Authentication access method and authentication access system for wireless multi-hop network

US 8,656,153 B2
Filed: 12/26/2008
Issued: 02/18/2014
Est. Priority Date: 12/29/2007
Status: Active Grant

First Claim

Patent Images

1. An authentication access method applicable to a wireless multi-hop network, comprising:

defining an uncontrolled port and a controlled port of a terminal device and a coordinator, wherein the uncontrolled port pass an authentication protocol data packet and management information and the controlled port pass an application data packet;

broadcasting, by the coordinator, a beacon frame comprising authentication and key management suites supported by the coordinator;

selecting, by the terminal device upon reception of the beacon frame of the coordinator, one of the authentication and key management suites, and then transmitting to the coordinator a connection request command comprising the authentication and key management suites selected by the terminal device;

performing, by the coordinator upon reception of the connection request command of the terminal device, an authentication process with the terminal device according to the authentication and key management suites selected by the terminal device; and

upon successful authentication, opening the controlled port to allow an access of the terminal device to the wireless multi-hop network while transmitting a connection response command to the terminal device; and

opening, by the terminal device upon reception of the connection response command of the coordinator, the controlled port to thereby access the wireless multi-hop network;

wherein the authentication and key management suites comprise an authentication and key management suite based upon a pre-shared key and an ID-based authentication and key management suit, andwherein the authentication process comprises;

A. when the coordinator knows from the connection request command transmitted from the terminal device that the authentication and key management suite selected by the terminal device is an ID-based authentication and key management suite, generating an authentication inquiry of the coordinator, and transmitting an authentication activation consisting of the authentication inquiry of the coordinator and a public key of the coordinator to the terminal device;

B. when validity verification of the public key of the coordinator is passed, generating, by the terminal device upon reception of the authentication activation, an authentication inquiry of the terminal device, an identifier of a public key revocation query and a temporary public key of the terminal device, and transmitting an authentication request consisting of the authentication inquiry of the terminal device, the authentication inquiry of the coordinator, a public key of the terminal device, the identifier of the public key revocation query, the temporary public key of the terminal device and a signature of the terminal device on the above five items of information to the coordinator;

C. verifying, by the coordinator upon reception of the authentication request, the signature of the authentication request for legality, the authentication inquiry of the coordinator for consistency and the temporary public key of the terminal device for validity;

when verification is passed, determining according to the identifier of the public key revocation query whether to perform the public key revocation query;

if the public key revocation query is not to be performed, generating a temporary public key of the coordinator and an access result, then transmitting, by the coordinator, an authentication response consisting of the identifier of the public key revocation query, the authentication inquiry of the terminal device, the temporary public key of the coordinator, the access result and a signature of the coordinator on the above four items of information to the terminal device, and then performing step G;

or if the public key revocation query is to be performed, transmitting a public key revocation query request;

D. verifying, by a trusted center upon reception of the public key revocation query request, the information of the public key revocation query request, and then transmitting a public key revocation query response to the coordinator;

E. verifying, by the coordinator upon reception of the public key revocation query response, the information of the public key revocation query response, and then transmitting the authentication response to the terminal device; and

also generating a base key between the terminal device and the coordinator according to the temporary public key of the terminal device and a temporary private key of the coordinator;

F. verifying, by the terminal device upon reception of the authentication response, the information of the authentication response, wherein if verification fails, the authentication fails;

otherwise, the terminal device generates the base key between the terminal device and the coordinator according to the temporary public key of the terminal device and the temporary private key of the coordinator and the authentication is successful; and

G. verifying, by the terminal device upon reception of the authentication response transmitted in the step C from the coordinator, the signature of the authentication response for validity, the authentication inquiry of the terminal device for consistency and the access result, wherein if verification fails, the authentication fails;

otherwise, the terminal device generates the base key between the terminal device and the coordinator according to the temporary public key of the terminal device and the temporary private key of the coordinator and the authentication is successful.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authentication access method and authentication access system for wireless multi-hop network. Terminal equipment and coordinator have the capability of port control, the coordinator broadcasts a beacon frame, and the terminal equipment selects an authentication and key management suite and transmits a connecting request command to the coordinator. The coordinator performs authentication with the terminal equipment according to the authentication and key management suite which is selected by the terminal equipment, after authenticated, transmits a connecting response command to the terminal equipment. The terminal equipment and the coordinator control the port according to the authentication result, therefore the authenticated access for the wireless multi-hop network is realized. The invention solves the security problem of the wireless multi-hop network authentication method.

Citations

9 Claims

1. An authentication access method applicable to a wireless multi-hop network, comprising:
- defining an uncontrolled port and a controlled port of a terminal device and a coordinator, wherein the uncontrolled port pass an authentication protocol data packet and management information and the controlled port pass an application data packet;
  
  broadcasting, by the coordinator, a beacon frame comprising authentication and key management suites supported by the coordinator;
  
  selecting, by the terminal device upon reception of the beacon frame of the coordinator, one of the authentication and key management suites, and then transmitting to the coordinator a connection request command comprising the authentication and key management suites selected by the terminal device;
  
  performing, by the coordinator upon reception of the connection request command of the terminal device, an authentication process with the terminal device according to the authentication and key management suites selected by the terminal device; and
  
  upon successful authentication, opening the controlled port to allow an access of the terminal device to the wireless multi-hop network while transmitting a connection response command to the terminal device; and
  
  opening, by the terminal device upon reception of the connection response command of the coordinator, the controlled port to thereby access the wireless multi-hop network;
  
  wherein the authentication and key management suites comprise an authentication and key management suite based upon a pre-shared key and an ID-based authentication and key management suit, andwherein the authentication process comprises;
  
  A. when the coordinator knows from the connection request command transmitted from the terminal device that the authentication and key management suite selected by the terminal device is an ID-based authentication and key management suite, generating an authentication inquiry of the coordinator, and transmitting an authentication activation consisting of the authentication inquiry of the coordinator and a public key of the coordinator to the terminal device;
  
  B. when validity verification of the public key of the coordinator is passed, generating, by the terminal device upon reception of the authentication activation, an authentication inquiry of the terminal device, an identifier of a public key revocation query and a temporary public key of the terminal device, and transmitting an authentication request consisting of the authentication inquiry of the terminal device, the authentication inquiry of the coordinator, a public key of the terminal device, the identifier of the public key revocation query, the temporary public key of the terminal device and a signature of the terminal device on the above five items of information to the coordinator;
  
  C. verifying, by the coordinator upon reception of the authentication request, the signature of the authentication request for legality, the authentication inquiry of the coordinator for consistency and the temporary public key of the terminal device for validity;
  
  when verification is passed, determining according to the identifier of the public key revocation query whether to perform the public key revocation query;
  
  if the public key revocation query is not to be performed, generating a temporary public key of the coordinator and an access result, then transmitting, by the coordinator, an authentication response consisting of the identifier of the public key revocation query, the authentication inquiry of the terminal device, the temporary public key of the coordinator, the access result and a signature of the coordinator on the above four items of information to the terminal device, and then performing step G;
  
  or if the public key revocation query is to be performed, transmitting a public key revocation query request;
  
  D. verifying, by a trusted center upon reception of the public key revocation query request, the information of the public key revocation query request, and then transmitting a public key revocation query response to the coordinator;
  
  E. verifying, by the coordinator upon reception of the public key revocation query response, the information of the public key revocation query response, and then transmitting the authentication response to the terminal device; and
  
  also generating a base key between the terminal device and the coordinator according to the temporary public key of the terminal device and a temporary private key of the coordinator;
  
  F. verifying, by the terminal device upon reception of the authentication response, the information of the authentication response, wherein if verification fails, the authentication fails;
  
  otherwise, the terminal device generates the base key between the terminal device and the coordinator according to the temporary public key of the terminal device and the temporary private key of the coordinator and the authentication is successful; and
  
  G. verifying, by the terminal device upon reception of the authentication response transmitted in the step C from the coordinator, the signature of the authentication response for validity, the authentication inquiry of the terminal device for consistency and the access result, wherein if verification fails, the authentication fails;
  
  otherwise, the terminal device generates the base key between the terminal device and the coordinator according to the temporary public key of the terminal device and the temporary private key of the coordinator and the authentication is successful.
- View Dependent Claims (2, 3, 7, 8)
- - 2. The method according to claim 1, further comprising:
    - performing, by the terminal device upon successful connection to the coordinator, unicast key negotiation with the coordinator.
  - 3. The method according to claim 2, wherein the unicast key negotiation is performed in following steps of:
    - when a unicast key is required to be created or updated, generating, by the coordinator upon successful authentication, a unicast key negotiation inquiry of the coordinator, and transmitting a unicast key negotiation request consisting of the unicast key negotiation inquiry of the coordinator to the terminal device;
      
      generating, by the terminal device upon reception of the unicast key negotiation request, a unicast key negotiation inquiry of the terminal device, generating a unicast key between the terminal device and the coordinator according to the base key, the unicast key negotiation inquiry of the coordinator and the unicast key negotiation inquiry of the terminal device, and then transmitting to the coordinator a unicast key negotiation response consisting of the unicast key negotiation inquiry of the coordinator, the unicast key negotiation inquiry of the terminal device and a message authentication code, wherein the message authentication code is calculated by the terminal device according to the unicast key negotiation inquiry of the coordinator and the unicast key negotiation inquiry of the terminal device;
      
      calculating, by the coordinator upon reception of the unicast key negotiation response, the unicast key according to the base key, the unicast key negotiation inquiry of the coordinator and the unicast key negotiation inquiry of the terminal device, then verifying the unicast key negotiation inquiry of the coordinator for consistency and the message authentication code of the terminal device for validity, wherein if verification fails, the unicast key negotiation fails;
      
      otherwise, the coordinator transmits a unicast key negotiation acknowledgement consisting of the unicast key negotiation inquiry of the coordinator and the message authentication code calculated on the unicast key negotiation inquiry of the terminal device to the terminal device; and
      
      verifying, by the terminal device upon reception of the unicast key negotiation acknowledgement, the unicast key negotiation inquiry of the terminal device for consistency and the message authentication code of the coordinator for validity, wherein if verification fails, the unicast key negotiation fails;
      
      otherwise, the unicast key negotiation is successful.
  - 7. The method according to claim 2, further comprising:
    - performing, by the coordinator and the terminal device, a multicast key announcement process upon completion of the unicast key negotiation; and
      
      if the unicast key negotiation is passed and the coordinator is required to perform multicast key negotiation with the terminal device, performing, by the coordinator, the multicast key announcement process with the terminal device.
  - 8. The method according to claim 7, wherein the multicast key announcement process comprises:
    - when a multicast key is required to be created or updated, firstly calculating, by the coordinator upon successful unicast key negotiation, the multicast key from an announcement master key, then encrypting the announcement master key using an encryption key in the unicast key to generate an identifier of a multicast key announcement, and finally transmitting to the terminal device the multicast key announcement consisting of the identifier of the multicast key announcement, the encrypted multicast announcement master key and a message authentication code, wherein the message authentication code is calculated by the coordinator from the identifier of the multicast key announcement and the encrypted multicast announcement master key using an authentication key in the multicast key;
      
      verifying, by the terminal device upon reception of the multicast key announcement, the identifier of the multicast key announcement and calculating the multicast key from the announcement master key, then further verifying the message authentication code of the coordinator for validity, and when verification is passed, transmitting to the coordinator a multicast key response consisting of the identifier of the multicast key announcement and a message authentication code, wherein the message authentication code is calculated by the terminal device from the identifier of the multicast key announcement message using an authentication key in a locally generated multicast key; and
      
      verifying, by the coordinator upon reception of the multicast key response, the identifier of the multicast key announcement for consistency and the message authentication code of the terminal device for validity, wherein if verification fails, the multicast key negotiation fails;
      
      otherwise, the multicast key negotiation is successful.

4. An authentication access method applicable to a wireless multi-hop network, comprising:
- defining an uncontrolled port and a controlled port of a terminal device and a coordinator, wherein the uncontrolled port pass an authentication protocol data packet and management information and the controlled port pass an application data packet;
  
  broadcasting, by the coordinator, a beacon frame comprising authentication and key management suites supported by the coordinator;
  
  selecting, by the terminal device upon reception of the beacon frame of the coordinator, one of the authentication and key management suites, and then transmitting to the coordinator a connection request command comprising the authentication and key management suites selected by the terminal device;
  
  performing, by the coordinator upon reception of the connection request command of the terminal device, an authentication process with the terminal device according to the authentication and key management suites selected by the terminal device; and
  
  upon successful authentication, opening the controlled port to allow an access of the terminal device to the wireless multi-hop network while transmitting a connection response command to the terminal device; and
  
  opening, by the terminal device upon reception of the connection response command of the coordinator, the controlled port to thereby access the wireless multi-hop network;
  
  wherein the authentication and key management suites comprise an authentication and key management suite based upon a pre-shared key and an ID-based authentication and key management suit, andwherein the authentication process comprises;
  
  a. when the coordinator knows from the connection request command transmitted from the terminal device that the authentication and key management suite selected by the terminal device is an authentication and key management suite based upon a pre-shared key, expanding, by the coordinator, a locally stored pre-shared key between the coordinator and the terminal device into a corresponding base key, generating an authentication inquiry of a pre-shared key of the coordinator, and then transmitting an authentication request consisting of the authentication inquiry of the pre-shared key of the coordinator to the terminal device;
  
  b. firstly expanding, by the terminal device upon reception of the authentication request, the locally stored pre-shared key between the coordinator and the terminal device into the corresponding base key, generating an authentication inquiry of a pre-shared key of the terminal device, generating a unicast key between the terminal device and the coordinator according to the base key, the authentication inquiry of the pre-shared key of the coordinator and the authentication inquiry of the pre-shared key of the terminal device, and then transmitting to the coordinator an authentication response consisting of the authentication inquiry of the pre-shared key of the coordinator, the authentication inquiry of the pre-shared key of the terminal device and a message authentication code, wherein the message authentication code is calculated from the authentication inquiry of the pre-shared key of the coordinator and the authentication inquiry of the pre-shared key of the terminal device;
  
  c. calculating, by the coordinator upon reception of the authentication response, the unicast key from the base key and the authentication inquiry of the pre-shared key of the coordinator generated in the step a and the authentication inquiry of the pre-shared key of the terminal device, then verifying the authentication inquiry of the pre-shared key of the coordinator for consistency and the message authentication code of the terminal device for validity, wherein if verification fails, the authentication fails;
  
  otherwise, the coordinator transmits an authentication acknowledgement consisting of the authentication inquiry of the pre-shared key of the terminal device and the message authentication code calculated by the coordinator on the authentication inquiry of the pre-shared key of the terminal device to the terminal device; and
  
  d. verifying, by the terminal device upon reception of the authentication acknowledgement, the authentication inquiry of the pre-shared key of the terminal device for consistency and the message authentication code of the coordinator for validity, wherein if verification fails, the authentication fails;
  
  otherwise, the authentication is successful.
- View Dependent Claims (5, 6)
- - 5. The method according to claim 4, further comprising:
    - performing, by the terminal device upon successful connection to the coordinator, unicast key negotiation with the coordinator.
  - 6. The method according to claim 5, wherein:
    - when the unicast key is required to be created or updated, the coordinator determines whether the unicast key negotiation is a unicast key negotiation for a first time upon successful authentication with the terminal device, and if so, a process of the unicast key negotiation is the same as the authentication process;
      
      otherwise, the process of the unicast key negotiation is the same as the unicast key negotiation process based upon the ID-based authentication and key management suite.

9. An authentication access system applicable to a wireless multi-hop network, comprising a terminal device, a coordinator and a trusted center, wherein:
- the terminal device and the coordinator are provided with an uncontrolled port and a controlled port, wherein the uncontrolled port pass an authentication protocol data packet and management information and the controlled port pass an application data packet;
  
  the coordinator is adapted to broadcast a beacon frame comprising authentication and key management suites supported by the coordinator, to perform an authentication process with the terminal device and the trusted center according to an authentication and key management suite selected by the terminal device upon reception of a connection request command of the terminal device, wherein the connection request command comprises the authentication and key management suite selected by the terminal device, and to open the controlled port to allow an access of the terminal device to the wireless multi-hop network while to transmit a connection response command to the terminal device upon successful authentication; and
  
  the terminal device is adapted to select the authentication and key management suite and then transmit the connection request command to the coordinator upon reception of the beacon frame of the coordinator, wherein the connection request command comprises the authentication and key management suite selected by the terminal device and to open the controlled port to thereby access the wireless multi-hop network upon reception of the connection response command of the coordinator; and
  
  the trusted center is adapted to facilitate the authentication process of the coordinator and the terminal device;
  
  wherein the authentication and key management suites comprise an authentication and key management suite based upon a pre-shared key and an ID-based authentication and key management suit, andwherein the authentication process comprises;
  
  A. when the coordinator knows from the connection request command transmitted from the terminal device that the authentication and key management suite selected by the terminal device is an ID-based authentication and key management suite, generating an authentication inquiry of the coordinator, and transmitting an authentication activation consisting of the authentication inquiry of the coordinator and a public key of the coordinator to the terminal device;
  
  B. when validity verification of the public key of the coordinator is passed, generating, by the terminal device upon reception of the authentication activation, an authentication inquiry of the terminal device, an identifier of a public key revocation query and a temporary public key of the terminal device, and transmitting an authentication request consisting of the authentication inquiry of the terminal device, the authentication inquiry of the coordinator, a public key of the terminal device, the identifier of the public key revocation query, the temporary public key of the terminal device and a signature of the terminal device on the above five items of information to the coordinator;
  
  C. verifying, by the coordinator upon reception of the authentication request, the signature of the authentication request for legality, the authentication inquiry of the coordinator for consistency and the temporary public key of the terminal device for validity;
  
  when verification is passed, determining according to the identifier of the public key revocation query whether to perform the public key revocation query;
  
  if the public key revocation query is not to be performed, generating a temporary public key of the coordinator and an access result, then transmitting, by the coordinator, an authentication response consisting of the identifier of the public key revocation query, the authentication inquiry of the terminal device, the temporary public key of the coordinator, the access result and a signature of the coordinator on the above four items of information to the terminal device, and then performing step G;
  
  or if the public key revocation query is to be performed, transmitting a public key revocation query request;
  
  D. verifying, by a trusted center upon reception of the public key revocation query request, the information of the public key revocation query request, and then transmitting a public key revocation query response to the coordinator;
  
  E. verifying, by the coordinator upon reception of the public key revocation query response, the information of the public key revocation query response, and then transmitting the authentication response to the terminal device; and
  
  also generating a base key between the terminal device and the coordinator according to the temporary public key of the terminal device and a temporary private key of the coordinator;
  
  F. verifying, by the terminal device upon reception of the authentication response, the information of the authentication response, wherein if verification fails, the authentication fails;
  
  otherwise, the terminal device generates the base key between the terminal device and the coordinator according to the temporary public key of the terminal device and the temporary private key of the coordinator and the authentication is successful; and
  
  G. verifying, by the terminal device upon reception of the authentication response transmitted in the step C from the coordinator, the signature of the authentication response for validity, the authentication inquiry of the terminal device for consistency and the access result, wherein if verification fails, the authentication fails;
  
  otherwise, the terminal device generates the base key between the terminal device and the coordinator according to the temporary public key of the terminal device and the temporary private key of the coordinator and the authentication is successful;
  
  ora. when the coordinator knows from the connection request command transmitted from the terminal device that the authentication and key management suite selected by the terminal device is an authentication and key management suite based upon a pre-shared key, expanding, by the coordinator, a locally stored pre-shared key between the coordinator and the terminal device into a corresponding base key, generating an authentication inquiry of a pre-shared key of the coordinator, and then transmitting an authentication request consisting of the authentication inquiry of the pre-shared key of the coordinator to the terminal device;
  
  b. firstly expanding, by the terminal device upon reception of the authentication request, the locally stored pre-shared key between the coordinator and the terminal device into the corresponding base key, generating an authentication inquiry of a pre-shared key of the terminal device, generating a unicast key between the terminal device and the coordinator according to the base key, the authentication inquiry of the pre-shared key of the coordinator and the authentication inquiry of the pre-shared key of the terminal device, and then transmitting to the coordinator an authentication response consisting of the authentication inquiry of the pre-shared key of the coordinator, the authentication inquiry of the pre-shared key of the terminal device and a message authentication code, wherein the message authentication code is calculated from the authentication inquiry of the pre-shared key of the coordinator and the authentication inquiry of the pre-shared key of the terminal device;
  
  c. calculating, by the coordinator upon reception of the authentication response, the unicast key from the base key and the authentication inquiry of the pre-shared key of the coordinator generated in the step a and the authentication inquiry of the pre-shared key of the terminal device, then verifying the authentication inquiry of the pre-shared key of the coordinator for consistency and the message authentication code of the terminal device for validity, wherein if verification fails, the authentication fails;
  
  otherwise, the coordinator transmits an authentication acknowledgement consisting of the authentication inquiry of the pre-shared key of the terminal device and the message authentication code calculated by the coordinator on the authentication inquiry of the pre-shared key of the terminal device to the terminal device; and
  
  d. verifying, by the terminal device upon reception of the authentication acknowledgement, the authentication inquiry of the pre-shared key of the terminal device for consistency and the message authentication code of the coordinator for validity, wherein if verification fails, the authentication fails;
  
  otherwise, the authentication is successful.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
China Iwncomm Co., Ltd
Original Assignee
China Iwncomm Co., Ltd
Inventors
Xiao, Yuelei, Cao, Jun, Lai, Xiaolong, Huang, Zhenhai
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Debnath, Suman

Application Number

US12/810,374
Publication Number

US 20100293370A1
Time in Patent Office

1,880 Days
Field of Search

713/155, 726/5, 709/239
US Class Current

713/155
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 9/0844   with user authentication or...

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

H04W 12/0433   Key management protocols

H04W 12/069   using certificates or pre-s...

H04W 88/02   Terminal devices

Authentication access method and authentication access system for wireless multi-hop network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication access method and authentication access system for wireless multi-hop network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links