity) challenge field is the same as the value of the AE challenge field in the unicast key negotiation request sent by the access point; and/or
checking whether the length of the message authentication code field agrees with the standard.
For the multicast key announcement response, analyzing and detecting the encapsulation format of the captured secure access protocol data packet includes:
checking whether the version number complies with the standard;
checking whether the value of the data length field equals the length of the data field;
comparing whether the value of the MSKID (multicast session key identifier) field is the same as the value of the MSKID field in the multicast key announcement packet sent by the access point;
comparing whether the value of the USKID field is the same as the value of the USKID field in the multicast key announcement packet sent by the access point;
comparing whether the value of the key announcement identifier field is the same as the value of the key announcement identifier field in the multicast key announcement packet sent by the access point; and/or
checking whether the length of the message authentication code field agrees with the standard.
For the unicast data frame, analyzing and detecting the encapsulation format of the captured secure access protocol data packet includes:
checking whether the value of the session key index field is within the range specified by the standard;
checking whether the value of the data packet sequence number field is within the range specified by the standard; and/or
determining whether the value of the data packet sequence number field is even.
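The following is an added example, written for this page and not taken from the patent or from China Iwncomm, of how the capture-and-inspect test of steps S230 and S240 (capture completeness, packet order, and the per-packet field checks just listed) can be realised in code. It represents captured WAI/WPI packets as plain dictionaries with assumed field names (`auth_id`, `asue_challenge`, `bkid`, `mskid`, `packet_seq` and so on), takes the expected packet order from the page's WAI/WPI packet list, stands in for the storage unit's terminal certificate with a constructed `TERMINAL_CERT`, and uses placeholder numeric limits wherever the page only says "as specified in the standard". The sample capture is constructed, not real traffic.

```python
"""Added example (not the patent's own code): a capture-and-inspect conformance checker modelled on
steps S230-S240 of WO2007098692A1. Packet records are a constructed, simplified representation of
captured WAI/WPI packets, not the WAPI wire format; every numeric limit is an assumed placeholder."""
from typing import List, Tuple

EXPECTED_VERSION, CHALLENGE_LEN, MAC_LEN = 1, 32, 20                          # assumed placeholders
FIELD_LENGTHS = {"bkid": 16, "uskid": 1, "addid": 12, "asue_challenge": 32, "mac": 20}  # assumed
SESSION_KEY_INDEX_RANGE, PACKET_SEQ_RANGE = range(4), range(1 << 32)        # assumed placeholders
EXPECTED_SEQUENCE = [  # packet types the monitoring console is set to capture, in protocol order
    "auth_activation", "access_auth_request", "certificate_auth_request", "certificate_auth_response",
    "access_auth_response", "unicast_key_request", "unicast_key_response", "unicast_key_confirm",
    "multicast_key_announce", "multicast_key_response", "unicast_data"]
TERMINAL_CERT = {"identity": "sta-01"}  # constructed stand-in for the locally stored terminal certificate

def first_of(capture, ptype):
    return next((p for p in capture if p["type"] == ptype), None)

def check_capture_complete(capture):  # step S230: every set packet type must have been captured
    seen = {p["type"] for p in capture}
    return [(t, "not captured") for t in EXPECTED_SEQUENCE if t not in seen]

def check_sequence(capture):  # set condition: packets of the set types appear in protocol order
    order, findings, last = {t: i for i, t in enumerate(EXPECTED_SEQUENCE)}, [], -1
    for p in capture:
        pos = order.get(p["type"], last)  # unknown packet types do not affect the order check
        if pos < last:
            findings.append((p["type"], "captured out of protocol order"))
        last = max(last, pos)
    return findings

def header_checks(p):  # version and length-field checks shared by the terminal's WAI packets
    f = [(p["type"], "version field not as specified")] if p["version"] != EXPECTED_VERSION else []
    if p["length"] != len(p["data"]):
        f.append((p["type"], "length field does not match data length"))
    return f

def check_access_auth_request(capture, cert):
    req, act = first_of(capture, "access_auth_request"), first_of(capture, "auth_activation")
    f = header_checks(req)
    if act and req["auth_id"] != act["auth_id"]:
        f.append((req["type"], "authentication identifier differs from AP's activation frame"))
    if len(req["asue_challenge"]) != CHALLENGE_LEN:
        f.append((req["type"], "ASUE challenge has wrong length"))
    if req["terminal_identity"] != cert["identity"]:  # detection against the stored terminal certificate
        f.append((req["type"], "terminal identity does not match stored terminal certificate"))
    return f

def check_unicast_key_response(capture):
    resp, req = first_of(capture, "unicast_key_response"), first_of(capture, "unicast_key_request")
    f = header_checks(resp)
    f += [(resp["type"], f"{n} field has wrong length") for n, want in FIELD_LENGTHS.items()
          if len(resp[n]) != want]
    if req and resp["ae_challenge"] != req["ae_challenge"]:
        f.append((resp["type"], "AE challenge differs from AP's unicast key negotiation request"))
    return f

def check_multicast_key_response(capture):
    resp, ann = first_of(capture, "multicast_key_response"), first_of(capture, "multicast_key_announce")
    f = header_checks(resp)
    f += [(resp["type"], f"{n} differs from AP's multicast key announcement")
          for n in ("mskid", "uskid", "key_announce_id") if ann and resp[n] != ann[n]]
    if len(resp["mac"]) != MAC_LEN:
        f.append((resp["type"], "message authentication code has wrong length"))
    return f

def check_unicast_data(capture):
    frame, f = first_of(capture, "unicast_data"), []
    if frame["session_key_index"] not in SESSION_KEY_INDEX_RANGE:
        f.append((frame["type"], "session key index out of range"))
    if frame["packet_seq"] not in PACKET_SEQ_RANGE:
        f.append((frame["type"], "packet sequence number out of range"))
    elif frame["packet_seq"] % 2:  # the page's last check: the sequence number must be even
        f.append((frame["type"], "packet sequence number is odd"))
    return f

def run_conformance_test(capture, cert) -> Tuple[bool, List[Tuple[str, str]]]:
    """S230/S240: an incomplete capture fails outright; otherwise pass only if every item passes."""
    findings = check_capture_complete(capture)
    if findings:
        return False, findings
    findings += check_sequence(capture) + check_access_auth_request(capture, cert)
    for check in (check_unicast_key_response, check_multicast_key_response, check_unicast_data):
        findings += check(capture)
    return not findings, findings  # the findings are the error-location information

def constructed_capture():  # constructed sample of a conforming exchange, not real captured traffic
    def wai(t, **fields):  # a WAI packet whose length field matches its data
        return dict(type=t, version=EXPECTED_VERSION, data=b"\x00" * 8, length=8, **fields)
    return [wai("auth_activation", auth_id=b"A" * 32),
            wai("access_auth_request", auth_id=b"A" * 32, asue_challenge=b"C" * 32, terminal_identity="sta-01"),
            wai("certificate_auth_request"), wai("certificate_auth_response"), wai("access_auth_response"),
            wai("unicast_key_request", ae_challenge=b"E" * 32),
            wai("unicast_key_response", ae_challenge=b"E" * 32, bkid=b"B" * 16, uskid=b"\x00",
                addid=b"D" * 12, asue_challenge=b"C" * 32, mac=b"M" * 20),
            wai("unicast_key_confirm"),
            wai("multicast_key_announce", mskid=b"\x01", uskid=b"\x00", key_announce_id=b"K" * 16),
            wai("multicast_key_response", mskid=b"\x01", uskid=b"\x00", key_announce_id=b"K" * 16, mac=b"M" * 20),
            {"type": "unicast_data", "session_key_index": 0, "packet_seq": 2}]
```

`run_conformance_test(constructed_capture(), TERMINAL_CERT)` returns `(True, [])`. Changing the multicast key identifier in the terminal's response, or making the data frame's sequence number odd, returns `False` together with one finding per deviation naming the packet and the field, which is the error-location information the page contrasts with a bare interoperability verdict; truncating the capture fails at the completeness step before any field is inspected, as step S230 prescribes.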
The present invention also provides a method for secure access protocol conformance testing of a network terminal, comprising the following steps:
capturing the secure access protocol data packets during the secure access authentication process of the terminal to be tested;
passing the test when the captured secure access protocol data packets meet the set conditions.
所述设定条件可以包括:所捕获的安全接入协议数据包不少于设定种类的 协议数据包。  The setting condition may include: the captured secure access protocol data packet is not less than a set type of protocol data packet.
所述设定条件可以包括: 捕获安全接入协议数据包的顺序符合协议规定。 所述设定条件可以包括:所捕获的设定类型的安全接入协议数据包中封装 的字段符合协议规定;  The setting condition may include: capturing an order of the secure access protocol data packet conforms to the protocol. The setting condition may include: the field encapsulated in the secure access protocol data packet of the captured set type meets the protocol requirement;
所述设定类型的安全接入协议数据包包括:接入鉴别请求、密钥协商响应、 組播密钥通告响应和 /或单播数据帧。  The set type of secure access protocol data packet includes: an access authentication request, a key agreement response, a multicast key notification response, and/or a unicast data frame.
当所述安全认证协议为 WAPI协议时, 所述方法还包括: 检测当待测终端 和基准接入点配置 WAPI 启用的组合时, 待测终端和基准接入点之间的互通 性。  When the security authentication protocol is the WAPI protocol, the method further includes: detecting interoperability between the terminal to be tested and the reference access point when the terminal to be tested and the reference access point are configured to be WAPI enabled.
本发明还提供了一种用于网络终端的安全接入协议符合性测试的装置,包 括数据包捕获单元和数据包检测单元, 其中:  The present invention also provides an apparatus for secure access protocol compliance testing of a network terminal, comprising a packet capture unit and a packet inspection unit, wherein:
数据包捕获单元用来捕获待测终端在安全接入认证过程中的安全接入认 证协议数据包;  The data packet capture unit is configured to capture a secure access authentication protocol data packet of the terminal to be tested in the secure access authentication process;
数据包检测单元用来检测所捕获的数据包是否符合设定条件,在符合设定 条件时通过测试。  The packet detecting unit is configured to detect whether the captured data packet meets the set condition and pass the test when the set condition is met.
所述设定条件可以包括:所捕获的安全接入协议数据包不少于设定种类的 协议数据包。  The setting condition may include: the captured secure access protocol data packet is not less than a set type of protocol data packet.
所述设定条件可以包括: 捕获安全接入协议数据包的顺序符合协议规定。 所述装置还包括存储单元, 用来存储待测终端的终端证书。  The setting condition may include: capturing an order of the secure access protocol data packet conforms to the protocol. The device further includes a storage unit for storing a terminal certificate of the terminal to be tested.
所述设定可以条件包括:所捕获的设定类型的安全接入协议数据包中封装 的字段符合协议规定;  The setting may include: the field encapsulated in the captured secure access protocol data packet of the set type meets the protocol;
所述设定类型的安全接入协议数据包包括:接入鉴别请求、密钥协商响应、 组播密钥通告响应和 /或单播数据帧; The set type of security access protocol data packet includes: an access authentication request, a key agreement response, Multicast key advertisement response and/or unicast data frame;
所述检测所捕获的数据包是否符合设定条件包括根据待测终端的终端证 书进行检测。  The detecting whether the captured data packet meets the set condition comprises detecting according to the terminal certificate of the terminal to be tested.
所述安全接入协议为 WAPI协议。本发明用于对网絡终端安全接入协议实 现的正确性和一致性进行测试。本发明通过对待测终端在安全接入认证过程中 的安全接入协议数据包的捕获和检测,使得测试结果不再与高层协议的实现相 关, 并且即使在基准设备的实现有偏差时也能得到正确的测试结果,提高了测 试结果的准确性;  The secure access protocol is a WAPI protocol. The invention is used for testing the correctness and consistency of the implementation of the network terminal security access protocol. The invention captures and detects the security access protocol data packet of the terminal to be tested in the secure access authentication process, so that the test result is no longer related to the implementation of the high-level protocol, and can be obtained even when the implementation of the reference device is deviated. The correct test results improve the accuracy of the test results;
进一步地,通过对所捕获的安全接入协议数据包的封装与流程进行解析和 检测,使得应用本发明不但可以得到检测结果,还可以依据从协议数据包获得 的详细信息精确地定位协议实现的错误之处;  Further, by parsing and detecting the encapsulation and process of the captured secure access protocol data packet, the application of the present invention can not only obtain the detection result, but also accurately locate the protocol according to the detailed information obtained from the protocol data packet. Wrong place;
进一步地,本发明中可以对待测终端和基准接入点配置 WAPI启用的組合 情况进行测试,增加了对可能出现的异常情况的模拟测试,保障了通过测试的 产品完全符合标准的规定和互操作性。  Further, in the present invention, the combination of the WAPI-enabled configuration of the terminal to be tested and the reference access point can be tested, and the simulation test for the abnormal situation that may occur is added, and the products that pass the test are fully compliant with the standard regulations and interoperability. Sex.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a diagram of the system topology of the present invention;
Figure 2 is a flow chart of an embodiment of the conformance testing method of the present invention;
Figure 3 is a schematic diagram of the structure of the conformance testing apparatus of the present invention.
DETAILED DESCRIPTION
The method of the present invention applies to both the WAPI protocol and the IEEE 802.11i protocol, and its steps are as follows:
1) activate the secure access protocol authentication process;
2) capture the secure access protocol packets generated during the authentication process;
3) analyze and check the encapsulation format and protocol flow of the secure access protocol packets.
The present invention can be applied to the system structure shown in Figure 1, which includes a monitoring console 1, a reference authentication server 4, a reference access point 3, a hub 2 and a terminal under test 5. The monitoring console 1, the reference authentication server 4 and the reference access point 3 are connected to the hub 2, and the terminal under test 5 associates with the reference access point 3 over a wireless link. The terminal under test 5 may be a notebook computer with a network adapter.
The reference authentication server 4 issues the access point and terminal certificates, which are installed on the terminal under test 5, the reference access point 3 and the monitoring console 1. After WAPI is enabled on the reference access point 3 and the terminal under test 5, the terminal under test 5 associates with the reference access point 3; the monitoring console 1 captures the WAPI protocol packets of the terminal under test 5 during the WAPI identity authentication process and produces the analysis result.
It should be noted that the monitoring console 1 may be a stand-alone device or another network device that integrates the monitoring console function.
The following takes the case where the secure access protocol is the WAPI protocol as a specific embodiment; the complete test flow of the method is shown in Figure 2:
Step S210: activate the WAPI authentication process, i.e. the terminal under test begins the WAPI identity authentication process.
Step S220: the monitoring console captures the WAPI protocol packets exchanged during the authentication process of the terminal under test.
Step S230: if the capture of WAPI protocol packets is incomplete, the terminal under test fails the WAPI test; otherwise, processing of the captured data continues with step S240.
During the WAPI identity authentication process of the terminal under test, a series of WAPI protocol packets must be exchanged with the reference equipment (including the reference access point and the reference authentication server) as specified by the protocol. The tester may configure, according to the needs of the application, which WAPI protocol packets the monitoring console captures; when the captured [...] fails the test.
The WAPI protocol packets that can be captured include: in WAI, the authentication activation frame, access authentication request, certificate authentication request, certificate authentication response, access authentication response, unicast key negotiation request, unicast key negotiation response, unicast key negotiation confirmation, multicast key advertisement, multicast key advertisement response, etc.; in WPI, unicast data frames, etc.
Step S240: analyze and check the encapsulation format and protocol flow of the captured WAPI protocol packets.
The tester may set the conditions for passing the WAPI test according to the needs of the application. For example, the tester may specify that when the order in which the WAPI protocol packets are captured does not conform to the flow specified by the protocol, or when [...] test.
The following takes as an example checking whether the access authentication request, key negotiation response, multicast key advertisement response and unicast data frame generated by the terminal under test conform to the protocol; some of the other captured protocol packets may be used to assist in analyzing the correctness of the protocol packets generated by the terminal under test.
The analysis and checking of the access authentication request may proceed as follows:
1.1) check whether the version number conforms to the standard;
1.2) check whether the value of the data length field matches the length of the data field;
1.3) compare whether the value of the authentication identifier field is the same as the value of the authentication identifier field in the authentication packet sent by the access point;
1.5) check whether the encapsulation format and length of the ASUE challenge, ASUE key data, terminal identity, ECDH parameter and ASUE signature fields conform to the standard.
The analysis and checking of the unicast key negotiation response may proceed as follows:
2.1) check whether the version number conforms to the standard;
2.2) check whether the value of the data length field matches the length of the data field;
2.3) verify whether the lengths of the BKID, USKID, ADDID, ASUE challenge and WIE fields conform to the standard;
2.4) check whether the value of the AE challenge field is the same as the value of the AE challenge field in the unicast key negotiation request sent by the access point;
2.5) check whether the length of the message authentication code field conforms to the standard.
The analysis and checking of the multicast key advertisement response may proceed as follows:
3.1) check whether the version number conforms to the standard;
3.2) check whether the value of the data length field matches the length of the data field;
3.3) compare whether the MSKID field value is the same as the MSKID field value in the multicast key advertisement packet sent by the access point;
3.4) compare whether the USKID field value is the same as the USKID field value in the multicast key advertisement packet sent by the access point;
3.5) compare whether the key advertisement identifier field value is the same as the key advertisement identifier field value in the multicast key advertisement packet sent by the access point;
3.6) check whether the length of the message authentication code field conforms to the standard.
The analysis and checking of the unicast data frame may proceed as follows:
4.1) check whether the value of the session key index field is within the range specified by the standard;
4.2) check whether the value of the data packet sequence number field is within the range specified by the standard;
4.3) determine whether the value of the data packet sequence number field is even.
In the analysis and checking of this example, the pass condition is set so that the terminal under test passes the protocol conformance check only if all of the above check items pass. That is, if any one check fails, the test result for the terminal under test is a fail. Of course, the tester may also select only some of the above check items to perform, as needed.
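As an added example (not the patent's or China Iwncomm's code), the Python below models steps S230 and S240 for the WAPI embodiment: a completeness check on the capture, an order check against the WAI packet flow listed above, and the encapsulation checks of items 1.x to 4.x (version and length field, AE challenge and MSKID/USKID/key advertisement identifier echoing the access point's packet, message authentication code length, session key index and packet number range and evenness). The packet type names, field names, the constructed capture and the "standard" values (version 1, 20-byte MAC, index and packet number ranges) are assumptions standing in for the real WAI encoding, which the page does not give.

```python
from dataclasses import dataclass
from typing import Dict, List

# WAI packet flow named in the embodiment, in the order the protocol prescribes.
WAI_FLOW = [
    "auth_activation", "access_auth_request", "cert_auth_request",
    "cert_auth_response", "access_auth_response", "ukey_request",
    "ukey_response", "ukey_confirm", "mkey_advertisement", "mkey_response",
]
# Terminal-generated packets the embodiment inspects (step S240, items 1.x to 4.x).
REQUIRED = {"access_auth_request", "ukey_response", "mkey_response", "unicast_data"}
# Constructed stand-ins for "the value the standard specifies"; not taken from WAPI.
VERSION, MAC_LEN = 1, 20
KEY_INDEX_RANGE, PN_RANGE = range(0, 4), range(0, 2 ** 32)

@dataclass
class Packet:
    ptype: str                 # one of WAI_FLOW or "unicast_data"
    fields: Dict[str, object]  # decoded fields, named after the patent's checklist

def check_completeness(capture: List[Packet]) -> List[str]:
    """Step S230: every required packet type must appear in the capture."""
    return sorted(REQUIRED - {p.ptype for p in capture})

def check_flow(capture: List[Packet]) -> List[str]:
    """Step S240, protocol flow: WAI packets must be captured in WAI_FLOW order."""
    idx = [WAI_FLOW.index(p.ptype) for p in capture if p.ptype in WAI_FLOW]
    return [f"{WAI_FLOW[b]} captured after {WAI_FLOW[a]}, out of order"
            for a, b in zip(idx, idx[1:]) if b <= a]

def check_header(p: Packet) -> List[str]:
    """Items x.1 and x.2: version number and length field against the data field."""
    errs = []
    if p.fields.get("version") != VERSION:
        errs.append(f"{p.ptype}: version {p.fields.get('version')!r} != {VERSION}")
    data = p.fields.get("data", b"")
    if p.fields.get("length") != len(data):
        errs.append(f"{p.ptype}: length field {p.fields.get('length')!r} != {len(data)}")
    return errs

def check_fields(capture: List[Packet]) -> List[str]:
    """Step S240, encapsulation format: items 1.x to 4.x on the terminal's packets."""
    by_type = {p.ptype: p for p in capture}
    errs: List[str] = []
    for name in ("access_auth_request", "ukey_response", "mkey_response"):
        if name in by_type:
            errs += check_header(by_type[name])
    # 2.4/2.5 and 3.3 to 3.6: the response must echo the AP's packet and carry a MAC of the set length.
    echoes = [("ukey_request", "ukey_response", ("ae_challenge",)),
              ("mkey_advertisement", "mkey_response", ("mskid", "uskid", "key_notify_id"))]
    for src, dst, keys in echoes:
        a, b = by_type.get(src), by_type.get(dst)
        if a and b:
            errs += [f"{dst}: {k} differs from {src}" for k in keys
                     if a.fields.get(k) != b.fields.get(k)]
            if len(b.fields.get("mac", b"")) != MAC_LEN:
                errs.append(f"{dst}: message authentication code length != {MAC_LEN}")
    # 4.1 to 4.3: key index and packet number in range, packet number even.
    for p in (q for q in capture if q.ptype == "unicast_data"):
        ki, pn = p.fields.get("key_index"), p.fields.get("pn")
        if ki not in KEY_INDEX_RANGE:
            errs.append(f"unicast_data: session key index {ki!r} out of range")
        if pn not in PN_RANGE:
            errs.append(f"unicast_data: packet number {pn!r} out of range")
        elif pn % 2:
            errs.append(f"unicast_data: packet number {pn} is odd")
    return errs

def run_test(capture: List[Packet]) -> Dict[str, object]:
    """S230 then S240: an incomplete capture fails outright; otherwise all checks must pass."""
    missing = check_completeness(capture)
    if missing:
        return {"pass": False, "missing": missing, "flow": [], "fields": []}
    flow, fields = check_flow(capture), check_fields(capture)
    return {"pass": not flow and not fields, "missing": [], "flow": flow, "fields": fields}

def sample_capture(tamper: bool = False) -> List[Packet]:
    """Constructed conformant capture; tamper=True breaks items 3.3 and 4.3 (foreign MSKID, odd PN)."""
    chal = b"\x11" * 32
    adv = {"mskid": 0, "uskid": 1, "key_notify_id": 7}
    def hdr(data: bytes, **extra) -> Dict[str, object]:
        return {"version": VERSION, "length": len(data), "data": data, **extra}
    pkts = [
        Packet("auth_activation", hdr(b"act")),
        Packet("access_auth_request", hdr(b"req")),
        Packet("cert_auth_request", hdr(b"creq")),
        Packet("cert_auth_response", hdr(b"crsp")),
        Packet("access_auth_response", hdr(b"rsp")),
        Packet("ukey_request", hdr(b"ukr", ae_challenge=chal)),
        Packet("ukey_response", hdr(b"uks", ae_challenge=chal, mac=bytes(MAC_LEN))),
        Packet("ukey_confirm", hdr(b"ukc")),
        Packet("mkey_advertisement", hdr(b"mk", **adv)),
        Packet("mkey_response", hdr(b"mkr", mac=bytes(MAC_LEN), **adv)),
        Packet("unicast_data", {"key_index": 1, "pn": 2}),
    ]
    if tamper:
        pkts[9].fields["mskid"] = 3
        pkts[10].fields["pn"] = 3
    return pkts
```

Running `run_test(sample_capture())` returns a passing verdict, while the tampered capture fails with one finding per broken check item, which is the error-localization the text describes.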
In the present invention, a step S250 may further be added to test combinations of the WAPI enablement settings of the terminal under test and the reference access point. Step S250: configure a combination of WAPI enablement settings on the terminal under test and the reference access point respectively, and judge the correctness of the access control function implemented by the terminal under test by checking whether the terminal under test and the reference access point are able to communicate. The combinations of WAPI enablement settings of the terminal under test and the reference access point include:
5.1) the terminal under test enables the WAPI security mechanism with WAI pre-shared key authentication and key management, while the reference access point uses the WAPI security mechanism with certificate authentication and key management;
5.2) the terminal under test enables the WAPI security mechanism with WAI certificate authentication and key management, while the reference access point uses the WAPI security mechanism with pre-shared key authentication and key management.
In both of the above cases, the test is passed when WAPI communication between the terminal under test and the reference access point cannot take place.
The test performed in step S250 has no ordering relationship with steps S210 to S240; step S250 may be performed before step S210 or after step S240, with exactly the same effect.
The secure access protocol conformance testing apparatus for a network terminal of the present invention may have the structure shown in Figure 3, comprising at least a packet capture unit 310 and a packet inspection unit 320, and optionally a storage unit 330.
The packet capture unit 310 captures the secure access authentication protocol packets of the terminal under test during the secure access authentication process and outputs them to the packet inspection unit 320. The packet inspection unit 320 checks whether the captured packets meet the set conditions; the test is passed when the set conditions are met, otherwise the conformance test is failed.
The storage unit 330 may store the terminal certificate of the terminal under test; when the set conditions include items that must be checked against the terminal certificate, the packet inspection unit 320 reads it when performing the corresponding check. The set conditions may also be stored in the storage unit 330.
The set conditions used by the packet inspection unit 320 may include: the captured secure access protocol packets comprise no fewer than the set kinds of protocol packets, the order in which the secure access protocol packets are captured conforms to the protocol, and/or the fields encapsulated in the captured secure access protocol packets of the set types conform to the protocol. For a terminal under test using the WAPI protocol, the secure access protocol packets of the set types may include the access authentication request, key negotiation response, multicast key advertisement response and/or unicast data frame. For details, see the method embodiment above; they are not repeated here.
The present invention is designed around the network terminal and can be used to test the correctness and consistency of the secure access protocol implementation of network terminals produced by equipment manufacturers. The present invention not only uses protocol interoperability testing to test the interoperability of the network terminal under test with the reference access point and authentication server, but also captures, parses and analyzes the complete secure access protocol data and, on that basis, analyzes the secure access protocol flow and performs simulated tests of abnormal situations, ensuring that products passing the test fully conform to the standard and are interoperable. The present invention has the following advantages:
1. The test results are more accurate. The present invention introduces capture and complete analysis of the relevant protocol data, making the test results more accurate.
2. The test data is complete. Because the test process includes complete data capture and analysis, detailed information about the protocol data of the equipment under test can be provided.
3. Errors can be located. Because the execution of the protocol is inspected at a fine-grained level, errors in the protocol implementation can be located precisely.
The embodiments of the present invention described above do not limit the scope of protection of the present invention. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention shall fall within the scope of protection of the claims of the present invention.

Claims

1、 一种用于网络终端的安全接入协议符合性测试的方法, 其特征在于: 该方法包括以下步驟:  A method for conformance testing of a secure access protocol for a network terminal, the method comprising the steps of:
捕获待测终端安全接入认证过程中的安全接入协议数据包;  Capturing a secure access protocol data packet in the secure access authentication process of the terminal to be tested;
分析检测所捕获的安全接入协议数据包的封装格式和协议流程。  Analyze and detect the encapsulation format and protocol flow of the captured Secure Access Protocol packets.
2、 根据权利要求 1所述的用于网络终端的安全接入协议符合性测试的方 法, 其特征在于: 所述安全接入协议为 WAPI协议或 IEEE8Q2.11i协议。  2. The method for security access protocol compliance testing of a network terminal according to claim 1, wherein: the secure access protocol is a WAPI protocol or an IEEE8Q2.11i protocol.
3、 根据权利要求 1所述的网络终端的安全接入协议符合性测试的方法, 其特征在于, 当安全接入协议为 WAPI协议时, 该方法还包括: 当待测终端和 基准接入点配置 WAPI启用的组合时,检测待测终端和基准接入点之间的互通 性。  The method for testing the compliance of the security access protocol of the network terminal according to claim 1, wherein when the secure access protocol is the WAPI protocol, the method further includes: when the terminal to be tested and the reference access point When the WAPI-enabled combination is configured, the interoperability between the terminal under test and the reference access point is detected.
4、 根据权利要求 3所述的用于网络终端的安全接入协议符合性测试的方 法, 其特征在于; 所述待测终端和基准接入点配置 WAPI启用的组合包括: 待测终端启用 WAI预共享密钥鉴别和密钥管理方式的 WAPI安全机制, 基准接入点采用证书鉴别和密钥管理方式的 WAPI安全机制; 或  The method for testing the compliance of the security access protocol for the network terminal according to claim 3, wherein the combination of the terminal to be tested and the reference access point configuration WAPI enabler comprises: enabling the WAI of the terminal to be tested WAPI security mechanism for pre-shared key authentication and key management, and the benchmark access point adopts WAPI security mechanism for certificate authentication and key management; or
待测终端启用 WAI证书鉴别和密钥管理方式的 WAPI安全机制, 基准接 入点采用预共享密钥鉴别和密钥管理方式的 WAPI安全机制。  The terminal to be tested enables the WAPI security mechanism of WAI certificate authentication and key management mode, and the reference access point adopts the WAPI security mechanism of pre-shared key authentication and key management.
5、 根据权利要求 3所述的用于网络终端的安全接入协议符合性测试的方 法, 其特征在于: 所述安全接入协议数据包包括: WAI 中的鉴别激活帧、 接 入鉴别请求、 证书鉴别请求、 证书鉴别响应、 接入鉴别响应、 单播密钥协商请 求、 单播密钥协商响应、 单播密钥协商确认、 组播密钥通告和 /或组播密钥通 告响应; 和 /或 WPI中的单播数据帧。  The method for testing the security access protocol conformity of the network terminal according to claim 3, wherein: the secure access protocol data packet comprises: an authentication activation frame in the WAI, an access authentication request, Certificate authentication request, certificate authentication response, access authentication response, unicast key negotiation request, unicast key negotiation response, unicast key negotiation confirmation, multicast key advertisement, and/or multicast key advertisement response; / or unicast data frames in WPI.
6、 根据权利要求 1所述的用于网络终端的安全接入协议符合性测试的方 法, 其特征在于: 所述方法还包括: 若捕获的安全接入协议数据包少于设定的 协议数据包时, 则待测终端未通过测试。  The method for testing the compliance of a security access protocol for a network terminal according to claim 1, wherein the method further comprises: if the captured secure access protocol data packet is less than the set protocol data. When the packet is used, the terminal to be tested fails the test.
7、 根据权利要求 5所述的用于网络终端的安全接入协议符合性测试的方 法, 其特征在于, 所述方法还包括: 在本地存储待测终端的终端证书;  The method for testing the compliance of the security access protocol for the network terminal according to claim 5, wherein the method further comprises: locally storing the terminal certificate of the terminal to be tested;
对接入鉴别请求,所述分析检测所捕获的安全接入协议数据包的封装格式 包括: 检查版本号是否符合标准中的规定; For the access authentication request, the analysis detects that the encapsulated security access protocol data packet encapsulation format includes: Check that the version number meets the requirements in the standard;
检查数据长度字段值是否和数据字段的长度一致;  Check if the data length field value is consistent with the length of the data field;
比较鉴别标识字段的值和接入点发送的鉴别分组中的鉴别标识字段的值 是否相同;  Comparing the value of the authentication identifier field with the value of the authentication identifier field in the authentication packet sent by the access point;
' 检查 ASUE询问、 ASUE密钥数据、 终端身份、 ECDH参数、 和 ASUE 的签名字段的封装格式与长度与标准中的规定是否相符。 ' Check the ASUE query, ASUE key data, terminal identity, ECDH parameters, and ASUE's signature field's encapsulation format and length to match the specifications in the standard.
8、 根据权利要求 5所述的用于网絡终端的安全接入协议符合性测试的方 法, 其特征在于: 对密钥协商响应, 所述分析检测所捕获的安全接入协议数据 包的封装格式包括:  8. The method for security access protocol compliance testing of a network terminal according to claim 5, wherein: the key negotiation response, the analyzing and detecting the encapsulated format of the captured secure access protocol data packet Includes:
检查版本号是否符合标准中的规定;  Check that the version number meets the requirements in the standard;
检查数据长度字段值是否和数据字段的长度一致;  Check if the data length field value is consistent with the length of the data field;
验证 BKID、 USKID、 ADDID、 ASUE询问和 WIE字段的长度是否与标 准中规定的一致;  Verify that the lengths of the BKID, USKID, ADDID, ASUE query, and WIE fields are the same as those specified in the standard;
检查 AE询问字段的值和接入点发送的单播密钥协商请求中的 AE询问字 段的值是否相同; 和 /或  Checking whether the value of the AE Query field is the same as the value of the AE Query field in the unicast key negotiation request sent by the access point; and/or
检查消息鉴别码字段的长度与标准中的规定是否一致。  Check that the length of the message authentication code field is consistent with the specifications in the standard.
9、 根据权利要求 5所述的用于网络终端的安全接入协议符合性测试的方 法, 其特征在于: 对组播密钥通告响应, 所述分析检测所捕获的安全接入协议 数据包的封装格式包括:  9. The method for conformance testing of a secure access protocol for a network terminal according to claim 5, wherein: responsive to the multicast key notification, said analyzing and detecting the captured secure access protocol data packet The package format includes:
检查版本号是否符合标准中的规定;  Check that the version number meets the requirements in the standard;
检查数据长度字段值是否和数据字段的长度一致;  Check if the data length field value is consistent with the length of the data field;
比较 MSKID字段值与接入点发送的组播密钥通告分组中的 MSKID字段 值是否相同;  Comparing whether the MSKID field value is the same as the MSKID field value in the multicast key advertisement packet sent by the access point;
比较 USKID字段值与接入点发送的组播密钥通告分组中的 USKID字段值 是否相同;  Comparing whether the value of the USKID field is the same as the value of the USKID field in the multicast key advertisement packet sent by the access point;
比较密钥通告标识字段值与接入点发送的组播密钥通告分组中的密钥通 告标识字段值是否相同; 和 /或  Comparing the key advertisement identifier field value with the key advertisement identifier field value in the multicast key advertisement packet sent by the access point; and/or
检查消息鉴别码字段的长度与标准中的规定是否一致。 Check that the length of the message authentication code field is consistent with the specifications in the standard.
10.根据权利要求 5所述的用于网络终端的安全接入协议符合性测试的方 法, 其特征在于: 对单播数据帧, 所述分析检测所捕获的安全接入协议数据包 的封装格式包括: The method for testing the compliance of a security access protocol for a network terminal according to claim 5, wherein: for the unicast data frame, the analyzing and detecting the encapsulation format of the captured secure access protocol data packet Includes:
检查会话密钥索引字段的值是否在标准规定的范围内;  Check if the value of the session key index field is within the range specified by the standard;
检查数据分组序号字段的值是否在标准规定的范围内; 和 /或  Check if the value of the data packet sequence number field is within the range specified by the standard; and / or
判断数据分组序号字段的值是否为偶数。  Determine whether the value of the data packet sequence number field is an even number.
11. 一种用于网络终端的安全接入协议符合性测试的方法, 其特征在于: 该方法包括以下步骤:  A method for conformance testing of a secure access protocol for a network terminal, the method comprising the steps of:
捕获待测终端安全接入认证过程中的安全接入协议数据包;  Capturing a secure access protocol data packet in the secure access authentication process of the terminal to be tested;
当捕获的安全接入协议数据包符合设定条件时通过测试。  Pass the test when the captured Secure Access Protocol packet meets the set conditions.
12. 如权利要求 11所述的用于网络终端的安全接入协议符合性测试的方 法, 其特征在于, 所述设定条件包括: 所捕获的安全接入协议数据包不少于设 定种类的协议数据包。  The method for testing a security access protocol compliance test of a network terminal according to claim 11, wherein the setting condition comprises: the captured secure access protocol data packet is not less than a set type Protocol packet.
13. 如权利要求 11所述的用于网络终端的安全接入协议符合性测试的方 法, 其特征在于, 所述设定条件包括: 捕获安全接入协议数据包的顺序符合协 议规定。  13. The method for secure access protocol compliance testing of a network terminal according to claim 11, wherein the setting condition comprises: capturing an order of the secure access protocol data packet conforms to a protocol.
14.如权利要求 11至 13任意一项所述的用于网络终端的安全接入协议符 合性测试的方法, 其特征在于, 所述设定条件包括: 所捕获的设定类型的安全 接入协议数据包中封装的字段符合协议规定;  The method for testing a security access protocol compliance test of a network terminal according to any one of claims 11 to 13, wherein the setting condition comprises: the captured type of secure access The fields encapsulated in the protocol packet conform to the protocol;
所述设定类型的安全接入协议数据包包括:接入鉴别请求、密钥协商响应、 组播密钥通告响应和 /或单播数据帧。  The set type of secure access protocol data packet includes: an access authentication request, a key agreement response, a multicast key notification response, and/or a unicast data frame.
15. 如权利要求 11所述的用于网络终端的安全接入协议符合性测试的方 法, 其特征在于: 所述安全认证协议为 WAPI协议;  The method for testing the compliance of a security access protocol for a network terminal according to claim 11, wherein: the security authentication protocol is a WAPI protocol;
所述方法还包括: 检测当待测终端和基准接入点配置 WAPI启用的组合 时, 待测终端和基准接入点之间的互通性。  The method further includes: detecting interoperability between the terminal to be tested and the reference access point when the terminal to be tested and the reference access point configure WAPI enabled combination.
16. 一种用于网络终端的安全接入协议符合性测试的装置, 其特征在于, 包括数据包捕获单元和数据包检测单元, 其中:  16. Apparatus for secure access protocol compliance testing of a network terminal, comprising: a data packet capture unit and a data packet detection unit, wherein:
the data packet capture unit is configured to capture the secure access authentication protocol data packets of the terminal under test during the secure access authentication process; the data packet detection unit is configured to detect whether the captured data packets meet the set conditions, and to pass the test when the set conditions are met.
17. The apparatus for secure access protocol conformance testing of a network terminal according to claim 16, characterised in that the set conditions include: the captured secure access protocol data packets are not fewer than the set kinds of protocol data packets.
18. The apparatus for secure access protocol conformance testing of a network terminal according to claim 16, characterised in that the set conditions include: the order in which the secure access protocol data packets are captured conforms to the protocol specification.
19. The apparatus for secure access protocol conformance testing of a network terminal according to any one of claims 16 to 18, characterised in that the apparatus further comprises a storage unit for storing the terminal certificate of the terminal under test.
20. The apparatus for secure access protocol conformance testing of a network terminal according to claim 19, characterised in that the set conditions include: the fields encapsulated in the captured secure access protocol data packets of the set types conform to the protocol specification;
the secure access protocol data packets of the set types include: an access authentication request, a key agreement response, a multicast key announcement response and/or a unicast data frame;
detecting whether the captured data packets meet the set conditions includes detecting according to the terminal certificate of the terminal under test.
21. The apparatus for secure access protocol conformance testing of a network terminal according to claim 19, characterised in that the secure access protocol is the WAPI protocol.
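The set conditions of claims 17 to 20 applied to a captured packet sequence, as an added Python example that is not part of the patent: the packet type names are those of claim 20, while the expected order, the field names, the certificate value and the sample capture are constructed assumptions.

```python
# Added example (not the patent's code): the set conditions of claims 17-20
# applied to a capture. Order, field names and sample data are assumed.
AUTH_REQ = "access_authentication_request"
KEY_RESP = "key_agreement_response"
MCAST_RESP = "multicast_key_announcement_response"
UDATA = "unicast_data_frame"

# Assumed protocol order of the set packet types (claim 18).
EXPECTED_ORDER = [AUTH_REQ, KEY_RESP, MCAST_RESP, UDATA]
# Assumed fields each set type must encapsulate (claim 20).
REQUIRED_FIELDS = {
    AUTH_REQ: {"certificate", "nonce"},
    KEY_RESP: {"nonce", "mic"},
    MCAST_RESP: {"key_index", "mic"},
    UDATA: {"key_index", "payload"},
}

def check_conformance(captured, terminal_cert):
    """captured: list of (packet_type, fields dict) in capture order.
    Returns (passed, reasons); passed only when every condition holds."""
    reasons = []
    seen = [t for t, _ in captured if t in EXPECTED_ORDER]
    # Claim 17: the capture holds no fewer than the set packet types.
    reasons += [f"missing packet type: {t}" for t in EXPECTED_ORDER
                if t not in seen]
    # Claim 18: first occurrences must follow the protocol order.
    firsts = list(dict.fromkeys(seen))
    if firsts != [t for t in EXPECTED_ORDER if t in firsts]:
        reasons.append("packet order does not follow the protocol")
    # Claim 20: per-type fields; the request is checked against the
    # stored terminal certificate of the storage unit (claim 19).
    for ptype, fields in captured:
        lacking = REQUIRED_FIELDS.get(ptype, set()) - set(fields)
        if lacking:
            reasons.append(f"{ptype} lacks fields {sorted(lacking)}")
        if ptype == AUTH_REQ and fields.get("certificate") != terminal_cert:
            reasons.append("certificate in access authentication request "
                           "differs from the stored terminal certificate")
    return not reasons, reasons

# Constructed capture of a conforming terminal; the certificate is a
# placeholder string, not a real certificate.
SAMPLE_CERT = "PLACEHOLDER-TERMINAL-CERT"
SAMPLE_CAPTURE = [
    (AUTH_REQ, {"certificate": SAMPLE_CERT, "nonce": "n1"}),
    (KEY_RESP, {"nonce": "n2", "mic": "m1"}),
    (MCAST_RESP, {"key_index": 1, "mic": "m2"}),
    (UDATA, {"key_index": 1, "payload": b"data"}),
]
```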
PCT/CN2007/000635 2006-02-28 2007-02-28 An apparatus for testing the protocol conformance of the security accessing of network terminal and the method thereof WO2007098692A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610041848.4 2006-02-28
CNB2006100418484A CN100496052C (en) 2006-02-28 2006-02-28 Method and system for testing safety access protocol conformity of network terminal

Publications (1)

Publication Number Publication Date
WO2007098692A1 true WO2007098692A1 (en) 2007-09-07

Also Published As

Publication number Publication date
CN100496052C (en) 2009-06-03
CN1812418A (en) 2006-08-02

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 07711026; Country of ref document: EP; Kind code of ref document: A1)