

CN102217239A - A group temporary key update method, device and system - Google Patents

A group temporary key update method, device and system

Info

Publication number
CN102217239A
Authority
CN
China
Prior art keywords
access point
temporary key
group
key
virtual access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2010800034370A
Other languages
Chinese (zh)
Other versions
CN102217239B (en)
Inventor
胡建如
刘国平
颜林志
唐建文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of CN102217239A
Application granted
Publication of CN102217239B
Legal status: Active (current)
Anticipated expiration

Abstract

Translated from Chinese

A group temporary key update method, device and system. The method comprises the following steps: dividing an access point into a plurality of virtual access points according to a service configuration request issued by an access control point, each virtual access point having a service group identifier; calculating and saving a group temporary key at virtual access point granularity; and receiving a group temporary key update proxy request issued by the access control point, and performing a group temporary key update for the wireless stations STA within the range of the virtual access point. The method, device and system provided by the embodiments of the present invention not only change the place where the group temporary key is managed, moving it from the AC to the AP, which greatly reduces the burden on the AC under the thin AC centrally managed network model, but also change the scope of the group temporary key update from ESS level to VAP level. This narrows the update range, reduces the traffic of the whole system network and reduces disturbance to the system.

Figure 201080003437

Description

Translated from Chinese

A group temporary key update method, device and system

Technical field

The invention relates to wireless local area networks, and in particular to a group temporary key update method, device and system.

Background

WLAN (Wireless Local Area Network) is a product of the combination of computer and wireless communication technology in the 1990s. It uses wireless channels to access the network, offers a potential means for mobile, personalized and multimedia communication, and has become one of the effective means of broadband access.

802.11 is a wireless LAN standard formulated by the IEEE. Its architecture consists of: the wireless station STA (station), the wireless access point AP (access point), the independent basic service set IBSS, the basic service set BSS, the distribution system DS and the extended service set ESS. A wireless station STA usually consists of a PC or notebook computer with a wireless network card; it can also be an embedded device on a non-computer terminal that provides a wireless connection, such as a mobile phone that supports 802.11. A wireless access point AP can be regarded as a wireless hub; its role is to bridge between the STAs and the existing (wired or wireless) backbone network, giving wireless users access to the wired or wireless network.

In an 802.11 network, because of the security concerns of transmitting information over the air, a group temporary key (Group Transient Key, GTK) is used to encrypt and decrypt broadcast and multicast frames. Also for security reasons, the group temporary key has to be updated both periodically and on demand. In the existing thin AP solution the group temporary key is updated on the access control point AC (Access Control) at ESS granularity. At present, a group temporary key update is triggered in the following cases:

1. The AC periodically updates the group temporary key of the users (wireless stations STA) in the ESSs it manages;

2. The AC responds to a group temporary key update request triggered by a user in an ESS by updating the multicast key for all users in that ESS.

All of the above update operations have to be completed on the access control point AC. Because of the characteristics of a WLAN, each ESS managed on the AC contains many users, and users go online and offline very frequently, so group temporary key updates are triggered often. This makes the AC process these messages frequently, leading to low efficiency, degraded performance and even paralysis of the system.

Summary of the invention

Embodiments of the present invention provide a group temporary key update method, device and system, so as to avoid the system performance bottleneck caused by the AC centrally and frequently processing group temporary key update operations.

The above object of the embodiments of the present invention is achieved through the following technical solutions:

A group temporary key update method, the method comprising: dividing an access point into a plurality of virtual access points according to a service configuration request issued by an access control point, each virtual access point having a service group identifier; calculating and saving a group temporary key at virtual access point granularity; and receiving a group key update proxy request issued by the access control point, and performing a group key update for the wireless stations within the range of the virtual access point.

An access device on which a plurality of virtual access points are divided, the device comprising: a detection unit, configured to detect whether a specific virtual access point needs to update its group temporary key; a determination unit, configured to determine, when the detection unit detects that the specific virtual access point needs to update its group temporary key, the new group temporary key to be used by that specific virtual access point; and an update unit, configured to send the new group temporary key to all online wireless stations within the range of the specific virtual access point so as to perform the group temporary key update.

A communication system comprising an access point and wireless stations, the access point being connected to the wireless stations and having a plurality of virtual access points divided on it. The access point is configured to determine, when it detects that a specific virtual access point needs to update its group temporary key, the new group temporary key to be used by that specific virtual access point, and to send the determined new group temporary key to all online wireless stations within the range of that specific virtual access point so as to perform the group temporary key update.

Through the method, device and system provided by the embodiments of the present invention, the place where the group key is managed is changed, moving from the AC to the AP, which greatly reduces the burden on the AC under the thin AP centrally managed network model. The scope of the group key update is also changed, from ESS level down to VAP level, which narrows the update range, reduces the traffic of the whole system network and reduces disturbance to the system.

Brief description of the drawings

The drawings described here are provided for a further understanding of the present invention and form part of this application; they do not limit the present invention. In the drawings:

FIG. 1 is a flow chart of the method of an embodiment of the present invention;

FIG. 2 is a schematic diagram of a thin AC network structure;

FIG. 3 is a flow chart of an STA accessing the AC through the AP according to an embodiment of the present invention;

FIG. 4 is a flow chart of link establishment according to an embodiment of the present invention;

FIG. 5 is a flow chart of information authentication according to an embodiment of the present invention;

FIG. 6 is a flow chart of a GTK update method according to an embodiment of the present invention;

FIG. 7 is a flow chart of another GTK update method according to an embodiment of the present invention;

FIG. 8 is a flow chart of another GTK update method according to an embodiment of the present invention;

FIG. 9 is a flow chart of another GTK update method according to an embodiment of the present invention;

FIG. 10 is a flow chart of another GTK update method according to an embodiment of the present invention;

FIG. 11 is a block diagram of the device of an embodiment of the present invention;

FIG. 12 is a block diagram of the system of an embodiment of the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments of the present invention are described in further detail below in conjunction with the embodiments and the accompanying drawings. The exemplary embodiments of the present invention and their descriptions are used to explain the invention, not to limit it.

FIG. 1 is a flow chart of a group temporary key update method provided by an embodiment of the present invention. The method can be applied to an access point AP in a wireless local area network WLAN. Referring to FIG. 1, the method includes:

Step 101: Divide the access point AP into a plurality of virtual access points.

The method of this embodiment can be applied to a thin AP network architecture. FIG. 2 is a schematic diagram of a thin AP network structure. Referring to FIG. 2, the network architecture includes an access control point AC, the access points AP connected under the AC and centrally controlled by it, and the wireless station devices STA connected under each access point.

In this embodiment, the VAP division may be triggered after the AP receives a service configuration request issued by the access control point AC. According to the service type, service configuration parameters and so on carried in the service configuration request, the AP divides itself into a plurality of virtual APs, i.e. VAPs; each VAP corresponds to one service group identifier SSID, that is, it is identified by one SSID. The AP determines the service type to be configured from the service configuration request and adds that service type to one or more existing VAPs. The VAP division on the AP can also be configured remotely by the service support system through a management interface as needed, or, of course, by operation and maintenance personnel through a configuration command line or a human-machine interface. Among the VAPs divided on the AP, each VAP may contain one or more services. For example, the AP may be divided into three VAPs, VAP 1, VAP 2 and VAP 3, where VAP 1 provides only Internet access, VAP 2 provides only video service, and VAP 3 provides both Internet access and video service; this embodiment is not limited thereto. Since each VAP is logically independent and VAPs do not affect one another, service operation, maintenance and management are made easier.

In this embodiment, the SSID of a VAP identifies the VAP, so that after a wireless station scans the SSID with its wireless network card it can conveniently connect to the VAP corresponding to that SSID among the multiple VAPs on the AP, and then associate with the AC so that the STA gains access to the network.

Step 102: Calculate the group temporary key on the AP at VAP granularity.

In this embodiment, each of the multiple VAPs on the AP calculates its own group temporary key; one group temporary key corresponds to one VAP, and all STAs under that VAP share it. The AC no longer needs to store ESS-based GMK (Group Master Key) and GTK information; instead, it is calculated and stored on the AP at VAP granularity, that is, the AP calculates and stores one set of GMK and GTK information for each VAP. If a user (wireless station) under a VAP goes offline, or the group temporary key needs to be updated for another reason, only the group temporary key (GTK) of that VAP needs to be updated, and all online users under that VAP are notified at the same time. In this way the whole update process does not need the AC to participate, and each update involves at most about 100 users.

Step 103: The AP sends the calculated group temporary key to all online users under the corresponding VAP to update the group temporary key of that VAP.

For example, the AP receives a group key update proxy request issued by the AC and, in response to that request, determines which of the multiple VAPs needs to update its group temporary key, then performs the group key update for all online STAs within the range of the determined VAP.

In this embodiment, the AP detects whether the group temporary key needs to be updated for a specific VAP on the AP, so as to trigger the update process for that specific VAP.

In one embodiment of the present invention, detecting whether the group temporary key needs to be updated for a specific VAP on the AP is implemented by the AP detecting a group key update proxy request sent by the AC. On detecting the group key update proxy request sent by the AC, the AP determines the VAP whose group temporary key needs updating and updates the group temporary key within the range of the determined VAP.

In another embodiment of the present invention, detecting whether the group temporary key needs to be updated for a specific VAP on the AP is implemented by the AP detecting the connection state of the STAs in its coverage area. When the AP detects that a specific STA in its coverage area has changed from the online state to the offline state, and determines that the group temporary key of the VAP to which that STA belongs needs updating, it updates the group temporary key within the range of that VAP.

Since the AC does not need to participate in the update process at all, the processing burden on the AC is reduced. In addition, the ESS managed by the original AC includes all APs connected under it, whereas in the embodiments of the present invention the scope of the update is reduced from the ESS level managed by the AC to the VAP level on the AP. This narrows the update range, and therefore reduces the traffic of the whole system network and reduces disturbance to the system.

FIG. 3 is a flow chart of the processing performed by the AP according to the method provided by an embodiment of the present invention when an STA accesses the network through the AP. Referring to FIG. 3, the access procedure includes:

Step 301: The STA scans nearby wireless signals with its wireless network card and obtains a wireless access list, that is, the set of service group identifiers SSID provided by the AP of this embodiment after dividing itself into VAPs; the wireless station STA selects one of them to connect to.

In this embodiment, depending on the authentication method, a password has to be entered, a certificate provided, or similar, to prove that the access is legitimate; this can be implemented with existing techniques and is not described again here.

In this embodiment, the STA selecting an SSID and establishing the wireless connection can be completed by the steps shown in FIG. 4, although this embodiment is not limited thereto. Referring to FIG. 4, the method includes:

Step 401: The STA sends a link authentication request (Authentication request, open system) to the AP.

The link authentication request may also carry the SSID of the selected VAP and the user identifier of the STA.

Step 402: The AP receives the link authentication request, performs link authentication and returns a link authentication response to the STA.

Step 403: After receiving the link authentication response returned by the AP, the STA sends an association request (Association request) to the AC via the AP.

The association request may carry the SSID of the VAP selected by the STA and the user identifier of the STA.

Step 404: When the AC decides that the STA may be admitted, it establishes the association between the VAP and the STA on the AC, returns an association response (Association response) to the STA allowing it to access the wireless network, and at the same time records the STA's association information, such as the STA's MAC address, VAP and SSID.

The association response may carry the association between the STA and the VAP, such as the correspondence between the SSID and the STA. Since all messages exchanged between the STA and the AC are forwarded by the AP, the AP can intercept the association response and, if it determines that the AC has authenticated the STA successfully, establish the association between the STA and the VAP on the AP according to the VAP-STA association carried in the association response. At this point the AP also holds the correspondence between the STA's MAC address, the VAP and the SSID, and the wireless link is connected.

Step 302: After the wireless link is connected, the STA performs information authentication with the AC via the AP.

In this embodiment, the information authentication can be implemented through a four-way handshake, during which the AC does not send GTK information to the STA. Referring to FIG. 5, the process includes the following steps:

Step 501: The AC sends message 1 to the STA.

Message 1 contains a random value A-nonce. It is the first of the four-way handshake messages and is the same as in the existing four-way handshake (4-Way Handshake Message), so it is not described again here.

In this embodiment, the STA returns some authentication information to the AC according to the A-nonce; this is prior art and is not described again here.

A nonce is a random value used to guard against replay attacks; A-nonce denotes the random number sent by the AC to the STA.

Step 502: The STA sends message 2 to the AC via the AP.

Message 2 contains the STA's MAC address, a message integrity code MIC and an S-nonce, where the MIC is a message authentication code that protects message 2 from tampering, and S-nonce denotes the random number sent by the STA to the AC. Likewise, message 2 is the second of the four-way handshake messages and is the same as in the existing four-way handshake (4-Way Handshake Message), so it is not described again here.

In this embodiment, the AC calculates the PTK (Pairwise Transient Key) from the STA's MAC address and S-nonce in message 2 together with the AC's own MAC address and A-nonce, calculates a MIC from the PTK, and compares the calculated MIC with the MIC in message 2 to verify whether the STA is legitimate. This can be implemented with existing techniques and is not described again here.

In this embodiment, if the verification finds the calculated MIC identical to the MIC in message 2, the STA is legitimate.

Step 503: The AC sends message 3 to the STA via the AP.

Message 3 contains the AC's MIC check value and the AC's encryption state. It is the third of the four-way handshake messages; with it the AC confirms whether the STA knows the PMK and notifies the STA that the AC is ready to install and use the data encryption key. It is the same as in the existing four-way handshake (4-Way Handshake Message), so it is not described again here.

In this embodiment, the STA compares the MIC check value in message 3 with its own MIC to determine whether the AC is a trusted party, and from the AC's encryption state in message 3 determines whether the AC is ready to install and use the data encryption key.

Step 504: The STA sends message 4 to the AC via the AP.

Message 4 contains key confirmation information. It is the fourth of the four-way handshake messages and is the same as in the existing four-way handshake (4-Way Handshake Message), so it is not described again here.

In this embodiment, from message 4 the AC determines that the key is about to be installed and encryption is about to start, and also determines that the handshake has ended.

Step 303: After the information authentication succeeds, the access control point AC sends the PTK down to the VAP; the VAP stores the PTK information, uses it to encrypt and decrypt unicast frames, and at the same time starts the GTK update.

In this embodiment, after the four-way handshake between the STA and the AC, the AC sends the calculated pairwise transient key PTK to the VAP, and the VAP starts the group temporary key update process after receiving the PTK.

In this embodiment, the GTK update started by the VAP can be implemented through a two-way handshake. Continuing to refer to FIG. 5, the process includes:

Step 505: The AP sends message 5 to the STA.

Message 5 contains the group temporary key; it is group key handshake message 1 (Group Key Handshake Message 1).

In this embodiment, the AP issues the group temporary key at VAP granularity, that is, within the range of the VAP it issues the group temporary key to all online STAs of that VAP.

Step 506: The STA sends message 6 to the AP.

Message 6 is the response to message 5; it is group key handshake message 2 (Group Key Handshake Message 2).

In this embodiment, after receiving the group temporary key the STA updates its group temporary key and returns an update-complete indication to the AP in message 6.

In this embodiment, the handshake messages may be EAPOL-Key (Extensible Authentication Protocol over LAN-Key) frames whose format is the same as that of existing EAPOL-Key frames, comprising the fields: Descriptor Type, Key Information, Key Length, Replay Counter, Key Nonce, EAPOL-Key IV, Key Start Sequence, Key Identifier, Key MIC (16), Key Data Length (2), Key Data (variable length), and so on. The Descriptor Type field is 254 to mark the frame as a WPA1 frame and 2 to mark it as a WPA2 frame. The Key Information field consists of several sub-fields that give the key type and how it is used, as well as various control bits related to the handshake. The Key Length field gives the key length in bytes, mainly for pairwise keys: although the actual PTK is not sent in this key frame, this is the length of the PTK, which is the target key. The Replay Counter field is incremented with every message to detect any attempt to attack by replaying an old message; the exception is when the message is a response to an ACK request, in which case the replay value being "replied to" is inserted in this field. The current value of the Key Nonce field is used to derive the pairwise transient key and the group key. The EAPOL-Key IV field is used for the transport of the group key: the GTK is encrypted with the EAPOL-Key encryption key together with this IV value, and the encrypted GTK is placed in the Key Data area. The Key Start Sequence field holds the sequence number of the first frame expected after the key is installed; this sequence number is used to prevent replay attacks. The Key Identifier field is not used in WPA; in future it may be used to allow several keys to be established in advance. The Key MIC field is an integrity check value computed from the EAPOL protocol version field to the end of the key material (this field is set to 0 during the computation). The Key Data Length field defines the length of the Key Data field in bytes; the Key Data field may differ from the actual key itself. The Key Data field carries the data that has to be transmitted secretly: for example, in the group key case this is the encrypted GTK, while in some pairwise key cases this field carries an information element.

The Key Information field is described in Table 1:

Bits 0-3: currently unused, set to 0

Bits 4-9: control bits for the different phases of the handshake

Bits 10-11: key index; for a group key, the index of the key. This allows a new group key to be installed and taken into use later, because the new group key is placed at an index different from that of the current group key.

Bit 12: key type, distinguishing pairwise key messages from group key messages

Bits 13-15: version, allowing different schemes and key encryption methods to be used in future

Note that Table 1 counts bits from the most significant end; IEEE 802.11 numbers the same 16-bit field from the least significant bit, so it places the Key Descriptor Version in bits 0-2, the Key Type in bit 3 and the Key Index in bits 4-5. Bits 4 to 9 of Table 1 are further described in a separate table.
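As an added example (not code from the patent), the following Python builds and parses EAPOL-Key frames with exactly the field layout listed above, decodes the Key Information bits, and verifies the Key MIC the way the text describes: over the frame from the EAPOL version byte to the end of the Key Data, with the MIC field zeroed, using HMAC-MD5 for descriptor version 1 and HMAC-SHA1 truncated to 16 bytes for version 2 (version 3, AES-128-CMAC, is rejected rather than guessed at). Bits are numbered as IEEE 802.11 does, from the least significant end, which is the reverse of Table 1. The KCK, the two sample frames and the 24-byte stand-in for the wrapped GTK are constructed here, not captured.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# EAPOL-Key body layout (big-endian) after the 4-byte 802.1X header
# (protocol version, packet type 3 = EAPOL-Key, body length):
#   Descriptor Type(1) Key Information(2) Key Length(2) Replay Counter(8)
#   Key Nonce(32) EAPOL-Key IV(16) Key RSC(8) Key ID(8) Key MIC(16)
#   Key Data Length(2) Key Data(variable)
_HDR_FMT = ">BBH"
_BODY_FMT = ">BHHQ32s16sQ8s16sH"
_BODY_LEN = struct.calcsize(_BODY_FMT)              # 95 bytes of fixed fields
_MIC_OFF = 4 + struct.calcsize(">BHHQ32s16sQ8s")     # Key MIC starts at frame byte 81

DESCRIPTOR_WPA1 = 254   # descriptor type the text assigns to WPA1 frames
DESCRIPTOR_RSN = 2      # descriptor type of WPA2 (RSN) frames

# Key Information bit positions, IEEE 802.11 numbering (bit 0 = least significant).
KI_VERSION_MASK = 0x0007
KI_PAIRWISE = 1 << 3
KI_INDEX_SHIFT, KI_INDEX_MASK = 4, 0x3
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 1 << 6, 1 << 7, 1 << 8, 1 << 9
KI_ERROR, KI_REQUEST, KI_ENCRYPTED = 1 << 10, 1 << 11, 1 << 12


@dataclass
class EapolKey:
    descriptor_type: int
    key_info: int
    key_length: int
    replay_counter: int
    nonce: bytes
    iv: bytes
    rsc: int
    key_id: bytes
    mic: bytes
    key_data: bytes

    @property
    def descriptor_version(self) -> int:
        return self.key_info & KI_VERSION_MASK

    @property
    def is_pairwise(self) -> bool:
        return bool(self.key_info & KI_PAIRWISE)

    @property
    def key_index(self) -> int:
        return (self.key_info >> KI_INDEX_SHIFT) & KI_INDEX_MASK

    @property
    def is_group_rekey_request(self) -> bool:
        # A supplicant asking the AP for a new GTK: Request bit set on a group key message.
        return bool(self.key_info & KI_REQUEST) and not self.is_pairwise


def _mic(kck: bytes, frame: bytes, version: int) -> bytes:
    # The MIC covers the frame from the EAPOL version byte to the end of Key Data,
    # with the 16-byte MIC field itself zeroed.
    zeroed = frame[:_MIC_OFF] + bytes(16) + frame[_MIC_OFF + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise NotImplementedError("descriptor version 3 uses AES-128-CMAC; not handled here")


def build_eapol_key(kck, descriptor_type, key_info, key_length, replay_counter,
                    nonce, iv, rsc, key_data) -> bytes:
    """Pack an EAPOL-Key frame and fill in its MIC (Key ID is left as zeros)."""
    body = struct.pack(_BODY_FMT, descriptor_type, key_info, key_length, replay_counter,
                       nonce, iv, rsc, bytes(8), bytes(16), len(key_data)) + key_data
    frame = struct.pack(_HDR_FMT, 2, 3, len(body)) + body
    mic = _mic(kck, frame, key_info & KI_VERSION_MASK)
    return frame[:_MIC_OFF] + mic + frame[_MIC_OFF + 16:]


def parse_eapol_key(frame: bytes) -> EapolKey:
    if len(frame) < 4 + _BODY_LEN:
        raise ValueError("frame too short for an EAPOL-Key body")
    _ver, ptype, length = struct.unpack(_HDR_FMT, frame[:4])
    if ptype != 3:
        raise ValueError("not an EAPOL-Key packet")
    body = frame[4:4 + length]
    if len(body) < _BODY_LEN:
        raise ValueError("EAPOL length field shorter than the fixed fields")
    f = struct.unpack(_BODY_FMT, body[:_BODY_LEN])
    key_data = body[_BODY_LEN:_BODY_LEN + f[9]]
    if len(key_data) != f[9]:          # Key Data Length must not run past the frame
        raise ValueError("Key Data Length exceeds the bytes actually present")
    return EapolKey(f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8], key_data)


def verify_mic(frame: bytes, kck: bytes) -> bool:
    key = parse_eapol_key(frame)
    if not key.key_info & KI_MIC:
        return False                    # a frame claiming to carry no MIC is not trusted
    length = struct.unpack(_HDR_FMT, frame[:4])[2]
    calc = _mic(kck, frame[:4 + length], key.descriptor_version)
    return hmac.compare_digest(calc, key.mic)


# Constructed samples (not captures). KCK is the first 16 bytes of a PTK.
SAMPLE_KCK = bytes(range(16))
SAMPLE_GTK_KDE = b"\xaa" * 24        # stands in for the AES-key-wrapped GTK KDE
# Message 1 of a WPA2 group key handshake: group key, index 2, Ack+MIC+Secure+Encrypted.
SAMPLE_GROUP_MSG = build_eapol_key(
    SAMPLE_KCK, DESCRIPTOR_RSN,
    key_info=2 | (2 << KI_INDEX_SHIFT) | KI_ACK | KI_MIC | KI_SECURE | KI_ENCRYPTED,
    key_length=0, replay_counter=7, nonce=bytes(32), iv=bytes(16), rsc=0,
    key_data=SAMPLE_GTK_KDE)
# A supplicant requesting a fresh GTK from the AP: Request bit set, group key type.
SAMPLE_REKEY_REQUEST = build_eapol_key(
    SAMPLE_KCK, DESCRIPTOR_RSN, key_info=2 | KI_MIC | KI_REQUEST,
    key_length=0, replay_counter=8, nonce=bytes(32), iv=bytes(16), rsc=0, key_data=b"")
```

The parser refuses a Key Data Length that runs past the frame before it ever touches the MIC, and `verify_mic` uses a constant-time comparison; both are the checks a receiver needs before it installs anything from the Key Data field.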

Fig. 6 is a flowchart of a method according to an embodiment of the present invention in which the AP, on the active request of a STA, performs a group key update for all STAs within the VAP that the STA is associated with. Referring to Fig. 6, the method includes:

Step 601: the AP receives a group temporary key update request from the STA; bit 12 of the Key Information field of Table 1 indicates whether the message is a group key update message.

Step 602: the AP updates the group temporary key of the VAP the STA is associated with.

From the MAC address in the group temporary key update request, the AP finds the VAP the STA is associated with, and from the VAP looks up the corresponding group temporary key. The group temporary key stored locally against that VAP identifier was computed and saved by the AP itself before the update request arrived; how the group temporary key is computed is prior art and is not repeated here.

Step 603: the AP sends the updated group temporary key to all online STAs within that VAP.

Fig. 7 is a flowchart of a method according to an embodiment of the present invention in which the AP, when a STA goes offline normally, performs a group key update for all STAs within the VAP the STA was associated with. Referring to Fig. 7, the method includes:

Step 701: the AP receives a disassociation request from the STA. When a STA leaves a VAP it sends a disassociation frame to the AP; on receiving it, the AP first deletes the STA's information held on the AP and then notifies the AC to delete the STA information it saved earlier, such as the STA's MAC address, VAP and SSID.

Step 702: the AP updates the group temporary key of the VAP the STA was associated with. From the MAC address in the disassociation request the AP finds the VAP the STA was associated with, and from the VAP looks up the corresponding group temporary key. The group temporary key stored locally against that VAP identifier was computed and saved by the AP itself before the update was triggered; how the group temporary key is computed is prior art and is not repeated here.

Step 703: the AP sends the updated group temporary key to the STAs within the VAP the STA was associated with.

In this way the AP triggers the group temporary key update for the STAs within the VAP. Rotating the key at this point is what matters for security: the departed STA still holds the old GTK and could otherwise continue to decrypt the broadcast and multicast traffic of that VAP.

Fig. 8 is a flowchart of a method according to an embodiment of the present invention in which the AP, when a STA goes offline abnormally, performs a group key update for all STAs within the VAP the STA was associated with. Referring to Fig. 8, the method includes:

Step 801: the AP detects whether the STA has gone offline.

In this embodiment the AP can detect whether a STA is offline from its packet traffic.

Step 802: the AP periodically checks whether the AP chip holds traffic statistics for the STA; the chip keeps these statistics per STA MAC address. If no traffic is seen for the STA, the STA is deemed offline and the AP updates the group temporary key of the VAP the STA was associated with. The idle threshold used here has to be longer than the quiet periods of a legitimately associated but idle STA, because a STA wrongly deemed offline is no longer counted as online and will not receive the new key.

Step 803: the AP sends the updated group temporary key to all online STAs within the VAP the STA was associated with.

In this way the AP triggers the group temporary key update for the STAs within the VAP.

Fig. 9 is a flowchart of a method according to an embodiment of the present invention in which the AP, when a STA roams, performs a group key update for all STAs within the VAP the STA was associated with. Referring to Fig. 9, the method includes:

Step 901: the AP receives a disassociation or deauthentication request from the STA.

In this embodiment, a STA that leaves the old VAP to authenticate with a new VAP sends a disassociation or deauthentication request to the old VAP.

Step 902: the AP updates the group temporary key of the VAP the STA was associated with.

In this embodiment, once the old VAP has received the disassociation or deauthentication request, it triggers a group key update for the STAs within that VAP.

From the MAC address in the disassociation or deauthentication request the AP finds the VAP the STA was associated with, and from the VAP looks up the corresponding group temporary key. The group temporary key stored locally against that VAP identifier was computed and saved by the AP itself before the update was triggered; how the group temporary key is computed is prior art and is not repeated here.

Step 903: the AP sends the updated group temporary key to the STAs within the VAP the STA was associated with.

In this way the AP, acting as proxy for the AC, triggers the group temporary key update for the STAs within the VAP.

Fig. 10 is a flowchart of a method according to an embodiment of the present invention in which the AP periodically updates the group key of all STAs within a VAP. Referring to Fig. 10, the method includes:

Step 1001: update the group temporary key periodically;

Step 1002: send the updated group temporary key to the STAs within the VAP.

With the method of this embodiment, the AP, according to the group key update proxy request of the AC, updates the group temporary key within the scope of a VAP in place of the AC whenever the key needs updating. Because the AC takes no part in the update itself, its processing load is reduced; and because the scope of the update shrinks from the ESS level to the VAP level, the traffic across the whole network and the disturbance to the system are reduced.
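The five triggers of Figs. 6 to 10 share one piece of AP-side state: a GTK per VAP, rotated into the alternate key index and delivered only to the STAs still online in that VAP. The following Python models that state machine as an added example; it is not the patent's or any vendor's code. It assumes a 16-byte GTK drawn from os.urandom (the text leaves GTK computation to prior art), key indices alternating between 1 and 2, chip traffic counters supplied as a dictionary per poll, and "delivery" recorded as the list of MACs that would receive the EAPOL-Key frame rather than frames actually sent.

```python
import os
from dataclasses import dataclass, field


@dataclass
class Station:
    mac: str
    tx_bytes: int = 0     # last per-MAC traffic counter read from the AP chip (simulated)
    idle_polls: int = 0   # consecutive polls in which that counter did not move


@dataclass
class Vap:
    ssid: str
    gtk: bytes
    key_index: int                                 # 1 or 2; index 0 is the pairwise key
    stations: dict = field(default_factory=dict)   # mac -> Station, the VAP's online STAs
    rekeys: list = field(default_factory=list)     # (reason, key_index, macs delivered to)


class GtkManager:
    """AP-side group temporary key state, held per VAP instead of per ESS."""

    def __init__(self, idle_polls_before_offline=3, rekey_interval=3600.0):
        self.vaps = {}          # ssid -> Vap
        self.last_rekey = {}    # ssid -> time of that VAP's last GTK rotation
        self.idle_polls_before_offline = idle_polls_before_offline
        self.rekey_interval = rekey_interval

    # The AC's service configuration divides the AP into VAPs, one GTK each.
    def configure_vap(self, ssid, now=0.0):
        self.vaps[ssid] = Vap(ssid=ssid, gtk=os.urandom(16), key_index=1)
        self.last_rekey[ssid] = now

    def associate(self, mac, ssid):
        self.vaps[ssid].stations[mac] = Station(mac=mac)

    def _vap_of(self, mac):
        return next((v for v in self.vaps.values() if mac in v.stations), None)

    def _rekey(self, ssid, reason, now):
        """Rotate one VAP's GTK into the other key index and deliver it to every STA
        still associated with that VAP; STAs of the other VAPs are not touched."""
        vap = self.vaps[ssid]
        vap.gtk = os.urandom(16)
        vap.key_index = 2 if vap.key_index == 1 else 1
        delivered = sorted(vap.stations)
        vap.rekeys.append((reason, vap.key_index, delivered))
        self.last_rekey[ssid] = now
        return delivered

    # Fig. 6: a STA actively asks for a group key update.
    def on_sta_rekey_request(self, mac, now=0.0):
        vap = self._vap_of(mac)
        if vap is None:
            return []           # not one of our STAs: a stray request must not churn keys
        return self._rekey(vap.ssid, "sta-request", now)

    # Fig. 7 and Fig. 9: disassociation or deauthentication (normal leave or roaming).
    def on_disassociate(self, mac, now=0.0):
        vap = self._vap_of(mac)
        if vap is None:
            return []
        del vap.stations[mac]   # drop the STA first so it never receives the new GTK
        return self._rekey(vap.ssid, "disassociate", now)

    # Fig. 8: abnormal leave, inferred from per-MAC traffic counters on the chip.
    def poll_traffic(self, counters, now=0.0):
        """counters: mac -> cumulative bytes seen by the chip. Returns the MACs declared
        offline. A STA is dropped only after idle_polls_before_offline quiet polls,
        because a merely idle STA that is dropped would miss the new GTK."""
        offline = []
        for vap in self.vaps.values():
            dropped = []
            for sta in list(vap.stations.values()):
                seen = counters.get(sta.mac, sta.tx_bytes)
                if seen > sta.tx_bytes:
                    sta.tx_bytes, sta.idle_polls = seen, 0
                else:
                    sta.idle_polls += 1
                if sta.idle_polls >= self.idle_polls_before_offline:
                    dropped.append(sta.mac)
                    del vap.stations[sta.mac]
            if dropped:                      # one rotation per VAP, however many dropped
                self._rekey(vap.ssid, "sta-offline", now)
                offline.extend(dropped)
        return offline

    # Fig. 10: periodic rotation, independent of any STA event.
    def tick(self, now):
        rotated = []
        for ssid in self.vaps:
            if now - self.last_rekey[ssid] >= self.rekey_interval:
                self._rekey(ssid, "timer", now)
                rotated.append(ssid)
        return rotated
```

Two details carry the security argument of the text: the leaving STA is removed before the new key is generated, so the rekey list never contains it, and a rotation for one VAP leaves the rekey log of every other VAP untouched, which is the ESS-to-VAP scope reduction the embodiments claim.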

Fig. 11 is a block diagram of an access device provided by an embodiment of the present invention. Referring to Fig. 11, the device is divided into several virtual access points and includes:

a detection unit 111, for detecting whether a particular virtual access point needs its group temporary key updated;

a determining unit 112, for determining, when the detection unit 111 detects that the particular virtual access point needs its group temporary key updated, the new group temporary key to be installed for that virtual access point;

an update unit 113, for sending the new group temporary key to the online wireless stations within the particular virtual access point so that they update their group temporary key.

The access device further includes a division unit 114, for dividing the access device into several virtual access points according to the service configuration request of the access control point. The detection unit 111 may in particular include a first detection module 1111 and a second detection module 1112, where:

the first detection module 1111 is for determining that the virtual access point a wireless station belongs to needs its group temporary key updated when it detects from packet traffic that the wireless station has gone offline;

the second detection module 1112 is for determining that the virtual access point a wireless station belongs to needs its group temporary key updated when it detects a disassociation request or deauthentication request sent by the wireless station.

The update unit 113 may also send a new group temporary key periodically to the wireless stations under a virtual access point.

The components of the device of this embodiment implement the respective steps of the method embodiments above; as those steps have already been described in detail, they are not repeated here.

The device of this embodiment may be applied in an access point AP, which is not described further here.

With the device of this embodiment, the AP, according to the group key update proxy request of the AC, updates the group temporary key within the scope of a VAP in place of the AC whenever the key needs updating. Because the AC takes no part in the update itself, its processing load is reduced; and because the scope of the update shrinks from the ESS level to the VAP level, the traffic across the whole network and the disturbance to the system are reduced.

Fig. 12 is a block diagram of a communication system provided by an embodiment of the present invention. Referring to Fig. 12, the system includes an access point (AP) 122 and wireless stations (STA) 123, and AP 122 is divided into several virtual access points, where:

AP 122 is for determining, when it detects that a particular virtual access point needs its group temporary key updated, the new group temporary key for that virtual access point, and for sending the determined new group temporary key to all online wireless stations within that virtual access point so that they update their group temporary key.

The system may further include an access control point (AC) 121, which issues a service configuration request to AP 122; AP 122 may divide itself into several virtual access points according to that request.

Specifically, AC 121 issues to AP 122 a service configuration request and a group key update proxy request. According to the service configuration request issued by AC 121, access point 122 divides itself into several VAPs, for example VAP1 to VAPn with n a positive integer, and according to the group key update proxy request issued by AC 121 it performs group key updates for the wireless stations within a VAP.

In this embodiment the wireless stations STA are physically connected to access point 122, but because access point 122 is divided into several virtual access points, the wireless stations connected to access point 122 each belong to one of those virtual access points VAPi; that is, each virtual access point VAPi corresponds to several wireless stations.

In this embodiment access point 122 may contain the access device shown in Fig. 11; as that device has been described in detail with Fig. 11, it is not repeated here.

Wireless station 123 receives the updated group temporary key issued by access point 122. In this embodiment wireless station 123 is a wireless station connected to access point 122 and within the scope of some virtual access point; there may be several such stations, depending on how access point 122 has been divided into virtual access points and on the update request. For example, if access point 122 is divided into n virtual access points VAP1 to VAPn and the group key update proxy request from access control point 121 requires a group key update for the STAs within VAP1, access point 122 updates the group temporary key of VAP1 and delivers it to the STAs within VAP1.

With the system of this embodiment, the AP, according to the group key update proxy request of the AC, updates the group temporary key within the scope of a VAP in place of the AC whenever the key needs updating. Because the AC takes no part in the update itself, its processing load is reduced; and because the scope of the update shrinks from the ESS level to the VAP level, the traffic across the whole network and the disturbance to the system are reduced.

Compared with existing group temporary key update methods, the method, device and system provided by the embodiments of the present invention have the following advantages:

1. The management of the group key moves from the AC to the AP, which in the centrally managed thin-AP/AC network model greatly lightens the load on the AC;

2. The scope of a group key update shrinks from the ESS level to the VAP level, which narrows the update, reduces the traffic across the whole network and reduces the disturbance to the system;

3. WPA exists in two variants, WPA1 and WPA2; the technical solution of the embodiments of the present invention also optimizes the WPA2 group key update flow.

The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

The specific embodiments described above further explain in detail the purpose, technical solutions and beneficial effects of the present invention. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Patent data

Application CN201080003437.0A, filed 2010-01-08, priority date 2010-01-08: Method, apparatus and system for updating group transient key. Status: active (granted).
Priority application: PCT/CN2010/070062, filed 2010-01-08, published as WO2011082529A1 on 2011-07-14.
Publications: CN102217239A, 2011-10-12; CN102217239B (grant), 2014-11-05.
Family ID: 44305171.
Claims: 11.
