At present, wireless network security mainly relies on the security mechanism in the wireless local area network standard (IEEE 802.11) established by the Institute of Electrical and Electronics Engineers (IEEE). This mechanism adopts Wired Equivalent Privacy (WEP), which has been widely shown not to provide security equivalent to that of a wired network, and which introduces a serious hidden security risk into the wireless local area network.
In this situation, China put forward the wireless local area network national standard GB15629.11 in May 2003, which introduced a brand new security mechanism, namely the Wireless Local Area Network Authentication and Privacy Infrastructure (WAPI), to enhance the security of the wireless local area network, and published an improved national standard (GB15629.11-2003/XG1-2006) in 2006.
WAPI consists of the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI), wherein the WAI adopts the elliptic-curve-based public key certificate system. The wireless station (STA) and access point (AP) carry out bidirectional identity authentication (certificate authentication) through the Authentication Server (AS). To protect transmitted data, the WPI uses the symmetric cryptographic algorithm SMS4, provided by the State Commercial Secret code Regulatory Commission Office in China, for encryption and decryption.
The WAPI mechanism mainly involves the following three entities: a wireless station (STA), a wireless access point (AP) and an authentication server. To set up an association with an AP and transmit data securely, the STA must complete two tasks: one is to complete the certificate authentication process, generating a base key in this process; the other is to negotiate keys based on the base key, including unicast key negotiation and multicast key notification. As shown in FIG. 1, the following steps are comprised:
101: the AP sends an authentication activation packet to the STA to start the certificate authentication process;
The authentication activation packet includes fields such as: an AP certificate, ECDH (Elliptic Curve Diffie-Hellman) parameters and so on.
102: after receiving the authentication activation packet, the STA saves the AP certificate which is used to verify the signature of the AP in the subsequent operations, and generates a temporary private key sx and a temporary public key px which are used in the ECDH exchange.
103: the STA generates an access authentication request packet, and sends the access authentication request packet to the AP;
The access authentication request packet includes fields such as the temporary public key px, the STA certificate and so on, and a signature computed over the above fields by the STA.
104: after receiving the access authentication request packet, the AP verifies the signature of the STA (using the public key included in the STA certificate); if the verification is unsuccessful, the access authentication request packet is discarded; otherwise the AP generates a certificate authentication request packet, and sends the certificate authentication request packet to the authentication server;
The certificate authentication request packet includes: the STA certificate and the AP certificate.
105: after receiving the certificate authentication request packet, the authentication server verifies the STA certificate and the AP certificate;
106: the authentication server constructs a certificate authentication response packet, which includes the verification results of the STA certificate and the AP certificate and carries a signature of the authentication server, and sends the certificate authentication response packet to the AP;
107: the AP verifies the signature of the authentication server, and after that verification is successful, further checks the authentication server's verification result for the STA certificate; if that result is also successful, the following operations are carried out:
107a: a temporary private key sy and a temporary public key py used for ECDH exchange are generated;
107b: ECDH calculation is carried out using the temporary public key px sent by the STA and the temporary private key sy generated locally to generate a base key (BK).
108: the AP sends an access authentication response packet to the STA;
The access authentication response packet includes: the temporary public key py, the certificate verification result, the signature of the authentication server, and a signature computed over the above fields by the AP.
109: after receiving the access authentication response packet, the STA verifies the signature of the AP, the signature of the authentication server, and the certificate verification result; if the signatures of both the AP and the authentication server are correct, and the authentication server has verified the AP certificate successfully, the STA carries out the ECDH calculation using the temporary public key py and the temporary private key sx to generate the BK.
It should be noted that, according to the principle of ECDH, the BKs generated by the STA and the AP are the same.
Through the above processes, the STA and AP complete the bidirectional identity authentication (namely the certificate authentication), and set up the Base Key Security Association (BKSA). The BKSA includes parameters such as the BK, a base key identifier (BKID) and so on.
110: the AP sends a unicast key negotiation request packet to the STA;
The unicast key negotiation request packet includes parameters such as the BKID, ADDID, N1 and so on, wherein
BKID is the identifier of the BK obtained from the previous negotiation between the AP and the STA;
ADDID is comprised of the Media Access Control (MAC) addresses of the AP and STA;
N1 is a random number generated by the AP.
111: after receiving the unicast key negotiation request packet, the STA generates a random number N2, and then calculates:
Key=KD-HMAC-SHA256(BK, ADDID∥N1∥N2∥String); wherein
BK is the base key identified by the above BKID; KD-HMAC-SHA256 is the Hashed Message Authentication Code (HMAC) algorithm based on the SHA256 algorithm, namely a keyed hash algorithm; String is a preset character string, which is “pairwise key expansion for unicast and additional keys and nonce” in the current standard; “∥” denotes a string concatenation operation, and “ADDID∥N1∥N2∥String” is the character parameter used by the KD-HMAC-SHA256 algorithm.
After computing the Key, the STA extracts 64 bytes from it as the unicast session key (USK), comprising: a 16-byte unicast encryption key, a 16-byte unicast integrity check key, a 16-byte message authentication key, and a 16-byte key encryption key.
112: the STA sends a unicast key negotiation response packet to the AP;
The unicast key negotiation response packet includes parameters such as the BKID, the random number N2 and so on.
113: after receiving the unicast key negotiation response packet, the AP performs the following calculation:
Key=KD-HMAC-SHA256(BK, ADDID∥N1∥N2∥String), and extracts the USK from it.
114: the AP sends a unicast key negotiation confirmation packet to the STA;
At this point, the AP and STA have completed the unicast session key negotiation flow, and have set up the unicast session key security association (USKSA).
115: the AP sends a multicast key notification packet to the STA;
The multicast key notification packet includes fields such as the ADDID, key data, a message authentication code and so on.
The key data field is the ciphertext generated by the AP by encrypting the notification master key with the key encryption key and the algorithm chosen in the negotiation between the AP and the STA. The notification master key is a 16-byte random number generated by the AP.
The message authentication code is computed by the AP over all the protocol data fields preceding this field, using the message authentication key and the HMAC-SHA256 algorithm.
116: after receiving the multicast key notification packet, the STA verifies the message authentication code, and after the verification passes, the STA decrypts the key data to obtain the notification master key, and expands the notification master key using the KD-HMAC-SHA256 algorithm to obtain the multicast key.
117: the STA sends the multicast key response packet to the AP to complete the multicast key notification process.
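The unicast key derivation of steps 111 and 113 and the message authentication code check of steps 115 and 116 can be sketched as follows. This is an added example, not code from the standard or from the original text. Assumptions: KD-HMAC-SHA256 is taken to be iterated HMAC-SHA256 chaining, ADDID is taken as the AP MAC followed by the STA MAC, the USK is taken as the first 64 bytes of the Key in the order listed in step 111, and the full 32-byte HMAC output is used as the message authentication code; all sample values are constructed.

```python
import hashlib
import hmac

# Label string quoted in the text for the unicast key expansion.
LABEL = b"pairwise key expansion for unicast and additional keys and nonce"

def kd_hmac_sha256(key: bytes, text: bytes, length: int) -> bytes:
    """Assumed expansion: chain HMAC-SHA256, feeding each digest back in as
    the next text, until `length` bytes exist (the text gives no iteration)."""
    out = b""
    while len(out) < length:
        text = hmac.new(key, text, hashlib.sha256).digest()
        out += text
    return out[:length]

def derive_usk(bk: bytes, ap_mac: bytes, sta_mac: bytes, n1: bytes, n2: bytes) -> dict:
    """Key = KD-HMAC-SHA256(BK, ADDID || N1 || N2 || String), split into the
    four 16-byte keys in the order step 111 lists them (order assumed)."""
    addid = ap_mac + sta_mac  # assumed order: AP MAC then STA MAC
    key = kd_hmac_sha256(bk, addid + n1 + n2 + LABEL, 64)
    names = ("encryption", "integrity", "message_auth", "key_encryption")
    return {name: key[i * 16:(i + 1) * 16] for i, name in enumerate(names)}

def notification_mac(mak: bytes, fields: bytes) -> bytes:
    """Step 115: HMAC-SHA256 over all protocol fields before the MAC field."""
    return hmac.new(mak, fields, hashlib.sha256).digest()

def verify_notification(mak: bytes, fields: bytes, mac: bytes) -> bool:
    """Step 116: constant-time check before any key data is decrypted."""
    return hmac.compare_digest(notification_mac(mak, fields), mac)

# Constructed sample values (not real traffic).
BK = bytes(range(16))
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
N1 = hashlib.sha256(b"constructed AP nonce").digest()
N2 = hashlib.sha256(b"constructed STA nonce").digest()

if __name__ == "__main__":
    sta = derive_usk(BK, AP_MAC, STA_MAC, N1, N2)   # step 111, STA side
    ap = derive_usk(BK, AP_MAC, STA_MAC, N1, N2)    # step 113, AP side
    print("USK match:", sta == ap)
    fields = AP_MAC + STA_MAC + b"<constructed key data>"
    tag = notification_mac(ap["message_auth"], fields)
    print("MAC ok:", verify_notification(sta["message_auth"], fields, tag))
    print("tampered:", verify_notification(sta["message_auth"], fields + b"x", tag))
```

Because both nonces and both MAC addresses enter the derivation, a change to any of them on either side yields a different USK, and the multicast key notification then fails the message authentication code check.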
A wireless local area network may contain a plurality of APs. If the STA wants to hand off from the current AP to a destination AP, the STA has to carry out the certificate authentication process and the key negotiation process with the destination AP all over again. These processes take a lot of time, resulting in handoff delay and even interrupting the communication. Therefore, WAPI puts forward the pre-authentication method.
In the WAPI mechanism, if the destination AP supports pre-authentication, the STA can start the pre-authentication process after completing unicast session key negotiation with the currently associated AP and installing the key. The authentication unit of the STA sends a pre-authentication start packet to activate the pre-authentication process. The destination address (DA) of this packet is the Basic Service Set ID (BSSID) of the destination AP, and the source address (RA) is the BSSID of the currently associated AP. The destination AP should use its own BSSID as the Media Access Control (MAC) address of the AP authentication unit. The currently associated AP bridges the pre-authentication packet sent by the STA to the Distribution System (DS). The destination AP, on receiving the pre-authentication packet through the DS, starts the certificate authentication process with the corresponding STA. If the certificate authentication process of the WAI is successful, the result of the pre-authentication is the Base Key Security Association (BKSA). After associating with the destination AP with which pre-authentication has been completed, the STA can use the BKSA to carry out the unicast key negotiation and multicast key notification processes.
It can be seen from the above description that, in the existing WAPI pre-authentication method, the STA and AP carry out identity authentication and key negotiation with each other in advance to reduce the handoff delay.
However, the current pre-authentication method has the following drawbacks: when the STA and the destination AP carry out pre-authentication, the whole certificate authentication process and key negotiation process still have to be carried out, so the pre-authentication process is rather complex; and when the STA needs to carry out pre-authentication with a plurality of APs, more time is spent and more bandwidth resources are occupied, and the handoff delay of the STA is increased indirectly.