The Extensible Authentication Protocol (EAP) defines an authentication and key management architecture. An EAP authentication method performs end-to-end authentication between an EAP client and an EAP server. Along the authentication path, EAP packets may be carried by different protocols between different network entities; for example, between the authenticator and the EAP server an Authentication, Authorization and Accounting (AAA) protocol such as RADIUS or Diameter is used.
EAP authentication is widely applied in network access control. FIG. 1 shows the EAP authentication model. The EAP client, also called a peer or a supplicant (these names are used interchangeably), is a functional entity of the user terminal; it responds to the EAP authentication initiated by an authenticator on the link and carries out the authentication with the EAP server. The authenticator is generally located on a Network Access Server (NAS); it initiates the EAP authentication process on the link so that the EAP client can be authenticated by the EAP server. During the authentication process the authenticator forwards EAP messages and performs the conversion between the underlying protocols: for example, it receives an EAP packet from the EAP client carried by a layer 2/3 protocol, removes the layer 2/3 header, and re-encapsulates the EAP packet in the AAA protocol before sending it to the EAP server. The EAP server, also called the backend authentication server, the AAA server, or (during re-authentication) the re-authentication server, and referred to here as the domain server for short, provides the authentication service to the authenticator, that is, it authenticates the EAP client.
When a node leaves its home domain after completing a full EAP authentication with the home domain server, the home domain server sets up a shared key between the node (the EAP client) and the local (visited) domain server. When the node re-authenticates in the local domain, it can use this key to authenticate with the local domain server. The key used for re-authentication is generated as follows.
The key shared between the local domain server and the EAP client is called the Domain Specific Root Key (DSRK). It is calculated as DSRK=KDF(EMSK, Domain_ID|NULL|Peer_ID|Key_length), where "|" denotes concatenation (for example, if A is the character string "good" and B is "night", A|B is "goodnight"); KDF is a key derivation function, generally built from a one-way hash function (in practice an HMAC-based pseudo-random function); EMSK is the Extended Master Session Key; Domain_ID is the local domain name; Peer_ID is the user identity; and Key_length is the length of the key to be derived. The EMSK is held only by the home EAP server and the EAP client and is never exported, so the local domain server cannot compute the DSRK itself; it must obtain the DSRK, derived from the EMSK by the home EAP server, from the home EAP server. There are two ways the DSRK is obtained: an implicit process and an explicit process. The implicit process is the implicit EAP Re-authentication Protocol (ERP) bootstrapping process, which is embedded in a full authentication: the local domain server requests the key-related information, such as the DSRK, from the home domain server during the full authentication. The explicit process is the explicit ERP bootstrapping process, which is initiated by the EAP client when the client does not know the local domain name; here too the local domain server can take the opportunity to request the key-related information, such as the DSRK, from the home domain server.
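The following is an added worked example, not code from the original page, that carries the DSRK derivation above through both sides of an ERP bootstrap: the home server derives the DSRK from the EMSK it holds after a full EAP exchange and hands it to the local domain server, the EAP client derives the same value from its own copy of the EMSK, and the two can then authenticate each other in the local domain without contacting the home server. The KDF is assumed here to be an iterated HMAC-SHA-256 expansion (PRF+ style), and Key_length is assumed to be encoded as a 2-byte big-endian integer; the EMSK, domain names and peer identity are constructed sample values.

```python
import hashlib
import hmac
import os


def prf_plus(key: bytes, data: bytes, length: int) -> bytes:
    """Iterated HMAC-SHA-256 expansion (assumed KDF):
    T(i) = HMAC(key, T(i-1) | data | i), output = T(1) | T(2) | ... truncated to length."""
    out, prev, i = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + data + bytes([i]), hashlib.sha256).digest()
        out += prev
        i += 1
    return out[:length]


def derive_dsrk(emsk: bytes, domain_id: str, peer_id: str, key_length: int = 64) -> bytes:
    """DSRK = KDF(EMSK, Domain_ID | NULL | Peer_ID | Key_length), as written on this page.
    "|" is byte concatenation; NULL is a single zero byte; Key_length is 2 bytes big-endian (assumption)."""
    data = domain_id.encode() + b"\x00" + peer_id.encode() + key_length.to_bytes(2, "big")
    return prf_plus(emsk, data, key_length)


class HomeServer:
    """Holds the EMSK after a full EAP authentication; the EMSK itself is never exported."""

    def __init__(self):
        self._emsk = {}

    def full_eap_completed(self, peer_id: str, emsk: bytes) -> None:
        self._emsk[peer_id] = emsk

    def bootstrap(self, peer_id: str, domain_id: str) -> bytes:
        """Answer a local domain server's (implicit or explicit) bootstrapping request with the DSRK only."""
        return derive_dsrk(self._emsk[peer_id], domain_id, peer_id)


class LocalServer:
    """Visited-domain server: knows only the DSRK it received from the home server."""

    def __init__(self, domain_id: str, home: HomeServer):
        self.domain_id = domain_id
        self._home = home
        self._dsrk = {}

    def bootstrap(self, peer_id: str) -> None:
        self._dsrk[peer_id] = self._home.bootstrap(peer_id, self.domain_id)

    def verify_reauth(self, peer_id: str, challenge: bytes, tag: bytes) -> bool:
        """Check the client's proof of DSRK possession without contacting the home server."""
        dsrk = self._dsrk.get(peer_id)
        if dsrk is None:
            return False
        expected = hmac.new(dsrk, peer_id.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class EapClient:
    """The peer: holds its own copy of the EMSK and derives the DSRK for whichever domain it is in."""

    def __init__(self, peer_id: str, emsk: bytes):
        self.peer_id = peer_id
        self._emsk = emsk

    def reauth_proof(self, domain_id: str, challenge: bytes) -> bytes:
        dsrk = derive_dsrk(self._emsk, domain_id, self.peer_id)
        return hmac.new(dsrk, self.peer_id.encode() + challenge, hashlib.sha256).digest()


def simulate_handover() -> dict:
    """Full EAP at home, bootstrap of a visited domain, then a local re-authentication."""
    peer_id = "alice@home.example"                                   # constructed sample identity
    emsk = hashlib.sha512(b"constructed sample EMSK, not a real key").digest()  # constructed sample EMSK

    home = HomeServer()
    home.full_eap_completed(peer_id, emsk)
    client = EapClient(peer_id, emsk)

    visited = LocalServer("visited.example", home)
    visited.bootstrap(peer_id)                                       # local server obtains the DSRK
    challenge = os.urandom(16)                                       # local server's fresh challenge
    ok = visited.verify_reauth(peer_id, challenge, client.reauth_proof("visited.example", challenge))

    # A proof built for a different domain must not verify: the DSRK is domain specific.
    wrong = visited.verify_reauth(peer_id, challenge, client.reauth_proof("other.example", challenge))

    return {
        "peer_dsrk": derive_dsrk(emsk, "visited.example", peer_id),
        "local_dsrk": home.bootstrap(peer_id, "visited.example"),
        "other_domain_dsrk": home.bootstrap(peer_id, "other.example"),
        "reauth_ok": ok,
        "wrong_domain_ok": wrong,
    }


if __name__ == "__main__":
    r = simulate_handover()
    print("local re-auth accepted:", r["reauth_ok"], "wrong-domain proof accepted:", r["wrong_domain_ok"])
```

The design point is visible in `HomeServer.bootstrap`: only the derived DSRK crosses the AAA path to the visited domain, and a visited server holding one domain's DSRK gains nothing usable in any other domain, because Domain_ID is bound into the derivation.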
When the node hands over from one authenticator to a new one while moving, or when its access is re-confirmed (re-authentication), the existing EAP architecture requires the node to perform a complete EAP exchange with the home domain authentication server. A complete EAP authentication generally requires several round trips of EAP messages, and the path from the current authenticator to the home authentication server is long, with multiple hops. Because the EAP client does not know the name of the local domain it is in, a full authentication must be performed again. Therefore the node spends a long time on each complete authentication after it leaves the home domain. Network access authentication and key management during handover are among the main causes of handover delay, and the delay introduced by the node's re-authentication is one of the biggest problems of mobile networks.