METHOD, DEVICE AND SYSTEM OF ID BASED WIRELESS MULTI-HOP NETWORK AUTHENTICATION ACCESS

US 20100293378A1
Filed: 01/22/2009
Published: 11/18/2010
Est. Priority Date: 01/23/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method for ID-based authentication access of a wireless multi-hop network, comprising the steps of:

broadcasting, by a coordinator, a beacon frame comprising suites of ID-based authentication and key management;

authenticating, by the coordinator, a terminal device supporting the suite of ID-based authentication and key management upon reception of a connection request command transmitted from the terminal device;

enabling, by the coordinator, a controlled port and providing the terminal device with an access to the wireless multi-hop network upon successful authentication; and

transmitting, by the coordinator, to the terminal device a connection response command for instructing the terminal device to access the wireless multi-hop network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, device and system of ID based wireless multi-hop network authentication access are provided, which are used for security application protocol when the WAPI frame method (TePA, Triple-Element and Peer Authentication based access control method) is applied over the specific network including the wireless LAN, wireless WAN and wireless private network. The method includes the following steps: defining non-controlled port and controlled port; the coordinator broadcasts the beacon frame, the terminal device sends the connection request command; the coordinator and the terminal device perform the authentication procedure; the coordinator opens the controlled port and sends the connection response command at the same time if the authentication is successful; the terminal device receives the connection response command and opens the controlled port in order to access the network. The method of the present invention solves the technical problem of the presence of the security trouble in the present wireless multi-hop network authentication access method, improves the security and performance of accessing the wireless multi-hop network from the terminal device, and ensures the communication safety between the terminal device and the coordinator.

Citations

20 Claims

1. A method for ID-based authentication access of a wireless multi-hop network, comprising the steps of:
- broadcasting, by a coordinator, a beacon frame comprising suites of ID-based authentication and key management;
  
  authenticating, by the coordinator, a terminal device supporting the suite of ID-based authentication and key management upon reception of a connection request command transmitted from the terminal device;
  
  enabling, by the coordinator, a controlled port and providing the terminal device with an access to the wireless multi-hop network upon successful authentication; and
  
  transmitting, by the coordinator, to the terminal device a connection response command for instructing the terminal device to access the wireless multi-hop network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method for ID-based authentication access of a wireless multi-hop network according to claim 1, further comprising:
    - transmitting, by the terminal device, the connection request command to the coordinator upon reception of the beacon frame transmitted from the coordinator; and
      
      enabling, by the terminal device, a controlled port and accessing the wireless multi-hop network upon reception of the connection response command transmitted from the coordinator.
  - 3. The method for ID-based authentication access of a wireless multi-hop network according to claim 2, further comprising:
    - defining uncontrolled and controlled ports for the coordinator and the terminal device so that the coordinator and the terminal device have their uncontrolled ports passing authentication protocol data packets and management information and controlled ports passing application data packets.
  - 4. The method for ID-based authentication access of a wireless multi-hop network according to claim 2, wherein the process of authenticating the terminal device comprises:
    - generating, by the coordinator, an authentication inquiry of the coordinator and transmitting to the terminal device an authentication activation composed of the authentication inquiry of the coordinator and a public key of the coordinator in response to reception of the connection request command transmitted from the terminal device;
      
      verifying, by the terminal device, validity of the public key of the coordinator upon reception of the authentication activation, and if verification is passed, then generating an authentication inquiry of the terminal device, an public key revocation query identifier and a temporary public key of the terminal device, and transmitting an authentication request composed of five pieces of information and a signature of the terminal device on the five pieces of information, wherein the five pieces of information include the authentication inquiry of the terminal device, the public key revocation query identifier, the temporary public key of the terminal device, the authentication inquiry of the coordinator and a public key of the terminal device;
      
      verifying, by the coordinator, validity of the signature in the authentication request, consistency of the authentication inquiry of the coordinator and validity of the temporary public key of the terminal device upon reception of the authentication request; and
      
      if verification is passed, then deciding from the public key revocation query identifier whether to perform a public key revocation query, and if the public key revocation query is performed, then setting by the coordinator the public key revocation query identifier, generating a public key revocation query inquiry of the coordinator, and transmitting to a trusted center a public key revocation query request composed of the public key revocation query inquiry of the coordinator, the public key revocation query identifier and the public key of the terminal device;
      
      receiving, by the coordinator, a public key revocation query response transmitted from the trusted center composed of the public key revocation query inquiry of the coordinator, the public key revocation query identifier and a public key revocation result of the terminal device;
      
      verifying, by the coordinator, the public key revocation query identifier in the public key revocation query response, verifying consistency of the public key revocation query inquiry of the coordinator and the public key revocation query identifier, and verifying the public key revocation result of the terminal device; and
      
      if verification is passed, then generating a temporary public key of the coordinator and an access result, and transmitting an authentication response composed of five pieces of information and a signature of the terminal device on the five pieces of information, wherein the five pieces of information include the public key revocation query identifier, the authentication inquiry of the terminal device, the temporary public key of the coordinator, an identifier of the terminal device and the access result; and
      
      generating by the coordinator a base key between the terminal device and the coordinator from the temporary public key of the terminal device and a temporary private key of the coordinator; and
      
      verifying, by the terminal device, the public key revocation query identifier in the authentication response, verifying validity of the signature in the authentication response, verifying consistence of the authentication inquiry of the terminal device, the public key revocation query identifier and the identifier of the terminal device and verifying the access result upon reception of the authentication response; and
      
      if verification is passed, then generating the base key between the terminal device and the coordinator from the temporary public key of the terminal device and the temporary private key of the coordinator, thereby succeeding in authentication.
  - 5. The method for ID-based authentication access of a wireless multi-hop network according to claim 4, wherein the process of authenticating the terminal device further comprises:
    - if it is decided from the public key revocation query identifier to perform no public key revocation query, then generating by the coordinator the temporary public key of the coordinator and the access result, and transmitting to the terminal device the authentication response composed of four pieces of information and a signature of the coordinator on the four pieces of information, wherein the four pieces of information include the public key revocation query identifier, the authentication inquiry of the terminal device, the temporary public key of the coordinator and the access result; and
      
      verifying, by the terminal device, validity of the signature of the authentication response, consistency of the authentication inquiry of the terminal device, and the access result upon reception of the authentication response transmitted from the coordinator; and
      
      if verification is not passed, then failing with authentication;
      
      otherwise, generating by the terminal device the base key between the terminal device and the coordinator from the temporary public key of the terminal device and the temporary private key of the coordinator, thereby succeeding in authentication.
  - 6. The method for ID-based authentication access of a wireless multi-hop network according to claim 4, wherein the process of authenticating the terminal device further comprises:
    - upon reception of the public key revocation query request transmitted from the coordinator, verifying by the trusted center the public key revocation query identifier, verifying validity of the public key of the terminal device, generating the public key revocation result of the terminal device, and transmitting to the coordinator the public key revocation query response composed of the public key revocation query inquiry of the coordinator, the public key revocation query identifier and the public key revocation result of the terminal device.
  - 7. The method for ID-based authentication access of a wireless multi-hop network according to claim 2, wherein the process of authenticating the terminal device comprises:
    - generating, by the coordinator, an authentication inquiry of the coordinator and transmitting to the terminal device an authentication activation composed of the authentication inquiry of the coordinator and a public key of the coordinator in response to reception of the connection request command transmitted from the terminal device;
      
      verifying, by the terminal device, validity of the public key of the coordinator upon reception of the authentication activation, and if verification is passed, then generating an authentication inquiry of the terminal device, an public key revocation query identifier and a temporary public key of the terminal device, and transmitting to the coordinator an authentication request composed of five pieces of information and a signature of the terminal device on the five pieces of information, wherein the five pieces of information include the authentication inquiry of the terminal device, the authentication inquiry of the coordinator, a public key of the terminal device, the public key revocation query identifier and the temporary public key of the terminal device;
      
      verifying, by the coordinator, validity of the signature of the authentication request, consistency of the authentication inquiry of the coordinator and validity of the temporary public key of the terminal device upon reception of the authentication request; and
      
      if verification is passed, then deciding from the public key revocation query identifier whether to perform a public key revocation query, and if the public key revocation query is performed, then setting by the coordinator the public key revocation query identifier, generating a public key revocation query inquiry of the coordinator, and transmitting to a trusted center a public key revocation query request composed of the public key revocation query inquiry of the coordinator, the authentication inquiry of the terminal device, the public key revocation query identifier and the public key of the coordinator;
      
      receiving, by the coordinator, a public key revocation query response transmitted from the trusted center composed of the public key revocation query inquiry of the coordinator, the public key revocation query identifier, a public key revocation query result of the coordinator and a public key revocation query signature;
      
      verifying, by the coordinator, the public key revocation query identifier in the public key revocation query response, verifying consistency of the public key revocation query inquiry of the coordinator and the public key revocation query identifier and verifying validity of the public key revocation query result of the coordinator and the public key revocation query signature upon reception of the public key revocation query response; and
      
      if verification is passed, then generating by the coordinator a temporary public key of the coordinator and an access result, and transmitting to the terminal device an authentication response composed of seven pieces of information and a signature of the seven pieces of information, wherein the seven pieces of information include the public key revocation query identifier, the authentication inquiry of the terminal device, the temporary public key of the coordinator, an identifier of the terminal device, the access result, the public key revocation query result of the coordinator and the public key revocation query signature; and
      
      generating by the coordinator a base key between the terminal device and the coordinator from the temporary public key of the terminal device and a temporary private key of the coordinator; and
      
      verifying, by the terminal device, the public key revocation query identifier in the authentication response, verifying validity of the signature of the authentication response, verifying consistence of the authentication inquiry of the terminal device, the public key revocation query identifier and the identifier of the terminal device and verifying the access result upon reception of the authentication response; and
      
      if verification is passed, then generating by the terminal device the base key between the terminal device and the coordinator from the temporary public key of the terminal device and the temporary private key of the coordinator after verifying that the public key revocation query result of the coordinator and the public key revocation query signature are valid, thereby succeeding in authentication.
  - 8. The method for ID-based authentication access of a wireless multi-hop network according to claim 7, wherein the process of authenticating the terminal device further comprises:
    - if the coordinator decides from the public key revocation query identifier to perform no public key revocation query, then generating the temporary public key of the coordinator and the access result, and transmitting from the coordinator to the terminal device the authentication response composed of four pieces of information and a signature of the coordinator on the four pieces of information, wherein the four pieces of information include the public key revocation query identifier, the authentication inquiry of the terminal device, the temporary public key of the coordinator and the access result; and
      
      verifying, by the terminal device, validity of the signature of the authentication response, consistency of the authentication inquiry of the terminal device, and the access result upon reception of the authentication response; and
      
      if verification is passed, then generating by the terminal device the base key between the terminal device and the coordinator from the temporary public key of the terminal device and the temporary private key of the coordinator, thereby succeeding in authentication.
  - 9. The method for ID-based authentication access of a wireless multi-hop network according to claim 7, wherein the process of authenticating the terminal device further comprises:
    - upon reception of the public key revocation query request transmitted from the coordinator, verifying by the trusted center the public key revocation query identifier in the public key revocation query request, verifying validity of the public key of the coordinator, generating the public key revocation query result of the coordinator, calculating a signature on the public key revocation query result of the coordinator using a private key of the trusted center to generate a public key revocation query signature, and transmitting to the coordinator a public key revocation query response composed of the public key revocation query inquiry of the coordinator, the public key revocation query identifier, the public key revocation query result of the coordinator and the public key revocation query signature.
  - 10. The method for ID-based authentication access of a wireless multi-hop network according to claim 2, wherein the process of authenticating the terminal device comprises:
    - generating, by the coordinator, an authentication inquiry of the coordinator and transmitting to the terminal device an authentication activation composed of the authentication inquiry of the coordinator and a public key of the coordinator in response to reception of the connection request command transmitted from the terminal device;
      
      verifying, by the terminal device, validity of the public key of the coordinator in the authentication activation upon reception of the authentication activation, and if verification is passed, then generating an authentication inquiry of the terminal device, an public key revocation query identifier and a temporary public key of the terminal device, and transmitting to the coordinator an authentication request composed of five pieces of information and a signature of the five pieces of information, wherein the five pieces of information include the authentication inquiry of the terminal device, the authentication inquiry of the coordinator, a public key of the terminal device, the public key revocation query identifier and the temporary public key of the terminal device;
      
      verifying, by the coordinator, validity of the signature in the authentication request, consistency of the authentication inquiry of the coordinator and validity of the temporary public key of the terminal device upon reception of the authentication request; and
      
      if authentication is passed, then deciding from the public key revocation query identifier whether to perform a public key revocation query, and if the public key revocation query is performed, then setting by the coordinator the public key revocation query identifier, generating a public key revocation query inquiry of the coordinator, and transmitting to a trusted center a public key revocation query request composed of the public key revocation query inquiry of the coordinator, the authentication inquiry of the terminal device, the public key revocation query identifier, the public key of the terminal device and the public key of the coordinator;
      
      receiving, by the coordinator, a public key revocation query response transmitted from the trusted center composed of the public key revocation query inquiry of the coordinator, the public key revocation query identifier, a public key revocation result of the terminal device, a public key revocation query result of the coordinator and a public key revocation query signature;
      
      verifying, by the coordinator, the public key revocation query identifier in the public key revocation query response, verifying consistency of the public key revocation query inquiry of the coordinator and the public key revocation query identifier, verifying validity of the public key revocation query result of the coordinator and the public key revocation query signature and verifying the public key revocation result of the terminal device; and
      
      if verification is passed, then generating by the coordinator a temporary public key of the coordinator and an access result, and transmitting to the terminal device an authentication response composed of seven pieces of information and a signature of the seven pieces of information, wherein the seven pieces of information include the public key revocation query identifier, the authentication inquiry of the terminal device, the temporary public key of the coordinator, an identifier of the terminal device, the access result, the public key revocation query result of the coordinator and the public key revocation query signature; and
      
      generating by the coordinator a base key between the terminal device and the coordinator from the temporary public key of the terminal device and a temporary private key of the coordinator; and
      
      verifying, by the terminal device, the public key revocation query identifier in the authentication response, verifying validity of the signature of the authentication response, verifying consistence of the authentication inquiry of the terminal device, the public key revocation query identifier and the identifier of the terminal device and verifying the access result upon reception of the authentication response; and
      
      if verification is passed, then generating by the terminal device the base key between the terminal device and the coordinator from the temporary public key of the terminal device and the temporary private key of the coordinator after verifying that the public key revocation query result of the coordinator and the public key revocation query signature are valid, thereby succeeding in authentication.
  - 11. The method for ID-based authentication access of a wireless multi-hop network according to claim 10, wherein the process of authenticating the terminal device further comprises:
    - if no public key revocation query is performed, then generating by the coordinator the temporary public key of the coordinator and the access result, and transmitting from the coordinator to the terminal device the authentication response composed of four pieces of information and a signature of the coordinator on the four pieces of information, wherein the four pieces of information include the public key revocation query identifier, the authentication inquiry of the terminal device, the temporary public key of the coordinator and the access result; and
      
      verifying, by the terminal device, validity of the signature of the authentication response, consistency of the authentication inquiry of the terminal device, and the access result upon reception of the authentication response; and
      
      if verification is passed, then generating by the terminal device the base key between the terminal device and the coordinator from the temporary public key of the terminal device and the temporary private key of the coordinator, thereby succeeding in authentication.
  - 12. The method for ID-based authentication access of a wireless multi-hop network according to claim 10, wherein the process of authenticating the terminal device further comprises:
    - upon reception of the public key revocation query request transmitted from the coordinator, verifying by the trusted center the public key revocation query identifier, verifying validity of the public key of the terminal device, generating the public key revocation result of the terminal device, verifying validity of the public key of the coordinator, generating the public key revocation query result of the coordinator, calculating a signature on the public key revocation query result of the coordinator to generate the public key revocation query signature, and transmitting to the coordinator the public key revocation query response composed of the public key revocation query inquiry of the coordinator, the public key revocation query identifier, the public key revocation result of the terminal device, the public key revocation query result of the coordinator and the public key revocation query signature.
  - 13. The method for ID-based authentication access of a wireless multi-hop network according to claim 2, further comprising:
    - performing, by the coordinator, unicast key negotiation with the terminal device upon successful authentication.
  - 14. The method for ID-based authentication access of a wireless multi-hop network according to claim 13, wherein the process of the coordinator performing unicast key negotiation with the terminal device comprises:
    - when the coordinator is to create or update a unicast key upon successful authentication, generating by the coordinator a unicast key negotiation inquiry of the coordinator, and transmitting to the terminal a unicast key negotiation request composed of the uni-cast key negotiation inquiry of the coordinator;
      
      upon reception of the unicast key negotiation request, generating by the terminal device a unicast key negotiation inquiry of the terminal device, generating the unicast key between the terminal device and the coordinator from a base key, the unicast key negotiation inquiry of the coordinator and the unicast key negotiation inquiry of the terminal device, and transmitting to the coordinator a unicast key negotiation response composed of the uni-cast key negotiation inquiry of the coordinator, the unicast key negotiation inquiry of the terminal device and a message authentication code, wherein the message authentication code is calculated by the terminal device from the unicast key negotiation inquiry of the coordinator and the unicast key negotiation inquiry of the terminal device;
      
      calculating, by the coordinator, the unicast key from the base key, the unicast key negotiation inquiry of the coordinator and the unicast key negotiation inquiry of the terminal device and verifying consistency of the unicast key negotiation inquiry of the coordinator and validity of the message authentication code of the terminal device upon reception of the uni-cast key negotiation response, and if verification is passed, then transmitting from the coordinator to the terminal device a unicast key negotiation acknowledgement composed of the uni-cast key negotiation inquiry of the coordinator and the message authentication code calculated from the unicast key negotiation inquiry of the terminal device; and
      
      verifying by the terminal device the uni-cast key negotiation inquiry of the terminal device for consistency and the message authentication code of the coordinator for validity upon reception of the uni-cast key negotiation acknowledgement, and if verification is passed, then succeeding in uni-cast key negotiation.
  - 15. The method for ID-based authentication access of a wireless multi-hop network according to claim 13, further comprising:
    - performing, by the coordinator, multi-cast key notification with the terminal device upon successful unicast key negotiation.
  - 16. The method for ID-based authentication access of a wireless multi-hop network according to claim 15, wherein the process of multi-cast key notification comprises:
    - when the coordinator is to create up update a multi-cast key upon successful unicast key negotiation, calculating the multi-cast key from a notification master key, encrypting the notification master key using an encryption key in a unicast key, generating a multi-cast key notification identifier, and transmitting to the terminal device multi-cast key notification composed of the multi-cast key notification identifier, the encrypted multi-cast notification master key and a message authentication code, wherein the message authentication code is calculated by the coordinator from the multi-cast key notification identifier and the encrypted multi-cast notification master key using an authentication key in the multi-cast key;
      
      verifying, by the terminal device, whether the multi-cast key notification identifier is identical to a locally calculated multi-cast key notification identifier upon reception of the multi-cast key notification, and if the multi-cast key notification identifier is identical to the locally calculated multi-cast key notification identifier, then calculating the multi-cast key from the notification master key, and further verifying validity of the message authentication code of the coordinator, and if verification is passed, then transmitting from the terminal device to the coordinator a multi-cast key response composed of the multi-cast key notification identifier and a message authentication code, wherein the message authentication code is calculated by the terminal device from the multi-cast key notification identifier using an authentication key in a locally generated multi-cast key; and
      
      verifying, by the coordinator, consistency of the multi-cast key notification identifier and validity of the message authentication code of the terminal device upon reception of the multi-cast key response, and if verification is passed, then succeeding in multi-cast key negotiation.

17. A coordinator, comprising:
- a broadcast unit adapted to broadcast a beacon frame comprising suites of ID-based authentication and key management;
  
  an authentication unit is adapted to authenticate a terminal device supporting the suite of ID-based authentication and key management upon reception of a connection request command transmitted from the terminal device; and
  
  a transmission unit is adapted to transmit to the terminal device a connection response command for instructing the terminal device to access a wireless multi-hop network.
- View Dependent Claims (18)
- - 18. The coordinator according to claim 17, further comprising:
    - a defining unit adapted to predefine uncontrolled and controlled ports for the coordinator and the terminal device so that the coordinator and the terminal device have their uncontrolled ports passing authentication protocol data packets and management information and controlled ports passing application data packets.

19. A terminal device, comprising:
- a connection request transmission unit adapted to transmit a connection request command to a coordinator upon reception of a beacon frame transmitted from the coordinator, wherein the beacon frame comprises suites of ID-based authentication and key management; and
  
  an access unit is adapted to enable a controlled port and access the wireless multi-hop network upon reception of a connection response command transmitted from the coordinator.

20. A system for ID-based authentication of an access to a wireless multi-hop network, comprising a coordinator and a terminal device, wherein:
- the coordinator comprises;
  
  a broadcast unit adapted to broadcast a beacon frame comprising suites of ID-based authentication and key management;
  
  an authentication unit is adapted to authenticate a terminal device supporting the suite of ID-based authentication and key management upon reception of a connection request command transmitted from the terminal device; and
  
  a transmission unit is adapted to transmit to the terminal device a connection response command for instructing the terminal device to access a wireless multi-hop network, andthe terminal device comprises;
  
  a connection request transmission unit adapted to transmit the connection request command to a coordinator upon reception of the beacon frame transmitted from the coordinator, wherein the beacon frame comprises suites of ID-based authentication and key management; and
  
  an access unit is adapted to enable a controlled port and access the wireless multi-hop network upon reception of the connection response command transmitted from the coordinator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
China Iwncomm Co., Ltd
Original Assignee
China Iwncomm Co., Ltd
Inventors
Huang, Zhenhai, Xiao, Yuelei, Cao, Jun, Lai, Xiaolong

Application Number

US12/864,401
Publication Number

US 20100293378A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/062   for key distribution, e.g. ...

H04L 63/205   involving negotiation or de...

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/08   Access security

H04W 84/18   Self-organising networks, e...

METHOD, DEVICE AND SYSTEM OF ID BASED WIRELESS MULTI-HOP NETWORK AUTHENTICATION ACCESS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD, DEVICE AND SYSTEM OF ID BASED WIRELESS MULTI-HOP NETWORK AUTHENTICATION ACCESS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links