
WAPI-XG1 access and fast switch authentication method

An authentication method for WAPI-XG1 access and fast handover. It addresses problems in existing schemes such as terminals being unable to access the network, differing security standards, and the lack of an error recovery mechanism, and achieves the effect of reducing complexity.

Inactive Publication Date: 2009-04-29
TIANJIN POLYTECHNIC UNIV +1

AI Technical Summary

Problems solved by technology

[0027] The shortcoming of prior art one is: the security association in fast handover is a very important problem in WLAN, and it is also a problem that urgently needs to be solved.

[0036] The shortcomings of prior art two are:
(1) IEEE 802.11i and 11r and WAPI are completely different security standards. Therefore 11i and 11r cannot be used to solve the problem in WAPI.
(2) The four-step handshake protocol cannot guarantee forward secrecy. For an active attacker the consequences are more serious, because the loss of the long-term key means that the entity is completely compromised, and the active attacker can forge and tamper with all the data between the STA and the AP.
(3) The efficiency of authentication and key agreement is poor.
(4) An effective user identity protection mechanism is lacking.
(5) IEEE 802.11i and 11r still have some other problems, such as the security of management frames, DoS attacks in the four-step handshake, and the lack of error recovery mechanisms.

[0063] The shortcomings of prior art three are:
(1) This scheme and WAPI are completely different security schemes. Therefore, it cannot be used to solve the problems existing in WAPI-XG1.
(2) The pre-authentication method is more complicated.
In this way, when the original legal terminal requests to access the network, it cannot access the network due to the use of outdated data.
(4) Integrity protection is lacking. In the initial authentication protocol proposed by this scheme and in the authentication protocol used in handover, all messages are only encrypted, without integrity protection. Any modification of a message by the attacker will cause the keys of the server and the user to become inconsistent, after which normal communication is no longer possible.
(5) K0 is a long-term shared key, which also has the problem of forward secrecy. Therefore, once K0 is lost, all session keys are compromised.
(6) The participation of the AS is required during handover, and the delay is relatively large. On handover, it is necessary to go to the authentication server to request the handover key. The authentication server may be far away from the current AP, and the communication delay is relatively large, so this has a great impact on fast handover.

[0064] It can be seen from the above analysis that there is no effective solution for the security association part of WAPI-XG1 fast handover.


Embodiment Construction

[0140] As shown in Figure 9, the access authentication method WAPI-XG1+ of the present invention realizes mutual authentication between the STA, AP, and ASU through a protocol interaction. Since there is no direct trust relationship between the STA and the AP, a trusted third party, the ASU, is required to confirm and transmit authentication information to achieve mutual trust. For the certificate-based authentication mode, the protocol performs two different DH key exchanges, one between the STA and the AP and one between the STA and the ASU, which are used to generate the shared key USK between the STA and the AP and the shared key HK between the STA and the ASU. For the PSK-based authentication mode, the protocol also implements explicit key authentication between the STA and the AP and between the STA and the ASU. Therefore, after a STA accesses a WLAN through the new authentication protocol, it is no longer necessary to conduct between the STA and the AP the explicit key authentication based on the shared key ...
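The forward-secrecy concern raised above, and the role of a DH exchange in deriving a session key such as USK, can be seen in a small model. This is an added illustration, not code or message formats from the patent; the toy DH group, the HMAC-based KDF and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy DH group chosen for brevity (assumption): not the patent's parameters
# and not a vetted group for real deployments.
P = 2**255 - 19
G = 2

def kdf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in KDF: HMAC-SHA256 over length-prefixed inputs."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def psk_only_session(long_term_key: bytes):
    """Session key derived from the long-term key and public nonces only."""
    n_sta, n_ap = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"n_sta": n_sta, "n_ap": n_ap}          # everything sent in clear
    return wire, kdf(long_term_key, b"USK", n_sta, n_ap)

def dh_session(long_term_key: bytes):
    """Same derivation, with an ephemeral DH secret mixed in."""
    n_sta, n_ap = secrets.token_bytes(16), secrets.token_bytes(16)
    x = secrets.randbelow(P - 2) + 1               # STA ephemeral exponent
    y = secrets.randbelow(P - 2) + 1               # AP ephemeral exponent
    gx, gy = pow(G, x, P), pow(G, y, P)
    shared = pow(gy, x, P)                         # equals pow(gx, y, P)
    wire = {"n_sta": n_sta, "n_ap": n_ap, "gx": gx, "gy": gy}
    key = kdf(long_term_key, b"USK", n_sta, n_ap, shared.to_bytes(32, "big"))
    return wire, key                               # x and y are discarded here

def recompute_from_wire(long_term_key: bytes, wire: dict) -> bytes:
    """Key material derivable later from a recorded exchange plus a leaked
    long-term key. g^x and g^y on the wire do not yield g^(xy)."""
    return kdf(long_term_key, b"USK", wire["n_sta"], wire["n_ap"])

if __name__ == "__main__":
    ltk = b"constructed-long-term-key"             # constructed sample value
    w1, k1 = psk_only_session(ltk)
    w2, k2 = dh_session(ltk)
    print("long-term-key-only session exposed:", recompute_from_wire(ltk, w1) == k1)
    print("DH-protected session exposed:      ", recompute_from_wire(ltk, w2) == k2)
```

In the first derivation a later loss of the long-term key exposes every recorded session; in the second, the past session key also depends on ephemeral exponents that no longer exist.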


Abstract

The invention provides a method for WAPI-XG1 access and fast handover authentication, belonging to the field of wireless communication. The method comprises the following steps: an access authentication protocol is used to establish a connection between a STA and a first AP, establishing the session key with the first AP and the keys used for fast handover with the ASU; when the STA moves to the control domain of a second AP, the security association establishment protocol and the unicast session key update protocol under fast handover are carried out. The method solves the problems that WAPI-XG1 cannot support fast handover, that forward secrecy cannot be ensured, and that offline dictionary attacks cannot be resisted under the pre-shared key authentication mode. Meanwhile, the method does not need to change the authentication framework of WAPI-XG1, and the two authentication modes, based on the certificate and on the shared key, are integrated into one authentication scheme. Furthermore, when handover occurs at the client terminal, for the certificate-based authentication mode only the fast handover security association establishment protocol is run with the destination access point, without re-authentication or pre-authentication.

Description

Technical field

[0001] The invention belongs to the field of wireless communication, and in particular relates to a WAPI-XG1 access and fast switching authentication method.

Background technique

[0002] China's first national standard GB 15629.11-2003 in the field of Wireless Local Area Network (WLAN) was officially implemented on November 1, 2003, and the security solution in it is called WLAN Authentication and Privacy Infrastructure (WAPI). In March 2004, the National Broadband Wireless IP Standard Working Group (BWIPS) of the China IT Standardization Technical Committee released the implementation plan of WAPI, which corrected some security defects of the original national standard WAPI. Considering the coexistence of different WLAN security solutions (such as IEEE 802.11i), Lai Xiaolong and others proposed a new WLAN security solution on the basis of WAPI and its implementation, and it was approved by China Broadband Wireless IP on July 31, 2006. The standard working ...


Application Information

IPC(8): H04W12/06, H04L29/06, H04W36/00, H04W12/0433, H04W12/069
CPC: H04W84/12, H04W12/069
Inventor: 马建峰, 曹春杰, 杨超, 刘文菊, 王赜, 柯永振, 时珍全, 张艳
Owner TIANJIN POLYTECHNIC UNIV