Authentication access method and authentication access system for wireless multi-hop network
First Claim
1. An authentication access method applicable to a wireless multi-hop network, comprising:
defining an uncontrolled port and a controlled port of a terminal device and a coordinator, wherein the uncontrolled port passes authentication protocol data packets and management information and the controlled port passes application data packets;
broadcasting, by the coordinator, a beacon frame comprising the authentication and key management suites supported by the coordinator;
selecting, by the terminal device upon reception of the beacon frame of the coordinator, one of the authentication and key management suites, and then transmitting to the coordinator a connection request command comprising the authentication and key management suite selected by the terminal device;
performing, by the coordinator upon reception of the connection request command of the terminal device, an authentication process with the terminal device according to the authentication and key management suite selected by the terminal device;
upon successful authentication, opening the controlled port to allow access of the terminal device to the wireless multi-hop network while transmitting a connection response command to the terminal device; and
opening, by the terminal device upon reception of the connection response command of the coordinator, the controlled port to thereby access the wireless multi-hop network;
wherein the authentication and key management suites comprise an authentication and key management suite based upon a pre-shared key and an ID-based authentication and key management suite, and wherein the authentication process comprises:
A. when the coordinator knows from the connection request command transmitted from the terminal device that the authentication and key management suite selected by the terminal device is the ID-based authentication and key management suite, generating an authentication inquiry of the coordinator, and transmitting an authentication activation consisting of the authentication inquiry of the coordinator and a public key of the coordinator to the terminal device;
B. verifying, by the terminal device upon reception of the authentication activation, the public key of the coordinator for validity and, when verification is passed, generating an authentication inquiry of the terminal device, an identifier of a public key revocation query and a temporary public key of the terminal device, and transmitting an authentication request consisting of the authentication inquiry of the terminal device, the authentication inquiry of the coordinator, a public key of the terminal device, the identifier of the public key revocation query, the temporary public key of the terminal device and a signature of the terminal device on the above five items of information to the coordinator;
C. verifying, by the coordinator upon reception of the authentication request, the signature of the authentication request for validity, the authentication inquiry of the coordinator for consistency and the temporary public key of the terminal device for validity;
when verification is passed, determining according to the identifier of the public key revocation query whether to perform the public key revocation query;
if the public key revocation query is not to be performed, generating a temporary public key of the coordinator and an access result, then transmitting, by the coordinator, an authentication response consisting of the identifier of the public key revocation query, the authentication inquiry of the terminal device, the temporary public key of the coordinator, the access result and a signature of the coordinator on the above four items of information to the terminal device, and then performing step G;
or if the public key revocation query is to be performed, transmitting a public key revocation query request to a trusted center;
D. verifying, by the trusted center upon reception of the public key revocation query request, the information of the public key revocation query request, and then transmitting a public key revocation query response to the coordinator;
E. verifying, by the coordinator upon reception of the public key revocation query response, the information of the public key revocation query response, and then transmitting the authentication response to the terminal device; and
also generating a base key between the terminal device and the coordinator according to the temporary public key of the terminal device and the temporary private key of the coordinator;
F. verifying, by the terminal device upon reception of the authentication response, the information of the authentication response, wherein if verification fails, the authentication fails;
otherwise, the terminal device generates the base key between the terminal device and the coordinator according to the temporary public key of the coordinator and the temporary private key of the terminal device, and the authentication is successful; and
G. verifying, by the terminal device upon reception of the authentication response transmitted in step C from the coordinator, the signature of the authentication response for validity, the authentication inquiry of the terminal device for consistency and the access result, wherein if verification fails, the authentication fails;
otherwise, the terminal device generates the base key between the terminal device and the coordinator according to the temporary public key of the coordinator and the temporary private key of the terminal device, and the authentication is successful.
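The ID-based procedure of steps A to G, with both sides' messages, as an added worked example in Go; it is not code from the patent or from any product implementing it. The claims name the contents of each message but not the algorithms, so the example assumes Ed25519 for the long-term public keys and signatures, X25519 for the temporary keys, 16-byte random challenges as the authentication inquiries, SHA-256 of the X25519 shared secret as the base key, plain concatenation as the signed byte string, and an in-memory revocation list standing in for the trusted center. All type and function names (Device, AuthRequest, RunIDBased, baseKey) and the queryRevocation parameter are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
)

// Device: long-term signing key pair (the claim's "public key"; Ed25519 is an assumption) and
// the controlled-port state. The uncontrolled port is implicit: handshake messages always pass.
type Device struct {
	SignPriv       ed25519.PrivateKey
	SignPub        ed25519.PublicKey
	ControlledOpen bool
}
func NewDevice() *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{SignPriv: priv, SignPub: pub}
}
// Messages follow the item lists of claim 1 (wire encoding assumed); step A is just a challenge plus the coordinator's public key.
type AuthRequest struct { // step B; Sig covers the five fields above it
	TermNonce, CoordNonce [16]byte
	TermPub               ed25519.PublicKey
	RevocationQuery       bool
	TermEphPub            []byte // temporary X25519 public key
	Sig                   []byte
}
type AuthResponse struct { // step C or E; Sig covers the four fields above it
	RevocationQuery bool
	TermNonce       [16]byte
	CoordEphPub     []byte
	AccessGranted   bool
	Sig             []byte
}
func nonce() (n [16]byte) { rand.Read(n[:]); return n }
func (r *AuthRequest) signed() []byte {
	return bytes.Join([][]byte{r.TermNonce[:], r.CoordNonce[:], r.TermPub,
		strconv.AppendBool(nil, r.RevocationQuery), r.TermEphPub}, nil)
}
func (r *AuthResponse) signed() []byte {
	return bytes.Join([][]byte{strconv.AppendBool(nil, r.RevocationQuery), r.TermNonce[:],
		r.CoordEphPub, strconv.AppendBool(nil, r.AccessGranted)}, nil)
}
// baseKey validates the peer's temporary public key, runs X25519 with one's own temporary
// private key and hashes the result; the claim fixes the inputs, not the function.
func baseKey(own *ecdh.PrivateKey, peerEph []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerEph) // length check
	if err != nil {
		return nil, err
	}
	shared, err := own.ECDH(peer) // Go rejects low-order points here
	sum := sha256.Sum256(append([]byte("base-key:"), shared...))
	return sum[:], err
}
// RunIDBased runs steps A to G of claim 1 with both sides in one process; revoked stands in for
// the trusted center of steps D/E. Every failure returns before the controlled ports open.
func RunIDBased(term, coord *Device, revoked map[string]bool, queryRevocation bool) (termBase, coordBase []byte, err error) {
	actNonce, actPub := nonce(), coord.SignPub // A: authentication activation
	// B. Terminal: validate the coordinator's key before it reaches ed25519.Verify, which panics on a wrong length.
	if len(actPub) != ed25519.PublicKeySize {
		return nil, nil, errors.New("B: coordinator public key invalid")
	}
	termEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	req := AuthRequest{TermNonce: nonce(), CoordNonce: actNonce, TermPub: term.SignPub,
		RevocationQuery: queryRevocation, TermEphPub: termEph.PublicKey().Bytes()}
	req.Sig = ed25519.Sign(term.SignPriv, req.signed())
	// C. Coordinator: key length, signature, echoed challenge; the temporary key is checked in baseKey.
	if len(req.TermPub) != ed25519.PublicKeySize || !ed25519.Verify(req.TermPub, req.signed(), req.Sig) ||
		req.CoordNonce != actNonce {
		return nil, nil, errors.New("C: bad terminal key or signature, or stale coordinator challenge")
	}
	coordEph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	if coordBase, err = baseKey(coordEph, req.TermEphPub); err != nil {
		return nil, nil, err
	}
	granted := !(req.RevocationQuery && revoked[string(req.TermPub)]) // D/E: only when asked
	resp := AuthResponse{RevocationQuery: req.RevocationQuery, TermNonce: req.TermNonce,
		CoordEphPub: coordEph.PublicKey().Bytes(), AccessGranted: granted}
	resp.Sig = ed25519.Sign(coord.SignPriv, resp.signed())
	// F/G. Terminal: signature, echoed challenge and access result, then its own derivation.
	if !ed25519.Verify(actPub, resp.signed(), resp.Sig) || resp.TermNonce != req.TermNonce ||
		!resp.AccessGranted {
		return nil, nil, errors.New("F/G: bad coordinator signature, stale challenge or access denied")
	}
	if termBase, err = baseKey(termEph, resp.CoordEphPub); err != nil {
		return nil, nil, err
	}
	coord.ControlledOpen, term.ControlledOpen = true, true // connection response/command
	return termBase, coordBase, nil
}
func main() {
	fmt.Println(RunIDBased(NewDevice(), NewDevice(), map[string]bool{}, true))
}
```

Two points the claim text leaves implicit. The controlled ports are opened only by the last statement, so every verification failure leaves both devices limited to the uncontrolled port; that is what makes the port split meaningful. And because the identifier of the public key revocation query is set by the terminal, a coordinator that accepts a "no query" identifier from an unknown terminal never consults the trusted center, so a deployment should treat the identifier as a request and apply its own policy.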
Abstract
Authentication access method and authentication access system for a wireless multi-hop network. The terminal equipment and the coordinator both have port control capability. The coordinator broadcasts a beacon frame; the terminal equipment selects an authentication and key management suite and transmits a connection request command to the coordinator. The coordinator performs authentication with the terminal equipment according to the suite selected by the terminal equipment and, once authenticated, transmits a connection response command to the terminal equipment. The terminal equipment and the coordinator control their ports according to the authentication result, so authenticated access to the wireless multi-hop network is realized. The invention addresses the security problems of existing authentication methods for wireless multi-hop networks.
9 Claims
1. (Independent claim; given in full under First Claim above.) Dependent claims: 2, 3, 7, 8.
4. An authentication access method applicable to a wireless multi-hop network, comprising:
defining an uncontrolled port and a controlled port of a terminal device and a coordinator, wherein the uncontrolled port passes authentication protocol data packets and management information and the controlled port passes application data packets;
broadcasting, by the coordinator, a beacon frame comprising the authentication and key management suites supported by the coordinator;
selecting, by the terminal device upon reception of the beacon frame of the coordinator, one of the authentication and key management suites, and then transmitting to the coordinator a connection request command comprising the authentication and key management suite selected by the terminal device;
performing, by the coordinator upon reception of the connection request command of the terminal device, an authentication process with the terminal device according to the authentication and key management suite selected by the terminal device;
upon successful authentication, opening the controlled port to allow access of the terminal device to the wireless multi-hop network while transmitting a connection response command to the terminal device; and
opening, by the terminal device upon reception of the connection response command of the coordinator, the controlled port to thereby access the wireless multi-hop network;
wherein the authentication and key management suites comprise an authentication and key management suite based upon a pre-shared key and an ID-based authentication and key management suite, and wherein the authentication process comprises:
a. when the coordinator knows from the connection request command transmitted from the terminal device that the authentication and key management suite selected by the terminal device is the authentication and key management suite based upon a pre-shared key, expanding, by the coordinator, a locally stored pre-shared key between the coordinator and the terminal device into a corresponding base key, generating an authentication inquiry of a pre-shared key of the coordinator, and then transmitting an authentication request consisting of the authentication inquiry of the pre-shared key of the coordinator to the terminal device;
b. expanding, by the terminal device upon reception of the authentication request, the locally stored pre-shared key between the coordinator and the terminal device into the corresponding base key, generating an authentication inquiry of a pre-shared key of the terminal device, generating a unicast key between the terminal device and the coordinator according to the base key, the authentication inquiry of the pre-shared key of the coordinator and the authentication inquiry of the pre-shared key of the terminal device, and then transmitting to the coordinator an authentication response consisting of the authentication inquiry of the pre-shared key of the coordinator, the authentication inquiry of the pre-shared key of the terminal device and a message authentication code, wherein the message authentication code is calculated over the authentication inquiry of the pre-shared key of the coordinator and the authentication inquiry of the pre-shared key of the terminal device;
c. calculating, by the coordinator upon reception of the authentication response, the unicast key from the base key, the authentication inquiry of the pre-shared key of the coordinator generated in step a and the authentication inquiry of the pre-shared key of the terminal device, then verifying the authentication inquiry of the pre-shared key of the coordinator for consistency and the message authentication code of the terminal device for validity, wherein if verification fails, the authentication fails;
otherwise, the coordinator transmits to the terminal device an authentication acknowledgement consisting of the authentication inquiry of the pre-shared key of the terminal device and a message authentication code calculated by the coordinator over the authentication inquiry of the pre-shared key of the terminal device; and
d. verifying, by the terminal device upon reception of the authentication acknowledgement, the authentication inquiry of the pre-shared key of the terminal device for consistency and the message authentication code of the coordinator for validity, wherein if verification fails, the authentication fails;
otherwise, the authentication is successful.
Dependent claims: 5, 6.
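The pre-shared-key procedure of steps a to d, as an added example in Go that is not code from the patent or from any implementation of it. The claim fixes the inputs of each operation but not the functions, so the example assumes HMAC-SHA256 with a fixed label for expanding the pre-shared key into the base key, HMAC-SHA256 over the two challenges for the unicast key, and HMAC-SHA256 keyed with the unicast key for both message authentication codes (the claim says what the codes cover but not what keys them). The pre-shared key value, the 16-byte challenges and the type names (PSKDevice, RunPSK, expandPSK) are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PSKDevice holds the locally stored pre-shared key and the controlled-port state.
type PSKDevice struct {
	PSK            []byte
	ControlledOpen bool
}

// Messages a to d of claim 4; the wire encoding is assumed.
type PSKAuthRequest struct{ CoordNonce [16]byte }
type PSKAuthResponse struct {
	CoordNonce, TermNonce [16]byte
	MAC                   []byte // over both challenges
}
type PSKAuthAck struct {
	TermNonce [16]byte
	MAC       []byte // over the terminal's challenge
}

func nonce() (n [16]byte) { rand.Read(n[:]); return n }

func hmacSHA256(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// expandPSK turns the pre-shared key into the base key. The claim says only "expanding";
// an HMAC with a fixed label is assumed so the raw pre-shared key never acts as a key itself.
func expandPSK(psk []byte) []byte { return hmacSHA256([]byte("psk-to-base-key"), psk) }

// unicastKey binds the base key to both fresh challenges, so a session key is never reused
// across handshakes even though the pre-shared key is static.
func unicastKey(base []byte, coordNonce, termNonce [16]byte) []byte {
	return hmacSHA256(base, []byte("unicast-key"), coordNonce[:], termNonce[:])
}

// RunPSK runs steps a to d of claim 4 with both sides in one process and returns the unicast
// key each side derived. A valid MAC under the unicast key proves the peer holds the same
// pre-shared key and derived the same key; every failure returns before the ports open.
func RunPSK(term, coord *PSKDevice) (termKey, coordKey []byte, err error) {
	// a. Coordinator: expand its copy of the PSK, send a fresh challenge.
	coordBase := expandPSK(coord.PSK)
	req := PSKAuthRequest{CoordNonce: nonce()}
	// b. Terminal: expand its copy, add its own challenge, derive the unicast key, MAC both challenges.
	termBase := expandPSK(term.PSK)
	resp := PSKAuthResponse{CoordNonce: req.CoordNonce, TermNonce: nonce()}
	termKey = unicastKey(termBase, resp.CoordNonce, resp.TermNonce)
	resp.MAC = hmacSHA256(termKey, resp.CoordNonce[:], resp.TermNonce[:])
	// c. Coordinator: derive the key from the challenge it generated (not the echoed copy),
	// then check the echo and the MAC in constant time.
	coordKey = unicastKey(coordBase, req.CoordNonce, resp.TermNonce)
	if resp.CoordNonce != req.CoordNonce {
		return nil, nil, errors.New("c: coordinator challenge mismatch (replayed response?)")
	}
	if !hmac.Equal(resp.MAC, hmacSHA256(coordKey, req.CoordNonce[:], resp.TermNonce[:])) {
		return nil, nil, errors.New("c: terminal MAC invalid (wrong pre-shared key?)")
	}
	ack := PSKAuthAck{TermNonce: resp.TermNonce}
	ack.MAC = hmacSHA256(coordKey, ack.TermNonce[:])
	// d. Terminal: check its echoed challenge and the coordinator's MAC.
	if ack.TermNonce != resp.TermNonce {
		return nil, nil, errors.New("d: terminal challenge mismatch (replayed acknowledgement?)")
	}
	if !hmac.Equal(ack.MAC, hmacSHA256(termKey, resp.TermNonce[:])) {
		return nil, nil, errors.New("d: coordinator MAC invalid")
	}
	coord.ControlledOpen, term.ControlledOpen = true, true // connection response/command
	return termKey, coordKey, nil
}

func main() {
	psk := []byte("constructed example pre-shared key") // constructed for this example only
	term, coord := &PSKDevice{PSK: psk}, &PSKDevice{PSK: psk}
	tk, ck, err := RunPSK(term, coord)
	fmt.Println("err:", err, "same unicast key:", bytes.Equal(tk, ck), "port open:", term.ControlledOpen)
}
```

hmac.Equal keeps the MAC comparison constant-time, and each side derives the unicast key from the challenge it generated rather than from the echoed copy, so a tampered echo fails the MAC as well as the consistency check. Note what this suite does not give: the base key is a fixed function of the static pre-shared key and both challenges travel in the clear, so anyone who later obtains the pre-shared key can recompute every past unicast key from a recording. The temporary keys of the ID-based suite are what provide that protection.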
9. An authentication access system applicable to a wireless multi-hop network, comprising a terminal device, a coordinator and a trusted center, wherein:
the terminal device and the coordinator are each provided with an uncontrolled port and a controlled port, wherein the uncontrolled port passes authentication protocol data packets and management information and the controlled port passes application data packets;
the coordinator is adapted to broadcast a beacon frame comprising the authentication and key management suites supported by the coordinator, to perform an authentication process with the terminal device and the trusted center according to the authentication and key management suite selected by the terminal device upon reception of a connection request command of the terminal device, wherein the connection request command comprises the authentication and key management suite selected by the terminal device, and, upon successful authentication, to open the controlled port to allow access of the terminal device to the wireless multi-hop network while transmitting a connection response command to the terminal device;
the terminal device is adapted to select the authentication and key management suite and then transmit the connection request command to the coordinator upon reception of the beacon frame of the coordinator, wherein the connection request command comprises the authentication and key management suite selected by the terminal device, and to open the controlled port to thereby access the wireless multi-hop network upon reception of the connection response command of the coordinator; and
the trusted center is adapted to facilitate the authentication process of the coordinator and the terminal device;
wherein the authentication and key management suites comprise an authentication and key management suite based upon a pre-shared key and an ID-based authentication and key management suite, and wherein the authentication process comprises either:
A. when the coordinator knows from the connection request command transmitted from the terminal device that the authentication and key management suite selected by the terminal device is the ID-based authentication and key management suite, generating an authentication inquiry of the coordinator, and transmitting an authentication activation consisting of the authentication inquiry of the coordinator and a public key of the coordinator to the terminal device;
B. verifying, by the terminal device upon reception of the authentication activation, the public key of the coordinator for validity and, when verification is passed, generating an authentication inquiry of the terminal device, an identifier of a public key revocation query and a temporary public key of the terminal device, and transmitting an authentication request consisting of the authentication inquiry of the terminal device, the authentication inquiry of the coordinator, a public key of the terminal device, the identifier of the public key revocation query, the temporary public key of the terminal device and a signature of the terminal device on the above five items of information to the coordinator;
C. verifying, by the coordinator upon reception of the authentication request, the signature of the authentication request for validity, the authentication inquiry of the coordinator for consistency and the temporary public key of the terminal device for validity;
when verification is passed, determining according to the identifier of the public key revocation query whether to perform the public key revocation query;
if the public key revocation query is not to be performed, generating a temporary public key of the coordinator and an access result, then transmitting, by the coordinator, an authentication response consisting of the identifier of the public key revocation query, the authentication inquiry of the terminal device, the temporary public key of the coordinator, the access result and a signature of the coordinator on the above four items of information to the terminal device, and then performing step G;
or if the public key revocation query is to be performed, transmitting a public key revocation query request to the trusted center;
D. verifying, by the trusted center upon reception of the public key revocation query request, the information of the public key revocation query request, and then transmitting a public key revocation query response to the coordinator;
E. verifying, by the coordinator upon reception of the public key revocation query response, the information of the public key revocation query response, and then transmitting the authentication response to the terminal device; and
also generating a base key between the terminal device and the coordinator according to the temporary public key of the terminal device and the temporary private key of the coordinator;
F. verifying, by the terminal device upon reception of the authentication response, the information of the authentication response, wherein if verification fails, the authentication fails;
otherwise, the terminal device generates the base key between the terminal device and the coordinator according to the temporary public key of the coordinator and the temporary private key of the terminal device, and the authentication is successful; and
G. verifying, by the terminal device upon reception of the authentication response transmitted in step C from the coordinator, the signature of the authentication response for validity, the authentication inquiry of the terminal device for consistency and the access result, wherein if verification fails, the authentication fails;
otherwise, the terminal device generates the base key between the terminal device and the coordinator according to the temporary public key of the coordinator and the temporary private key of the terminal device, and the authentication is successful;
or:
a. when the coordinator knows from the connection request command transmitted from the terminal device that the authentication and key management suite selected by the terminal device is the authentication and key management suite based upon a pre-shared key, expanding, by the coordinator, a locally stored pre-shared key between the coordinator and the terminal device into a corresponding base key, generating an authentication inquiry of a pre-shared key of the coordinator, and then transmitting an authentication request consisting of the authentication inquiry of the pre-shared key of the coordinator to the terminal device;
b. expanding, by the terminal device upon reception of the authentication request, the locally stored pre-shared key between the coordinator and the terminal device into the corresponding base key, generating an authentication inquiry of a pre-shared key of the terminal device, generating a unicast key between the terminal device and the coordinator according to the base key, the authentication inquiry of the pre-shared key of the coordinator and the authentication inquiry of the pre-shared key of the terminal device, and then transmitting to the coordinator an authentication response consisting of the authentication inquiry of the pre-shared key of the coordinator, the authentication inquiry of the pre-shared key of the terminal device and a message authentication code, wherein the message authentication code is calculated over the authentication inquiry of the pre-shared key of the coordinator and the authentication inquiry of the pre-shared key of the terminal device;
c. calculating, by the coordinator upon reception of the authentication response, the unicast key from the base key, the authentication inquiry of the pre-shared key of the coordinator generated in step a and the authentication inquiry of the pre-shared key of the terminal device, then verifying the authentication inquiry of the pre-shared key of the coordinator for consistency and the message authentication code of the terminal device for validity, wherein if verification fails, the authentication fails;
otherwise, the coordinator transmits to the terminal device an authentication acknowledgement consisting of the authentication inquiry of the pre-shared key of the terminal device and a message authentication code calculated by the coordinator over the authentication inquiry of the pre-shared key of the terminal device; and
d. verifying, by the terminal device upon reception of the authentication acknowledgement, the authentication inquiry of the pre-shared key of the terminal device for consistency and the message authentication code of the coordinator for validity, wherein if verification fails, the authentication fails;
otherwise, the authentication is successful.