CN106921965B - Method for realizing EAP authentication in WLAN network - Google Patents
- Publication number: CN106921965B (application number CN201710043557.7A)
- Authority: CN (China)
- Prior art keywords
- authentication
- dedicated
- eap
- message
- server
- Prior art date
- Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/06—Authentication
- H04W12/08—Access security
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a method for implementing EAP authentication in a WLAN network. The WLAN network includes a mobile phone terminal bound to a SIM card or USIM card, a wireless AP, a dedicated AAA server and a dedicated authentication server; the mobile phone terminal communicates with the wireless AP, the wireless AP with the dedicated AAA server, and the dedicated AAA server with the dedicated authentication server. For each dedicated AAA user, the dedicated authentication server stores the IMSI, the encryption algorithm, the algorithm identifier and the key information. The multi-group EAP-SIM/AKA authentication combination of the invention, based on the mobile phone subscriber identity card (SIM/USIM card), is a WIFI authentication for mobile phone terminals that uses EAP-SIM/AKA as the authentication method. Without affecting the authentication key and algorithm required by the standard authentication command of the SIM/USIM card, it uses other keys and algorithms stored in the SIM/USIM card and completes WIFI authentication and login automatically, so it is simple to operate and the user can use WIFI without being aware of the authentication. In addition, it avoids the conventional path to the mobile operator's HLR or HSS, which makes EAP-SIM/AKA easier to deploy widely.
Description
Technical field
The invention relates to the technical field of network communication, and in particular to a method for implementing EAP authentication in a WLAN network.
Background
EAP (Extensible Authentication Protocol) is a framework for a family of authentication methods that satisfies the authentication needs of any link layer and supports multiple link-layer authentication methods. EAP is the core of the IEEE 802.1X authentication mechanism; it delegates the implementation details to the subordinate EAP method protocols, and which EAP method is selected is determined by the characteristics of the authentication system. This gives EAP its extensibility and flexibility: EAP can provide different methods to support link authentication for PPP, Ethernet and wireless LANs respectively.
EAP-SIM/AKA (meaning EAP-SIM and EAP-AKA) is a mechanism that uses the SIM/USIM card for EAP authentication and key distribution (a SIM card uses the EAP-SIM mechanism and a USIM card uses the EAP-AKA mechanism). It is built on the authentication of the Universal Mobile Telecommunication System (UMTS). On top of UMTS authentication, EAP-SIM/AKA provides mutual authentication: only after the server and the client have authenticated each other does the server send the EAP-Success message to the client, and only then can the client access the network. The EAP-SIM/AKA mechanism also supports generating stronger session keys through repeated authentication.
RADIUS (Remote Authentication Dial In User Service) is the most widely used AAA protocol (AAA stands for Authentication, Authorization and Accounting; it is a security management mechanism for access control in network security that provides the three security services of authentication, authorization and accounting).
Because the RADIUS protocol is simple, clear and highly extensible, it has been widely adopted, including for dial-up Internet access, ADSL access, residential broadband, IP telephony and prepaid mobile services. The IEEE 802.1X standard is a port-based standard for access authentication in wireless networks, and its authentication also supports the RADIUS protocol.
EAP-SIM/AKA authentication works as follows: the client (a mobile phone or a device with a SIM card interface) contacts an 802.1X-capable wireless access point (AP) over a secure channel, is connected through the WLAN AP to a RADIUS server that supports the EAP-SIM/AKA authentication protocol, and that server connects over a dedicated channel to the HLR (Home Location Register) or HSS (Home Subscriber Server) holding the subscriber information, after which a sequence of mutual authentication steps is completed. At present the key KI used for SIM/USIM authentication is stored only in the mobile operator's HLR or HSS. Because the HLR or HSS holds the core data of mobile subscribers, operators do not yet open it to third parties, which hinders the adoption of EAP-SIM/AKA. On the other hand, using the HLR or HSS directly as the authentication server places high demands on switching network bandwidth and sharply increases HLR or HSS message traffic, adding to the load on the HLR or HSS; when the network is unstable or during busy hours this may affect normal calls or even cause outages.
Summary of the invention
In view of the above problems, the invention provides a method for implementing EAP authentication in a WLAN network that overcomes, or at least partly solves, these problems. The method uses the EAP-SIM/AKA authentication mechanism so that, in addition to the standard SIM/USIM key and authentication algorithm, the SIM/USIM card also supports other keys and authentication algorithms, and at the same time points the authentication system at a new dedicated authentication server, avoiding the conventional path to the mobile operator's HLR or HSS and making EAP-SIM/AKA easier to deploy widely.
The technical solution adopted by the invention to solve its technical problem is as follows:
A method for implementing EAP authentication in a WLAN network, where the WLAN network includes a mobile phone terminal bound to a SIM card or USIM card, a wireless AP, a dedicated AAA server and a dedicated authentication server; the mobile phone terminal and the wireless AP communicate with EAP messages, the wireless AP and the dedicated AAA server communicate with RADIUS messages, and the dedicated AAA server and the dedicated authentication server communicate with MAP messages. The method includes:
The mobile phone terminal initiates an EAP authentication request message; the wireless AP performs access authentication for the mobile phone terminal and sends the EAP authentication request message to the dedicated AAA server; the dedicated AAA server sends an authentication vector request message to the dedicated authentication server, the request carrying the mobile subscriber identity IMSI;
The dedicated authentication server receives the authentication vector request message and checks whether the IMSI is stored locally; if it is, it generates the challenge random number RAND with the dedicated random number generation module, then generates the remaining authentication vector elements with the first dedicated authentication module, and sends the authentication vector to the dedicated AAA server;
The dedicated AAA server sends an authentication challenge request message carrying the random number RAND to the mobile phone terminal through the wireless AP; the mobile phone terminal determines from the RAND in the authentication challenge message whether the RAND is a dedicated random number and, if so, generates a key with the second dedicated authentication module, verifies the authentication challenge request message, and returns an authentication challenge response message to the dedicated AAA server through the AP.
The random number RAND is 16 bytes long and consists of the following fields: a 2-byte dedicated random number identifier, a 1-byte algorithm identifier, 12 bytes of random digits and a 1-byte checksum.
If both the algorithm identifier and the checksum match their expected values, the RAND is judged to be a dedicated random number.
If the RAND is not a dedicated random number, the authentication challenge message was not sent by the dedicated AAA server, and the mobile phone terminal hands the message to the GSM algorithm authentication module or the UMTS algorithm authentication module for processing.
The WLAN network further includes an HLR or HSS; if the dedicated authentication server determines that the IMSI is not stored locally, it forwards the authentication vector request message to the HLR or HSS.
The first dedicated authentication module and the second dedicated authentication module contain the same authentication algorithm, and the algorithm identifier stored in the SIM card or USIM card matches the algorithm identifier stored in the dedicated authentication server.
The first dedicated authentication module and the second dedicated authentication module include one or more of the A3A8, AES, DES, TDES, RSA and MD5 algorithms.
The dedicated AAA server is a RADIUS server.
If the EAP authentication request message is initiated by a mobile phone terminal bound to a SIM card, the authentication vector is an authentication triplet consisting of the challenge random number RAND, the signed response SRES and the key Kc; the remaining authentication vector elements are the signed response SRES and the key Kc; and the second dedicated authentication module generates a key and verifies the message authentication code MAC in the authentication challenge request message.
If the EAP authentication request message is initiated by a mobile phone terminal bound to a USIM card, the authentication vector is an authentication quintet consisting of the challenge random number RAND, the expected response XRES, the integrity key IK, the key CK and the authentication token AUTH; the remaining authentication vector elements are the expected response XRES, the integrity key IK, the key CK and the authentication token AUTH; and the second dedicated authentication module generates a key and verifies the message authentication code MAC and the authentication token AUTH in the authentication challenge request message.
The method for implementing EAP authentication in a WLAN network described in the invention provides a multi-group EAP-SIM/AKA authentication combination based on the mobile phone subscriber identity card (SIM/USIM card). It is a WIFI authentication for mobile phone terminals that uses EAP-SIM/AKA as the authentication method; without affecting the authentication key and algorithm required by the standard authentication command of the SIM/USIM card, it uses other keys and algorithms stored in the SIM/USIM card and completes WIFI authentication and login automatically, so it is simple to operate and the user can use WIFI without being aware of the authentication. In addition, the method avoids the conventional path to the mobile operator's HLR or HSS and makes EAP-SIM/AKA easier to deploy widely.
The above description is only an overview of the technical solution of the invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the description, and so that the above and other objects, features and advantages of the invention become more apparent and easier to understand, specific embodiments of the invention are set out below.
The above and other objects, advantages and features of the invention will become clearer to those skilled in the art from the following detailed description of specific embodiments of the invention taken together with the accompanying drawings.
Description of drawings
Figure 1 is a brief flow chart of how the dedicated authentication server of the invention determines whether a user is a dedicated AAA user;
Figure 2 is a brief flow chart of how the SIM/USIM card of the invention determines whether the random number in a challenge message is a dedicated random number;
Figure 3 is the EAP-SIM authentication flow chart of the invention;
Figure 4 is the EAP-AKA authentication flow chart of the invention.
Detailed description
To make the objects, technical solutions and advantages of the invention clearer, embodiments of the invention are described in further detail below with reference to the accompanying drawings.
A method for implementing EAP authentication in a WLAN network, where the WLAN network includes a mobile phone terminal bound to a SIM card or USIM card, a wireless AP, a dedicated AAA server and a dedicated authentication server; the mobile phone terminal and the wireless AP communicate with EAP messages (message definitions in RFC 4186 and RFC 4187), the wireless AP and the dedicated AAA server communicate with RADIUS messages (message definitions in RFC 2865 and RFC 3579), and the dedicated AAA server and the dedicated authentication server communicate with MAP messages (message definitions in TS 23.002 and TS 29.002). The method includes: the mobile phone terminal initiates an EAP authentication request message; the wireless AP performs access authentication for the mobile phone terminal and sends the EAP authentication request message to the dedicated AAA server; the dedicated AAA server sends an authentication vector request message to the dedicated authentication server, the request carrying the mobile subscriber identity IMSI;
The dedicated authentication server receives the authentication vector request message and checks whether the IMSI is stored locally; if it is, it generates the challenge random number RAND with the dedicated random number generation module, then generates the remaining authentication vector elements with the first dedicated authentication module, and sends the authentication vector to the dedicated AAA server;
The dedicated AAA server sends an authentication challenge request message carrying the random number RAND to the mobile phone terminal through the wireless AP; the mobile phone terminal determines from the RAND in the authentication challenge message whether the RAND is a dedicated random number and, if so, generates a key with the second dedicated authentication module, verifies the authentication challenge request message, and returns an authentication challenge response message to the dedicated AAA server through the AP.
Figure 1 is a brief flow chart of how the dedicated authentication server determines whether a user is a dedicated AAA user: the dedicated authentication server selects the target authentication module by checking whether the mobile subscriber identity (IMSI) is stored locally. If the IMSI is stored locally, the user is a dedicated AAA user; the dedicated random number generation module generates the challenge random number, the first dedicated authentication module generates the authentication triplet/quintet and the authentication result, and the dedicated random number, the authentication triplet/quintet and the authentication result are returned together to the dedicated AAA server (the RADIUS server). If the user is not a dedicated AAA user, an ordinary random number is generated through the mobile operator's HLR/HSS, the authentication result is generated by the UMTS/GSM authentication module, and the ordinary random number and the authentication result are returned together to the mobile operator's RADIUS server.
Figure 2 is a brief flow chart of how the SIM/USIM card determines whether the random number in a challenge message is a dedicated random number. When the SIM/USIM card receives the challenge random number RAND, it examines the characteristic values of the special fields of RAND, laid out within the structure of the random number required by the card's authentication command, and selects the target authentication module and the corresponding authentication algorithm accordingly, so that the SIM/USIM card can support multiple EAP-SIM/AKA authentication combinations.
Specifically, according to the protocol standard the random number of the authentication command has a fixed length of 16 bytes. Table 1 shows the structure of the challenge random number that the method of the invention defines within that standard: the RAND is 16 bytes long and consists of the following fields: a 2-byte dedicated random number identifier, a 1-byte algorithm identifier, 12 bytes of random digits and a 1-byte checksum.
Table 1
- Dedicated random number identifier: 2 bytes
- Algorithm identifier: 1 byte
- Random digits: 12 bytes
- Checksum: 1 byte
Specifically, if both the algorithm identifier and the checksum match their expected values, the RAND is judged to be a dedicated random number.
Further, if it is a dedicated random number, the second dedicated authentication module generates a key, verifies the authentication challenge request message, and returns the authentication result to the dedicated AAA server through the AP; if it is not a dedicated random number, the message is handed to the GSM algorithm authentication module or the UMTS algorithm authentication module for processing.
Further, the authentication algorithm of the first and second dedicated authentication modules may be one or more of the general symmetric encryption algorithms such as AES, DES and TDES, or one or more of the asymmetric algorithms such as RSA and MD5; the first dedicated authentication module and the second dedicated authentication module contain the same authentication algorithm, and the algorithm identifier stored in the SIM card or USIM card matches the algorithm identifier stored in the dedicated authentication server.
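The two decisions just described (Figure 1 on the dedicated authentication server, Figure 2 on the SIM/USIM card), worked as an added example that is not code from the patent or any product: the server builds a Table 1 style RAND only for an IMSI it stores locally and otherwise routes the request to the HLR/HSS, and the card checks the marker fields and hands the challenge either to the dedicated module or to the standard GSM/UMTS module. Assumptions: the page fixes the field layout but not the values, so the 2-byte identifier, the numbering of the algorithm identifiers, the checksum function (XOR of the preceding 15 bytes) and the subscriber store are all constructed here, and generating SRES/Kc or XRES/IK/CK with the selected algorithm is left out. All function and constant names are the example's own.

```python
from typing import Callable, Dict, Optional, Tuple

RAND_LEN = 16     # the authentication command's RAND is fixed at 16 bytes (page, Table 1)
RANDOM_LEN = 12   # 12 bytes of random digits (page, Table 1)

# Constructed values: the page defines the fields, not their concrete contents.
DEDICATED_TAG = b"\xd5\xa7"   # 2-byte dedicated random number identifier (assumption)
ALGORITHM_IDS: Dict[int, str] = {   # algorithm identifier byte -> algorithm (assumed numbering)
    0x01: "A3A8", 0x02: "AES", 0x03: "DES", 0x04: "TDES", 0x05: "RSA", 0x06: "MD5",
}
# Constructed local store of the dedicated authentication server: IMSI -> algorithm identifier
# (the page stores IMSI, algorithm, algorithm identifier and key per dedicated AAA user).
LOCAL_SUBSCRIBERS: Dict[str, int] = {"460001234567890": 0x02}


def checksum(body: bytes) -> int:
    """Assumed checksum: XOR of the bytes given (the page does not define the function)."""
    value = 0
    for b in body:
        value ^= b
    return value


def build_dedicated_rand(alg_id: int, random_part: bytes) -> bytes:
    """Server side: assemble tag | algorithm id | 12 random bytes | checksum (Table 1 layout)."""
    if alg_id not in ALGORITHM_IDS:
        raise ValueError("unknown algorithm identifier")
    if len(random_part) != RANDOM_LEN:
        raise ValueError("random part must be %d bytes" % RANDOM_LEN)
    body = DEDICATED_TAG + bytes([alg_id]) + random_part
    return body + bytes([checksum(body)])


def handle_auth_vector_request(imsi: str, rng: Callable[[int], bytes]) -> dict:
    """Dedicated authentication server, Figure 1: a locally stored IMSI gets a dedicated RAND,
    any other IMSI is routed to the HLR/HSS. `rng` stands in for the random number module."""
    alg_id = LOCAL_SUBSCRIBERS.get(imsi)
    if alg_id is None:
        return {"route": "forward-to-HLR/HSS", "imsi": imsi}
    return {"route": "local", "imsi": imsi,
            "rand": build_dedicated_rand(alg_id, rng(RANDOM_LEN))}


def classify_rand(rand: bytes, card_alg_ids) -> Tuple[str, Optional[str]]:
    """SIM/USIM side, Figure 2: ('dedicated', algorithm) or ('standard', None).
    All marker fields must agree: the tag, an algorithm identifier the card holds,
    and a checksum matching the preceding 15 bytes; anything else is a standard RAND."""
    if len(rand) != RAND_LEN:
        raise ValueError("RAND must be %d bytes" % RAND_LEN)
    tag, alg_id, chk = rand[:2], rand[2], rand[15]
    if tag != DEDICATED_TAG:
        return ("standard", None)
    if alg_id not in card_alg_ids or alg_id not in ALGORITHM_IDS:
        return ("standard", None)
    if chk != checksum(rand[:15]):
        return ("standard", None)
    return ("dedicated", ALGORITHM_IDS[alg_id])


def route_challenge(rand: bytes, card_alg_ids) -> str:
    """Name the module the card hands the challenge to (dedicated module or GSM/UMTS module)."""
    kind, alg = classify_rand(rand, card_alg_ids)
    if kind == "dedicated":
        return "second dedicated authentication module (%s)" % alg
    return "GSM/UMTS standard authentication module"


if __name__ == "__main__":
    fixed_rng = lambda n: bytes(range(n))   # deterministic stand-in for demonstration only
    vector = handle_auth_vector_request("460001234567890", fixed_rng)
    print(vector["route"], vector["rand"].hex())
    print(route_challenge(vector["rand"], {0x02}))
    print(route_challenge(bytes(16), {0x02}))
```

Two properties follow from the layout and are worth keeping in mind when evaluating the scheme: the marker fields are routing hints, not secrets (a standard RAND passes the tag and checksum test by chance with probability of at most about 2^-24, and the security of the exchange rests on the dedicated key, not on the markers), and only 12 of the 16 bytes are random, so the challenge carries 96 bits of entropy rather than 128.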
Specifically, Figure 3 is the EAP-SIM authentication flow chart of the invention; the detailed message exchange is as follows:
1) After the mobile phone terminal has associated with the wireless AP, it sends EAPoL-Start to the wireless AP to initiate the authentication request.
2) The wireless AP sends an EAP-Request/Identity message to the mobile phone terminal.
3) The mobile phone terminal replies with an EAP-Response/Identity message carrying its user identity; the identity may be a pseudo-random NAI or a permanent NAI.
4) The wireless AP encapsulates the EAP packet in a RADIUS Access-Request message, places the Identity in the RADIUS User-Name attribute, and sends it to the dedicated AAA server.
5) The dedicated AAA server receives the EAP-Response/Identity packet containing the user identity.
6) The dedicated AAA server recognizes that the authentication method the user intends to use is EAP-SIM. If the Identity sent by the mobile phone terminal is a pseudo-random NAI and the dedicated AAA server finds no local mapping between that pseudo-random NAI and an IMSI, it requests the permanent NAI again with an EAP-Request/SIM/Start message (steps 6 to 9 are only used when the mobile phone terminal has roamed to a new visited network and attempts access authentication with a pseudo-random NAI allocated by another AAA server). The EAP packet is encapsulated in a RADIUS Access-Challenge message and sent to the wireless AP.
7) The wireless AP forwards the EAP-Request/SIM/Start message to the mobile phone terminal.
8) The mobile phone terminal responds with an EAP-Response/SIM/Start message carrying the permanent NAI.
9) The wireless AP forwards the EAP-Response/SIM/Start message carrying the permanent NAI to the dedicated AAA server; the EAP packet is encapsulated in a RADIUS Access-Request message.
10) The dedicated AAA server checks whether usable authentication vectors are cached locally; if not, it sends a MAP_SEND_AUTH_INFO request to the dedicated authentication server asking for n sets of authentication vectors (n is configurable, in the range 1 to 5).
11) The dedicated authentication server answers the dedicated AAA server's authentication request and returns n authentication triplets.
12) The dedicated AAA server checks whether the user's subscription information exists locally. If not, it sends a MAP_UPDATE_GPRS_LOC or MAP-RESTORE-DATA request (selected by a configuration switch) to the dedicated authentication server to obtain the user's subscription information.
13) The dedicated authentication server sends a MAP_INSERT_SUBS_DATA (insert subscriber data) request to the dedicated AAA server, inserting the data into the dedicated AAA server.
14) The dedicated AAA server acknowledges the dedicated authentication server's insert subscriber data message, completing the retrieval of the subscription information.
15) The dedicated authentication server replies to the dedicated AAA server with the MAP_UPDATE_GPRS_LOC or MAP-RESTORE-DATA response message (selected by a configuration switch), completing the exchange with the dedicated authentication server.
16) After the dedicated AAA server has checked that the user's subscription is valid, it generates the TEKs, MSK and EMSK from the authentication triplets returned by the dedicated authentication server (see IETF RFC 4186) and concatenates m RANDs (m = 2 by default, configurable, in line with the device specification) into one N*RAND. To support identity privacy, the dedicated AAA server also generates a pseudo-random NAI and a fast re-authentication NAI for the subsequent full authentication and fast re-authentication procedures.
17) The dedicated AAA server sends the RAND, a message authentication code (MAC) and two user identities (the pseudo-random NAI and the fast re-authentication NAI) to the wireless AP in an EAP-Request/SIM/Challenge message; the EAP packet is encapsulated in a RADIUS Access-Challenge message.
18) The wireless AP forwards the EAP-Request/SIM/Challenge message to the mobile phone terminal.
19) The mobile phone terminal splits the value into m RANDs of 128 bits each and, using the encryption algorithm of the second dedicated authentication module selected by the algorithm identifier (one of A3A8, AES, DES, TDES, RSA and MD5), derives K_sres, K_int, K_ency and Session_Key. With K_int it computes AT_MAC and compares it with the received AT_MAC; if they match, the dedicated AAA server has been authenticated. It then uses K_sres as the key to generate MAC_SRES with the prescribed algorithm.
20) The mobile phone terminal computes a new message authentication code (MAC) value over the entire EAP message with the new key material, and sends an EAP-Response/SIM/Challenge message containing the RES and the new message authentication code to the wireless AP.
21) The wireless AP sends the EAP-Response/SIM/Challenge packet to the dedicated AAA server; the EAP packet is encapsulated in a RADIUS Access-Request message.
22) The dedicated AAA server uses its own locally generated K_sres as the key to generate MAC_SRES and compares it with the received MAC_SRES; if they match, the client has been authenticated.
23) If all checks succeed and the dedicated AAA server previously sent the protected-result indication, the dedicated AAA server must send an EAP-Request/SIM/Notification message before sending the EAP-Success message. The EAP packet is encapsulated in a RADIUS Access-Challenge message and protected with a MAC.
24) The wireless AP forwards the EAP message to the mobile phone terminal.
25) The mobile phone terminal sends EAP-Response/SIM/Notification.
26) The wireless AP forwards the EAP-Response/SIM/Notification message to the dedicated AAA server; the EAP packet is encapsulated in a RADIUS Access-Request message.
27) The dedicated AAA server sends an EAP-Success message to the wireless AP (possibly preceded by the EAP Notification, see step 23). If the dedicated AAA server has generated additional authentication keys for confidentiality and/or integrity protection of the link between the WLAN AN and the mobile phone terminal, it includes this key material in the RADIUS Access-Accept message.
28)无线AP通过EAP Success消息通知手机终端鉴权成功。至此,EAP-SIM交互已经成功完成,手机终端和无线AP共享交互过程中生成的密钥素材。28) The wireless AP notifies the mobile terminal that the authentication is successful through the EAP Success message. So far, the EAP-SIM interaction has been successfully completed, and the mobile terminal and the wireless AP share the key material generated during the interaction.
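A runnable model of steps 16 to 22 of the EAP-SIM exchange above, added here as an example and not code from the patent: the card's second dedicated authentication module is replaced by an HMAC KDF, the `|`-delimited message framing and the Ki value are constructed stand-ins. It shows m RANDs concatenated into N*RAND and parsed back out at 128 bits each, AT_MAC checked at the terminal before MAC_SRES is computed, and MAC_SRES recomputed at the server.

```python
import hashlib
import hmac

RAND_LEN = 16  # every RAND is 128 bits (step 19)
MAC_LEN = 16   # AT_MAC and MAC_SRES are truncated to 128 bits in this model

def concat_rands(rands):
    """Step 16: the AAA server strings the m RANDs together into one N*RAND."""
    if not rands or any(len(r) != RAND_LEN for r in rands):
        raise ValueError("every RAND must be 128 bits")
    return b"".join(rands)

def split_rands(n_rand):
    """Step 19: parse the m RANDs out of N*RAND, 128 bits each. RFC 4186 also has
    the peer reject duplicate RANDs, since a repeated RAND repeats the triplet."""
    if not n_rand or len(n_rand) % RAND_LEN:
        raise ValueError("N*RAND must be a non-empty multiple of 128 bits")
    rands = [n_rand[i:i + RAND_LEN] for i in range(0, len(n_rand), RAND_LEN)]
    if len(set(rands)) != len(rands):
        raise ValueError("duplicate RAND in challenge")
    return rands

def derive_keys(ki, n_rand):
    """Constructed stand-in for the card's second dedicated authentication module: an
    HMAC-SHA256 KDF over Ki and N*RAND, not A3A8/AES/DES/TDES/RSA/MD5 as on the page."""
    prk = hmac.new(ki, n_rand, hashlib.sha256).digest()
    return {name: hmac.new(prk, name.encode(), hashlib.sha256).digest()[:16]
            for name in ("K_sres", "K_int", "K_ency", "Session_Key")}

def at_mac(k_int, eap_body):
    """AT_MAC keyed with K_int over the whole EAP message with its MAC field zeroed."""
    return hmac.new(k_int, eap_body + bytes(MAC_LEN), hashlib.sha1).digest()[:MAC_LEN]

def mac_sres(k_sres, n_rand):
    """MAC_SRES: the terminal's proof that it holds Ki, keyed with K_sres (steps 19, 22)."""
    return hmac.new(k_sres, b"SRES|" + n_rand, hashlib.sha1).digest()[:MAC_LEN]

def server_challenge(ki, rands):
    """Step 17: EAP-Request/SIM-Challenge = body || AT_MAC; keys are kept for step 22."""
    n_rand = concat_rands(rands)
    keys = derive_keys(ki, n_rand)
    body = b"EAP-Request/SIM-Challenge|" + n_rand  # constructed framing, not EAP TLVs
    return body + at_mac(keys["K_int"], body), keys, n_rand

def terminal_response(ki, challenge):
    """Step 19: verify AT_MAC before anything else. None means the server failed
    authentication and the terminal does not answer the challenge."""
    body, received = challenge[:-MAC_LEN], challenge[-MAC_LEN:]
    n_rand = body.split(b"|", 1)[1]
    split_rands(n_rand)  # length and distinctness checks
    keys = derive_keys(ki, n_rand)
    if not hmac.compare_digest(at_mac(keys["K_int"], body), received):
        return None
    return mac_sres(keys["K_sres"], n_rand)

def server_verify(keys, n_rand, received):
    """Step 22: the AAA server recomputes MAC_SRES and compares in constant time."""
    return received is not None and hmac.compare_digest(mac_sres(keys["K_sres"], n_rand), received)

def run_exchange(tamper=False, wrong_ki=False):
    """One exchange with a constructed Ki and m=2 RANDs; True when step 22 passes."""
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed SIM key
    rands = [hashlib.sha256(b"rand%d" % i).digest()[:RAND_LEN] for i in range(2)]
    challenge, keys, n_rand = server_challenge(ki, rands)
    if tamper:  # flip one bit of N*RAND in flight; AT_MAC must then fail at the terminal
        i = len(challenge) - MAC_LEN - 1
        challenge = challenge[:i] + bytes([challenge[i] ^ 1]) + challenge[i + 1:]
    reply = terminal_response(bytes(16) if wrong_ki else ki, challenge)
    return server_verify(keys, n_rand, reply)
```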
Specifically, FIG. 4 is the EAP-AKA authentication flow chart of the present invention; the detailed message exchange is as follows:
1) After the mobile terminal has associated with the wireless AP, it sends EAPoL-Start to the wireless AP to initiate an authentication request.
2) The wireless AP sends an EAP-Request/Identity message to the mobile terminal.
3) The mobile terminal replies with an EAP-Response/Identity message carrying its user identity to the network; the identity may be a pseudo-random NAI or the permanent NAI.
4) The wireless AP encapsulates the EAP packet in a RADIUS Access-Request message, places the Identity in the RADIUS User-Name attribute, and sends it to the dedicated authentication server.
5) The dedicated authentication server receives the EAP-Response/Identity packet containing the user identity.
6) The dedicated authentication server identifies the authentication method the user intends to use as EAP-SIM. If the Identity sent by the mobile terminal is a pseudo-random NAI and the dedicated authentication server finds no local mapping between that pseudo-random NAI and an IMSI, it requests the permanent NAI again with an EAP-Request/SIM-Start message (steps 6 to 9 are used only when the mobile terminal has roamed to a new visited network and attempts access authentication with a pseudo-random NAI assigned by another AAA). The EAP packet is encapsulated in a RADIUS Access-Challenge message and sent to the wireless AP.
7) The wireless AP forwards the EAP-Request/AKA-Identity message to the mobile terminal.
8) The mobile terminal responds with an EAP-Response/AKA-Identity message carrying the permanent NAI.
9) The wireless AP forwards the EAP-Response/AKA-Identity message carrying the permanent NAI to the dedicated AAA server; the EAP packet is encapsulated in a RADIUS Access-Request message.
10) The dedicated AAA server checks whether usable authentication vectors are cached locally; if not, it sends a MAP_SEND_AUTH_INFO request to the dedicated authentication server for n sets of authentication vectors (n is configurable, in the range 1 to 5).
11) The dedicated authentication server responds to the dedicated AAA server's authentication request by issuing n authentication quintuplets.
12) The dedicated AAA server checks whether the user's subscription information exists locally. If not, the AAA server sends a MAP_UPDATE_GPRS_LOC or MAP-RESTORE-DATA request (selectable by a configuration switch) to the dedicated authentication server to obtain the user's subscription information.
13) The dedicated authentication server sends a MAP_INSERT_SUBS_DATA request to the dedicated AAA server to insert the user data into the dedicated AAA server.
14) The AAA server acknowledges the dedicated authentication server's insert-subscriber-data message, completing retrieval of the user's subscription information.
15) The dedicated authentication server replies to the dedicated AAA server with the MAP_UPDATE_GPRS_LOC or MAP-RESTORE-DATA response message (selectable by a configuration switch), completing the exchange with the dedicated authentication server.
16) After the dedicated AAA server has checked the user's subscription and found it valid, it generates the TEKs, MSK and EMSK from the authentication triplets returned by the dedicated authentication server (see IETF RFC 4187). To support the identity confidentiality function, the dedicated AAA server also generates a pseudo-random NAI and a fast re-authentication NAI for the subsequent full authentication and fast re-authentication procedures.
17) The dedicated AAA server sends the RAND, AUTN, a message authentication code (MAC) and two user identities (the pseudo-random NAI and the fast re-authentication NAI) to the wireless AP in an EAP-Request/AKA-Challenge message; the EAP packet is encapsulated in a RADIUS Access-Challenge message.
18) The wireless AP forwards the EAP-Request/AKA-Challenge message to the mobile terminal.
19) The mobile terminal runs the encryption algorithm of the second dedicated authentication module designated by the algorithm identifier (one of A3A8, AES, DES, TDES, RSA or MD5). The USIM verifies AUTN and thereby authenticates the network; if AUTN verifies correctly, the USIM computes RES, IK and CK.
The mobile terminal derives new additional key material from the IK and CK newly computed by the USIM, and checks the received MAC with the newly derived key material.
If protected pseudo-random and fast re-authentication identities are received, the mobile terminal stores these temporary identities for subsequent authentication.
20) The mobile terminal uses the new key material to compute a new message authentication code (MAC) value over the entire EAP message, and sends an EAP-Response/AKA-Challenge message containing the RES and the new MAC to the wireless AP.
21) The wireless AP sends the EAP-Response/AKA-Challenge message to the dedicated AAA server; the EAP packet is encapsulated in a RADIUS Access-Request message.
22) The dedicated AAA server checks the received message authentication code (MAC) and compares XRES with the received RES.
23) If all checks succeed and the dedicated AAA server previously sent the authentication result protection indicator, the dedicated AAA server must send an EAP-Request/AKA-Notification message before sending the EAP Success message. The EAP packet is encapsulated in a RADIUS Access-Challenge message and protected by a MAC.
24) The wireless AP forwards the EAP message to the mobile terminal.
25) The mobile terminal sends EAP-Response/AKA-Notification.
26) The wireless AP sends the EAP-Response/AKA-Notification message to the dedicated AAA server; the EAP packet is encapsulated in a RADIUS Access-Request message.
27) The dedicated AAA server sends an EAP Success message to the wireless AP (possibly before sending the EAP-Notification; see step 23). If the dedicated AAA server has generated additional authentication keys for confidentiality and/or integrity protection of the link between the WLAN AN and the mobile terminal, it includes this key material in the RADIUS Access-Accept message.
28) The wireless AP notifies the mobile terminal of successful authentication with the EAP Success message. The EAP-AKA exchange is now complete.
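The AUTN and RES/XRES checks of steps 16 to 22 of the EAP-AKA flow above, as an added example rather than the patent's or any USIM vendor's code: the f1 to f4 functions, the AUTN layout (SQN || MAC-A), the KDF from IK and CK, the `|`-delimited framing and the K value are all constructed assumptions, and RFC 4187's actual PRF is not reproduced. The point it demonstrates is the ordering of checks: the USIM authenticates the network and rejects a stale sequence number before RES is released, and the server checks the MAC before comparing XRES with RES.

```python
import hashlib
import hmac

SQN_LEN, MAC_A_LEN, RES_LEN, MAC_LEN = 6, 8, 8, 16  # constructed field sizes

def f(k, tag, *parts):
    """Constructed stand-in for the USIM's f1..f4 (not MILENAGE or any listed algorithm)."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()

def auth_vector(k, rand, sqn):
    """Server-side vector used in step 16: AUTN = SQN || MAC-A binds SQN and RAND to K."""
    return {"rand": rand, "autn": sqn + f(k, b"f1", sqn, rand)[:MAC_A_LEN],
            "xres": f(k, b"f2", rand)[:RES_LEN],
            "ck": f(k, b"f3", rand)[:16], "ik": f(k, b"f4", rand)[:16]}

def usim_run(k, rand, autn, last_sqn):
    """Step 19 on the card: verify AUTN (network authenticity and freshness) before
    releasing RES, CK, IK. None means the network failed authentication."""
    sqn, mac_a = autn[:SQN_LEN], autn[SQN_LEN:]
    if not (hmac.compare_digest(f(k, b"f1", sqn, rand)[:MAC_A_LEN], mac_a) and sqn > last_sqn):
        return None  # MAC-A wrong (not the home network, or RAND/AUTN altered) or replayed SQN
    return f(k, b"f2", rand)[:RES_LEN], f(k, b"f3", rand)[:16], f(k, b"f4", rand)[:16]

def k_aut(ik, ck):
    """Step 19: additional key material from IK and CK. Simplified HMAC KDF; RFC 4187's
    FIPS 186-2 PRF over SHA1(Identity|IK|CK) is not reproduced."""
    return hmac.new(ik + ck, b"K_aut", hashlib.sha256).digest()[:16]

def mac(key, body):
    """MAC over the whole EAP message with its MAC field zeroed (HMAC-SHA1-128)."""
    return hmac.new(key, body + bytes(MAC_LEN), hashlib.sha1).digest()[:MAC_LEN]

def server_challenge(k, rand, sqn):
    """Step 17: EAP-Request/AKA-Challenge carrying RAND, AUTN and a MAC."""
    vec = auth_vector(k, rand, sqn)
    kaut = k_aut(vec["ik"], vec["ck"])
    body = b"EAP-Request/AKA-Challenge|" + vec["rand"] + vec["autn"]  # constructed framing
    return body + mac(kaut, body), vec, kaut

def terminal_response(k, challenge, last_sqn):
    """Steps 19-20: AUTN check on the USIM, then the server MAC, then RES in a MAC'd reply."""
    body, received = challenge[:-MAC_LEN], challenge[-MAC_LEN:]
    payload = body.split(b"|", 1)[1]
    out = usim_run(k, payload[:16], payload[16:], last_sqn)
    if out is None:
        return None
    res, ck, ik = out
    kaut = k_aut(ik, ck)
    if not hmac.compare_digest(mac(kaut, body), received):
        return None  # server MAC wrong: do not release RES
    reply = b"EAP-Response/AKA-Challenge|" + res
    return reply + mac(kaut, reply)

def server_verify(vec, kaut, response):
    """Step 22: check the response MAC, then compare XRES with the received RES."""
    if response is None:
        return False
    body, received = response[:-MAC_LEN], response[-MAC_LEN:]
    if not hmac.compare_digest(mac(kaut, body), received):
        return False
    return hmac.compare_digest(vec["xres"], body.split(b"|", 1)[1])

def run_exchange(sqn=b"\x00\x00\x00\x00\x00\x07", last_sqn=bytes(6), wrong_k=False):
    """One exchange with a constructed K; True when step 22 passes."""
    k = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed USIM key
    rand = hashlib.sha256(b"rand" + sqn).digest()[:16]
    challenge, vec, kaut = server_challenge(k, rand, sqn)
    reply = terminal_response(bytes(16) if wrong_k else k, challenge, last_sqn)
    return server_verify(vec, kaut, reply)
```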
In a specific embodiment, the complete implementation steps are as follows:
1. Build a dedicated RADIUS server and a dedicated authentication server that support the EAP-SIM/AKA authentication protocol;
2. Produce a SIM/USIM card that supports the present invention, writing to it the key and the algorithm identifier used for the dedicated EAP-SIM/AKA authentication;
3. Insert the SIM/USIM card into a mobile phone client that supports EAP-SIM/AKA authentication, and set the phone's WIFI authentication mode to EAP-SIM/AKA;
4. Configure any one or more wireless routers (APs) that support the wireless 802.1X protocol to use RADIUS authentication, pointing them at the RADIUS server built in advance;
5. Import the dedicated EAP-SIM/AKA authentication key and algorithm identifier of the target SIM/USIM card into the dedicated authentication server;
6. As soon as the target phone enters the signal coverage of a wireless router (AP), WIFI authentication completes automatically and the phone logs on to the network; the user uses the WIFI network without any interaction, and the wireless AP is not restricted by region.
The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the content of the description, and so that the above and other objects, features and advantages of the present invention can be more readily understood, specific embodiments of the present invention are listed below.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710043557.7A CN106921965B (en) | 2017-01-19 | 2017-01-19 | Method for realizing EAP authentication in W L AN network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106921965A (en) | 2017-07-04 |
| CN106921965B (en) | 2020-07-21 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | TR01 | Transfer of patent right | Effective date of registration: 20250716. Patentee after: Anzhong Network (Hong Kong) Ltd., Room 3809-10, Hong Kong Business Centre, 188 Connaught Road West, Hong Kong, China. Patentee before: XIAMEN ELITE ELECTRIC Co.,Ltd., Room 201, No. 48 Guanri Road, Software Park Phase II, Siming District, Xiamen City, Fujian Province 361000, China. |