To solve security loopholes existing in the Wired Equivalent Privacy (WEP) security mechanism defined in the international standard ISO/IEC 8802-11 for Wireless Local Area Network (WLAN), China issued a national standard for WLAN and a No. 1 revision thereof, i.e. replacing the WEP with Wireless Local Area Network Authentication and Privacy Infrastructure (WAPI), to solve the security problem of the WLAN.
The WAPI consists of WLAN Authentication Infrastructure (WAI) and WLAN Privacy Infrastructure (WPI). The WAI utilizes public key encrypting technique for the mutual identity authentication between a station (STA, or terminal) and an Access Point (AP), while the WPI utilizes the symmetric cryptographic algorithm for WLAN approved by the State Encryption Management Commission Office to realize data protection, encrypting and decrypting the MAC Protocol Data Unit (MPDU) of the Media Access Control (MAC) sub-layer.
The infrastructure presented in the WAPI specification comprises three function entities: Authentication Supplicant Entity (ASUE), Authenticator Entity (AE) and Authentication Service Entity (ASE), wherein
the ASUE is an entity for requesting authentication before accessing a service;
the AE is an entity for providing the authentication for the ASUE before the ASUE accesses the service; this entity stays in an AP or a terminal; the AP refers to any entity which has station functions and provides an access distribution service to terminals associated with the AE via a wireless network; and
the ASE is an entity for providing an identity authentication service for the ASUE and the AE; this entity stays in an Authentication Service Unit (ASU); the basic functions of the ASU comprise the management of user certificates, the authentication of user identity and the like; the ASU is an important part of the WAI based on public key encrypting technique; a node corresponding to the ASU in the network is a WAPI authentication server.
The user certificate is a public key certificate, which is an important link in the WAI system structure. The public key certificate is the digital identity certification of a network user, which is able to identify the network user uniquely through the private key authentication.
After the terminal which supports the WAPI function completes the WAI authentication, it accesses a wired packet network via a WLAN air interface link, and then the terminal and the AP which supports the WAPI function complete the encryption and decryption of their respective MPDUs by means of the unicast key and the symmetric cryptographic algorithm negotiated during the WAI process. The network protocol stack at the terminal side follows the Transmission Control Protocol/Internet Protocol (TCP/IP) hierarchical model; the 802.11 media access control and the 802.2 logical link control at the upper layer constitute the data link layer, as shown in FIG. 1.
The network applications on the terminal are mostly based on IP packets, and the IP layer has its own security service. Each network application client is able to complete the encryption and integrity protection of communication data with its application server, or with a client of a user interacting with the network application client, by means of the security service of the IP layer. For the data transmitted on the radio access link, on the premise of data security protection at the IP layer or a layer above the IP layer (e.g. the application layer), the encryption of an MPDU message at the data link layer usually cannot further enhance the security of the service data, while consuming considerable computing resources.
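The layering described in the two paragraphs above, as an added illustration that is not part of the patent text: an application payload is first protected by the IP-layer security service, then carried as the MSDU of an MPDU whose body the WPI encrypts under the WAI-negotiated unicast key, with the MAC header left in the clear. The cipher used here (an HMAC-SHA256 keystream with an HMAC tag), the simplified header layout and the per-frame packet number used as nonce are assumptions chosen so the model runs on the Python standard library alone; they are not the approved algorithm or frame format the WPI actually uses.

```python
"""Added example (not from the patent text): a toy model of the WAPI data path.

After WAI negotiates a unicast key, WPI protects the body of each MPDU while the
802.11 MAC header stays in the clear. An application may also protect the same
payload at the IP layer, which is the double-protection case discussed above.

Assumptions: the cipher is an HMAC-SHA256 keystream plus HMAC tag, a stand-in
for the approved symmetric algorithm the WPI really uses; the header layout and
the per-frame packet number (PN) used as nonce are simplified constructions.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16          # truncated MIC length (constructed choice)
HDR_FMT = ">H6s6sQ"   # frame control, dst, src, packet number (simplified header)
HDR_LEN = struct.calcsize(HDR_FMT)   # 22 bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; toy only, never reuse a nonce."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def protect(key: bytes, nonce: bytes, aad: bytes, body: bytes) -> bytes:
    """Encrypt body; the MIC also covers the unencrypted aad (e.g. the MAC header)."""
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    mic = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + mic


def unprotect(key: bytes, nonce: bytes, aad: bytes, blob: bytes) -> bytes:
    """Verify the MIC first, then decrypt; raise on any tampering."""
    if len(blob) < TAG_LEN:
        raise ValueError("truncated frame")
    ct, mic = blob[:-TAG_LEN], blob[-TAG_LEN:]
    want = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(mic, want):
        raise ValueError("MIC check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_mpdu(unicast_key: bytes, pn: int, dst: bytes, src: bytes, msdu: bytes) -> bytes:
    """STA side: header in clear, body encrypted under the WAI-negotiated unicast key."""
    header = struct.pack(HDR_FMT, 0x0888, dst, src, pn)
    return header + protect(unicast_key, struct.pack(">Q", pn), header, msdu)


def open_mpdu(unicast_key: bytes, frame: bytes) -> bytes:
    """AP side: read the PN from the clear header and recover the MSDU."""
    header = frame[:HDR_LEN]
    _fc, _dst, _src, pn = struct.unpack(HDR_FMT, header)
    return unprotect(unicast_key, struct.pack(">Q", pn), header, frame[HDR_LEN:])


def double_protection_demo() -> dict:
    """Walk one application message through IP-layer protection and then WPI.

    A party holding only the unicast key (the AP) recovers only the IP-layer
    ciphertext, so the link-layer pass re-encrypts bytes that were already
    protected end to end, and every such byte costs a second cipher pass.
    """
    # Constructed keys and addresses; real keys come from WAI / the IP-layer SA.
    unicast_key = hashlib.sha256(b"wai-negotiated-unicast-key").digest()
    ip_sa_key = hashlib.sha256(b"ip-layer-security-association").digest()
    sta, ap = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    plaintext = b"GET /account HTTP/1.1"

    ip_nonce = struct.pack(">Q", 7)                       # IP-layer sequence number
    ip_protected = protect(ip_sa_key, ip_nonce, b"", plaintext)
    frame = build_mpdu(unicast_key, pn=1, dst=ap, src=sta, msdu=ip_protected)

    seen_by_ap = open_mpdu(unicast_key, frame)            # WPI removed at the AP
    end_to_end = unprotect(ip_sa_key, ip_nonce, b"", seen_by_ap)

    # A bit flip anywhere in the encrypted body is caught by the WPI MIC.
    tampered = bytearray(frame)
    tampered[HDR_LEN] ^= 0x01
    try:
        open_mpdu(unicast_key, bytes(tampered))
        mic_caught_tamper = False
    except ValueError:
        mic_caught_tamper = True

    return {
        "end_to_end": end_to_end,
        "ap_sees_plaintext": seen_by_ap == plaintext,
        "ap_sees_ip_ciphertext": seen_by_ap == ip_protected,
        "bytes_encrypted_twice": len(ip_protected),
        "mic_caught_tamper": mic_caught_tamper,
    }


if __name__ == "__main__":
    print(double_protection_demo())
```

The returned dictionary makes the point of the paragraph concrete: the AP, which must strip the WPI protection anyway, sees only the IP-layer ciphertext, so against that party the link-layer encryption adds no confidentiality, yet every byte of the already-protected payload (and its tag) is run through the link cipher a second time on both ends of the air interface. The MIC check still shows the one thing the link layer does add on its own: detection of frames altered in transit before they reach the IP layer.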