CN106162633B - A kind of cipher key transmission methods and device - Google Patents


Info

Publication number: CN106162633B
Authority: CN (China)
Prior art keywords: pmk, mobile terminal, radius, wlan, message
Legal status: Active
Application number: CN201510189090.8A
Other languages: Chinese (zh)
Other versions: CN106162633A
Inventors: 杜宗鹏, 薛莉
Current assignee: Beijing Huawei Digital Technologies Co Ltd
Original assignee: Beijing Huawei Digital Technologies Co Ltd

Events: application filed by Beijing Huawei Digital Technologies Co Ltd; priority to CN201510189090.8A; publication of CN106162633A; application granted; publication of CN106162633B; current legal status: active.

Abstract

Translated from Chinese

Embodiments of the present invention disclose a key transmission method and device, including: a WLAN GW obtains a first PMK from RADIUS, where the first PMK was computed by the mobile terminal together with RADIUS when the mobile terminal established a data connection with a first AP; the WLAN GW generates from the first PMK a second PMK corresponding to a second AP; and the WLAN GW sends the second PMK to the second AP so that the second AP generates from it a first PMK ID corresponding to the second AP. As a result, when the mobile terminal needs to switch to the second AP, the second AP already holds the second PMK and is in a position to reassociate with the mobile terminal without the mobile terminal having to compute a new PMK with RADIUS again, so the mobile terminal can switch AP quickly and the user experience improves.

Description

A key transmission method and device

Technical field

The present invention relates to the field of communications, and in particular to a key transmission method and device.

Background

Community Wi-Fi (Wireless Fidelity) is a technique in which, alongside the private Service Set Identifier (SSID) of a home Wi-Fi network, a public SSID is configured so that other users can connect. In a Community Wi-Fi environment, the Residential Gateway (RG) of each home Wi-Fi network can be regarded as a network Access Point (AP); each AP connects to a Wireless Local Area Network Gateway (WLAN GW) and reaches the Internet through the WLAN GW. In one common Community Wi-Fi deployment the network has no Access Controller (AC) that controls the individual APs, and in that case there is no data exchange between the APs (that is, between the RGs), which are relatively independent. An AP in a network that deploys Community Wi-Fi but has no AC can be regarded as a kind of fat AP.

A mobile terminal must be authenticated before it can access the network. In the authentication flow of the Community Wi-Fi 802.1X scenario, the AP is generally the authentication point and the WLAN GW acts as a Remote Authentication Dial In User Service (RADIUS) proxy. In a network that deploys Community Wi-Fi but has no AC, the mobile terminal authenticates by interacting with the Authentication, Authorization and Accounting (AAA) module of RADIUS and, in the process, computes a Pairwise Master Key (PMK) used to establish a data connection with the AP; the mobile terminal then uses that PMK to establish the data connection and so reaches the Internet through the AP. However, because the Wi-Fi range of an AP is limited, a moving mobile terminal may leave the range of one AP and enter the range of another. In that case the mobile terminal has to switch the AP it is connected to in order to stay connected to the Internet.

Each time the mobile terminal switches AP, RADIUS has to compute a new PMK with the mobile terminal again, and the message exchange and computation take a considerable time. If the mobile terminal is running services that require session continuity during the handover, a slow AP switch severely affects those services and may even cause them to fail, resulting in a poor user experience.

Summary of the invention

To solve the above technical problem, embodiments of the present invention provide a key transmission method and device in which the WLAN GW sends to a second AP a second PMK, generated from a first PMK and corresponding to the second AP, so that when the mobile terminal switches AP the target second AP already holds the second PMK and the mobile terminal does not have to compute a new PMK with RADIUS again, which achieves fast AP switching.

In a first aspect, an embodiment of the present invention provides a key transmission method applied in a network that deploys Community Wi-Fi but has no AC. The network includes a first AP and a second AP that are neighbours of each other, the first AP and the second AP are connected to the Internet through a WLAN GW, and a mobile terminal has a data connection with the first AP. The method includes:

the WLAN GW obtains a first PMK from RADIUS, where the first PMK was computed by the mobile terminal together with RADIUS when the mobile terminal established its data connection with the first AP;

the WLAN GW generates, from the first PMK, a second PMK corresponding to the second AP;

the WLAN GW sends the second PMK to the second AP, so that the second AP generates from the second PMK a first PMK ID corresponding to the second AP.

In a first possible implementation of the first aspect, before the WLAN GW generates the second PMK corresponding to the second AP from the first PMK, the method further includes:

the WLAN GW obtains a RADIUS message sent by the first AP that contains the neighbour list of the first AP, where the neighbour list includes address information of the second AP;

and the WLAN GW generating the second PMK corresponding to the second AP from the first PMK specifically includes:

the WLAN GW generating the second PMK corresponding to the second AP from the first PMK and the address information of the second AP.

With reference to the first possible implementation of the first aspect, in a second possible implementation, the WLAN GW sending the second PMK to the second AP specifically includes:

the WLAN GW sending, according to the address information of the second AP, a first RADIUS CoA message carrying the second PMK to the second AP.

With reference to the second possible implementation of the first aspect, in a third possible implementation, after the WLAN GW sends the RADIUS CoA message carrying the second PMK to the second AP according to the address information of the second AP, the method further includes:

the WLAN GW obtaining a second RADIUS CoA message sent by the second AP, where the second RADIUS CoA message carries confirmation that the second AP has received the second PMK.

In a fourth possible implementation of the first aspect, before the WLAN GW generates the second PMK corresponding to the second AP from the first PMK, the method further includes:

the WLAN GW receiving a RADIUS access request message sent by the second AP, where the second AP generated the RADIUS access request message after receiving a reassociation message, carrying a second PMK ID, that the mobile terminal sent when switching AP, and where the RADIUS access request message includes the identifier of the mobile terminal;

the WLAN GW looking up the first PMK according to the mobile terminal identifier and a previously obtained correspondence between the mobile terminal identifier and the first PMK;

and the WLAN GW sending the second PMK to the second AP specifically includes:

the WLAN GW returning to the second AP a RADIUS access confirmation message carrying the second PMK.

With reference to the first aspect or any of its first to fourth possible implementations, in a fifth possible implementation,

the second PMK is identical to a third PMK, where the third PMK is the PMK, generated from the first PMK, that the mobile terminal used when establishing its data connection with the first AP.

In a second aspect, an embodiment of the present invention provides a key transmission device applied in a network that deploys Community Wi-Fi but has no AC. The network includes a first AP and a second AP that are neighbours of each other, the first AP and the second AP are connected to the Internet through a WLAN GW, and a mobile terminal has a data connection with the first AP. The key transmission device includes:

a first obtaining unit, configured to obtain a first PMK from RADIUS, where the first PMK was computed by the mobile terminal together with RADIUS when establishing its data connection with the first AP;

a generating unit, configured to generate, from the first PMK, a second PMK corresponding to the second AP;

a sending unit, configured to send the second PMK to the second AP, so that the second AP generates from the second PMK a first PMK ID corresponding to the second AP.

In a first possible implementation of the second aspect, before the generating unit is triggered, the device further includes:

a second obtaining unit, configured to obtain a RADIUS message sent by the first AP that contains the neighbour list of the first AP, where the neighbour list includes address information of the second AP;

and the generating unit is specifically configured to generate the second PMK corresponding to the second AP from the first PMK and the address information of the second AP.

With reference to the first possible implementation of the second aspect, in a second possible implementation,

the sending unit is specifically configured to send, according to the address information of the second AP, a first RADIUS CoA message carrying the second PMK to the second AP.

With reference to the second possible implementation of the second aspect, in a third possible implementation, after the sending unit is triggered, the device further includes:

a third obtaining unit, configured to obtain a second RADIUS CoA message sent by the second AP, where the second RADIUS CoA message carries confirmation that the second AP has received the second PMK.

In a fourth possible implementation of the second aspect, before the generating unit is triggered, the device further includes:

a fourth obtaining unit, configured to receive a RADIUS access request message sent by the second AP, where the second AP generated the RADIUS access request message after receiving a reassociation message, carrying a second PMK ID, that the mobile terminal sent when switching AP, and where the RADIUS access request message includes the identifier of the mobile terminal;

a lookup unit, configured to look up the first PMK according to the mobile terminal identifier and a previously obtained correspondence between the mobile terminal identifier and the first PMK;

and the sending unit is specifically configured to return to the second AP a RADIUS access confirmation message carrying the second PMK.

With reference to the second aspect or any of its first to fourth possible implementations, in a fifth possible implementation,

the second PMK is identical to a third PMK, where the third PMK is the PMK, generated from the first PMK, that the mobile terminal used when establishing its data connection with the first AP.

In a third aspect, an embodiment of the present invention provides a key transmission method applied in a network that deploys Community Wi-Fi but has no AC. The network includes a first AP and a second AP that are neighbours of each other, the first AP and the second AP are connected to the Internet through a WLAN GW, a mobile terminal has a data connection with the first AP, and the mobile terminal holds a first PMK that it computed together with RADIUS when establishing that data connection. The method includes:

the mobile terminal generates, from the first PMK, a second PMK corresponding to the second AP;

the mobile terminal generates a second PMK ID corresponding to the second AP from the second PMK and previously obtained address information of the second AP;

the mobile terminal sends reassociation information to the second AP, the reassociation information including the second PMK ID;

the mobile terminal obtains a confirmation message sent by the second AP, where the second AP generates the confirmation message after successfully comparing a first PMK ID with the second PMK ID, and where the second AP generated the first PMK ID from the second PMK sent by the WLAN GW;

the mobile terminal completes the AP switch and establishes a data connection with the second AP.

In a first possible implementation of the third aspect,

the second PMK is identical to a third PMK, where the third PMK is the PMK, generated from the first PMK, that the mobile terminal used when establishing its data connection with the first AP.

In a fourth aspect, an embodiment of the present invention provides a key transmission device applied in a network that deploys Community Wi-Fi but has no AC. The network includes a first AP and a second AP that are neighbours of each other, the first AP and the second AP are connected to the Internet through a WLAN GW, a mobile terminal has a data connection with the first AP, and the mobile terminal holds a first PMK that it computed together with RADIUS when establishing that data connection. The key transmission device includes:

a generating unit, configured to generate, from the first PMK, a second PMK corresponding to the second AP;

an obtaining unit, configured to generate a second PMK ID corresponding to the second AP from the second PMK and previously obtained address information of the second AP;

a sending unit, configured to send reassociation information to the second AP, the reassociation information including the second PMK ID;

the obtaining unit is further configured to obtain a confirmation message sent by the second AP, where the second AP generates the confirmation message after successfully comparing a first PMK ID with the second PMK ID, and where the second AP generated the first PMK ID from the second PMK sent by the WLAN GW;

an establishing unit, configured to complete the AP switch and establish a data connection with the second AP.

In a first possible implementation of the fourth aspect,

the second PMK is identical to a third PMK, where the third PMK is the PMK, generated from the first PMK, that the mobile terminal used when establishing its data connection with the first AP.

It can be seen from the above technical solution that when the mobile terminal establishes a data connection with the first AP, the WLAN GW can obtain from RADIUS the first PMK computed by the mobile terminal and RADIUS; the WLAN GW generates from the first PMK a second PMK corresponding to the second AP and sends the second PMK to the second AP. When the mobile terminal later needs to switch to the second AP, the second AP already holds the second PMK, so the mobile terminal does not have to compute a new PMK with RADIUS before the second AP is in a position to reassociate with it. The mobile terminal can therefore switch AP quickly, which improves the user experience.

Description of the drawings

To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.

FIG. 1 is a schematic diagram of a scenario, provided by an embodiment of the present invention, in which a mobile terminal switches network access point;

FIG. 2 is a flowchart of a key transmission method provided by an embodiment of the present invention;

FIG. 3 is a flowchart of a method for switching data access point provided by an embodiment of the present invention;

FIG. 4 is a signalling flowchart of a first scenario for sending the second PMK, provided by an embodiment of the present invention;

FIG. 5 is a signalling flowchart of a second scenario for sending the second PMK, provided by an embodiment of the present invention;

FIG. 6 is a structural diagram of a key transmission device provided by an embodiment of the present invention;

FIG. 7 is a structural diagram of a key transmission device provided by an embodiment of the present invention;

FIG. 8 is a structural diagram of a key transmission device provided by an embodiment of the present invention;

FIG. 9 is a structural diagram of a key transmission device provided by an embodiment of the present invention;

FIG. 10 is a schematic diagram of the hardware structure of a WLAN GW provided by an embodiment of the present invention;

FIG. 11 is a schematic diagram of the hardware structure of a mobile terminal provided by an embodiment of the present invention.

Detailed description

In a network that deploys Community Wi-Fi, if there is no AC device that centrally controls and coordinates the APs, there is no data transmission between the APs and each AP is relatively independent; an AP in such a network can be understood as a kind of fat AP. If a mobile terminal in such a network needs to switch its data connection from one AP to another, for example to move the data connection originally established with a first AP to a second AP and establish a data connection with the second AP, it has to compute the PMK corresponding to the second AP with RADIUS each time. Computing the PMK between the mobile terminal and RADIUS takes a long time, which directly makes the AP switch slow; this affects the mobile terminal's services, especially those that must maintain session continuity, and may even cause them to fail or be interrupted, degrading the user experience.

To this end, embodiments of the present invention provide a key transmission method and device. When the mobile terminal establishes a data connection with the first AP, the WLAN GW can obtain from RADIUS the first PMK computed by the mobile terminal and RADIUS; the WLAN GW generates from the first PMK a second PMK corresponding to the second AP and sends it to the second AP. When the mobile terminal later needs to switch to the second AP, the second AP already holds the second PMK, so the mobile terminal does not have to compute a new PMK with RADIUS before the second AP is in a position to reassociate with it; the mobile terminal can therefore switch AP quickly, which improves the user experience.

By extending and defining the network protocol and its flow so that the PMK is carried in RADIUS messages, the WLAN GW can, in response to the RADIUS access request message sent by the second AP, send the second AP a RADIUS message carrying the second PMK, so that the second AP obtains the second PMK. Using existing RADIUS messages to carry the PMK adds no extra processing burden to the system and requires few hardware changes, which widens the range of applicability of the technical solution of the present invention.

In embodiments of the present invention, the first AP may send its own neighbour list to the WLAN GW in a RADIUS message, so that the WLAN GW can obtain the address information of the second AP. When the WLAN GW obtains the first PMK, it distributes to the neighbour APs of the first AP a second PMK generated from the first PMK, so that the second AP can generate its own PMK ID from the second PMK and thereby complete the AP switch with the mobile terminal quickly.

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.

Before the present invention is described through embodiments, the specific scenario to which the embodiments apply is explained first. FIG. 1 is a schematic diagram of a scenario, provided by an embodiment of the present invention, in which a mobile terminal switches network access point. In it, a first AP 101 and a second AP 102 are neighbours of each other; a neighbour relationship can be understood as their respective Wi-Fi ranges being close to or overlapping each other. Both the first AP 101 and the second AP 102 are connected to a WLAN GW 103, and the WLAN GW 103 is connected to a RADIUS 104; "connected" here means having a data connection and is not limited to a physical connection. A mobile terminal 100 has a data connection with the first AP 101 and reaches the Internet through a soft Generic Routing Encapsulation (softGRE) tunnel established with the WLAN GW 103 via the first AP 101. While the mobile terminal 100 establishes that data connection, the mobile terminal 100 and the RADIUS 104 negotiate and compute a first PMK, and the mobile terminal uses a third PMK to establish the data connection with the first AP, where the third PMK is the PMK, generated from the first PMK, used when establishing that data connection. Because of a change in its position, Wi-Fi signal conditions or other reasons, the mobile terminal 100 needs to establish a data connection with the second AP 102, that is, it needs to switch AP.

FIG. 2 is a flowchart of a key transmission method provided by an embodiment of the present invention, applied in a network that deploys Community Wi-Fi but has no AC. The network includes a first AP and a second AP that are neighbours of each other, the first AP and the second AP are connected to the Internet through a WLAN GW, and a mobile terminal has a data connection with the first AP. The method includes:

S201: The WLAN GW obtains a first PMK from RADIUS, where the first PMK was computed by the mobile terminal together with RADIUS when establishing its data connection with the first AP.

For example, the first PMK can be understood as the base PMK computed by the mobile terminal and RADIUS, which may also be called PMK-R0; the WLAN GW and the mobile terminal can generate other PMKs, called PMK-R1, from the first PMK, such as the second PMK and third PMK mentioned below.

In embodiments of the present invention, the mobile terminal only needs to negotiate and compute a PMK with RADIUS when it connects to an AP for the first time. In other words, the first AP in the embodiments can be understood as the AP with which the mobile terminal first establishes a data connection in the network. The first PMK is obtained by negotiation between the mobile terminal and RADIUS. When the mobile terminal switches AP, it no longer renegotiates with RADIUS to compute the PMK needed for the second AP it is switching to; instead it generates the second PMK used to connect to the second AP from the already computed first PMK. Correspondingly, the second AP obtains from the WLAN GW the second PMK computed with the same algorithm. Embodiments of the present invention provide at least two preferred ways for the WLAN GW to send the second PMK to the second AP, which are described in detail below through specific application scenarios.

S202:所述WLAN GW根据所述第一PMK生成对应所述第二AP的第二PMK。S202: The WLAN GW generates a second PMK corresponding to the second AP according to the first PMK.

举例说明,通过遵从相关的标准,所述WLAN GW用于生成第二PMK的预置算法应该与所述移动终端所使用的预置算法相同。这样才能使得所述移动终端在进行切换AP时,所述移动终端用于生成所述第二PMK ID的计算后的第一PMK和所述第二AP从所述WLAN GW获取的计算后的第一PMK相同。其中,所述相关的标准可以是按照802.11r标准的算法。For example, by complying with relevant standards, the preset algorithm used by the WLAN GW to generate the second PMK should be the same as the preset algorithm used by the mobile terminal. In this way, when the mobile terminal switches APs, the calculated first PMK used by the mobile terminal to generate the second PMK ID and the calculated first PMK obtained by the second AP from the WLAN GW A PMK is the same. Wherein, the related standard may be an algorithm according to the 802.11r standard.

本发明实施例提供了至少两种生成第二PMK的方式,第一种方式是生成的第二PMK与第三PMK相同,所述第三PMK为所述移动终端与所述第一AP建立数据连接时所使用的且基于所述第一PMK生成的PMK。第二种方式是生成的第二PMK与所述第三PMK不同,第二PMK为专门对应第二AP的PMK,第三PMK为专门对应第一AP的PMK。或者,进一步的,为了方便处理,所述第二PMK和所述第三PMK还可以均与所述第一PMK相同。The embodiment of the present invention provides at least two ways to generate the second PMK. The first way is that the generated second PMK is the same as the third PMK, and the third PMK establishes data for the mobile terminal and the first AP. A PMK used during connection and generated based on the first PMK. The second way is that the generated second PMK is different from the third PMK, the second PMK is a PMK specially corresponding to the second AP, and the third PMK is a PMK specially corresponding to the first AP. Or, further, for the convenience of processing, both the second PMK and the third PMK may be the same as the first PMK.

第一种方式对系统的处理负担小,所述移动终端与系统中每一个AP建立数据连接所用的PMK相同。The first method has less processing burden on the system, and the PMK used by the mobile terminal to establish a data connection with each AP in the system is the same.

第二种方式的安全性更高,所述移动终端每次在切换AP时,用于生成PMK ID的PMK都不同,即使黑客通过手段获取了与所述第一AP建立数据连接所用的计算后的第一PMK,也无法推导出用于生成与其他AP建立数据连接的PMK ID的PMK。The security of the second way is higher, the PMK used to generate the PMK ID is different every time the mobile terminal switches APs, even if the hacker obtains the calculated data used to establish a data connection with the first AP by means The first PMK, and the PMK that is used to generate the PMK ID for establishing data connections with other APs cannot be derived.

S203:所述WLAN GW向所述第二AP发送所述第二PMK,使得所述第二AP根据所述第二PMK生成对应所述第二AP的第一PMK ID。S203: The WLAN GW sends the second PMK to the second AP, so that the second AP generates a first PMK ID corresponding to the second AP according to the second PMK.

举例说明,在本发明实施例中,所述第二AP生成的第一PMK ID和后续提到的第二PMK ID的内容可以是:HMAC-SHA1-128(PMK,"PMK Name"|MAC_AP|MAC_STA)。其中HMAC-SHA1-128为一种哈希算法的名字,MAC_AP为第二AP的地址信息(本例子中具体为MAC地址),MAC_STA(Station)为所述移动终端标识(本例子中具体为MAC地址)。For example, in this embodiment of the present invention, the content of the first PMK ID generated by the second AP and the second PMK ID mentioned later may be: HMAC-SHA1-128(PMK,"PMK Name"|MAC_AP| MAC_STA). Wherein HMAC-SHA1-128 is the name of a kind of hash algorithm, MAC_AP is the address information of the second AP (specifically MAC address in this example), and MAC_STA (Station) is the mobile terminal identification (specifically MAC address in this example) address).

可见,在移动终端与第一AP建立数据连接时,WLAN GW可以通过RADIUS获取所述移动终端和与所述RADIUS计算生成的第一PMK,所述WLAN GW将所述第一PMK生成对应第二AP的第二PMK,并向所述第二AP发送所述第二PMK,这样当所述移动终端需要切换AP到第二AP时,由于所述第二AP已经具有了所述第二PMK,不再需要所述移动终端重新与所述RADIUS计算新的PMK便具有与所述移动终端进行重关联的条件,由此使得所述移动终端可以快速切换AP,提高用户体验。It can be seen that when the mobile terminal establishes a data connection with the first AP, the WLAN GW can obtain the mobile terminal and the first PMK calculated and generated by the RADIUS through RADIUS, and the WLAN GW will generate the first PMK corresponding to the second PMK. The second PMK of the AP, and send the second PMK to the second AP, so that when the mobile terminal needs to switch the AP to the second AP, since the second AP already has the second PMK, It is no longer necessary for the mobile terminal to re-calculate a new PMK with the RADIUS to have the conditions for re-association with the mobile terminal, so that the mobile terminal can quickly switch APs and improve user experience.

Next, the AP switching operation is described from the perspective of the mobile terminal. FIG. 3 is a flowchart of a method for switching data access points provided by an embodiment of the present invention. The method applies to a network that deploys community Wi-Fi technology but has no AC. The network includes a first AP and a second AP that are neighbors of each other, the first AP and the second AP are connected to the Internet through a WLAN GW, the mobile terminal has a data connection with the first AP, and the mobile terminal holds a first PMK that it computed with the RADIUS server when establishing the data connection with the first AP. The method includes:

S301: The mobile terminal generates a second PMK corresponding to the second AP from the first PMK.

For example, the way the mobile terminal generates the second PMK from the first PMK is the same as the way the WLAN GW generates the second PMK from the first PMK in S202 of the embodiment corresponding to FIG. 2. In other words, the second PMK obtained in this step is identical to the second PMK obtained in S202 of the embodiment corresponding to FIG. 2.

When the mobile terminal establishes the data connection with the first AP, the third PMK is stored in both the mobile terminal and the first AP.

S302: The mobile terminal generates a second PMK ID corresponding to the second AP from the second PMK and the previously obtained address information of the second AP.

For example, the address information of the second AP can be understood as information used to identify the second AP's location, such as its Media Access Control (MAC) address. The mobile terminal can obtain the address information of the second AP by receiving the second AP's broadcasts when it is close to the second AP's Wi-Fi range.

S303: The mobile terminal sends reassociation information to the second AP; the reassociation information includes the second PMK ID.

S304: The mobile terminal receives a confirmation message sent by the second AP; the confirmation message is generated by the second AP after it has successfully compared the first PMK ID with the second PMK ID, and the first PMK ID is generated by the second AP from the second PMK sent by the WLAN GW.

S305: The mobile terminal completes the AP switch and establishes a data connection with the second AP.

For example, after computing the second PMK ID, the mobile terminal sends reassociation information carrying the second PMK ID to the second AP, intending to complete the AP switch and establish a data connection with the second AP on the basis of the information carried in that reassociation information.

Because the second AP has already obtained the second PMK, it can generate its own first PMK ID from its own address information and the obtained mobile terminal identifier. The mobile terminal identifier may be taken from the received reassociation information or from the RADIUS CoA message sent by the WLAN GW. The second AP then compares the first PMK ID it generated with the received second PMK ID, and if they match it can return a confirmation message to the mobile terminal. A match can be understood to mean that the mobile terminal is a legitimate terminal that generates PMK IDs with the same preset method as the second AP. Next, on receiving the confirmation message, the mobile terminal can establish the data connection with the second AP either through four-way handshake negotiation or directly, which completes the AP switch.

It can be seen that when switching to the second AP, the mobile terminal no longer needs to recompute a PMK with the RADIUS server; instead it can generate the second PMK with the same algorithm as the WLAN GW, generate a second PMK ID from the second PMK, and carry that PMK ID in the reassociation information sent to the second AP. Because the second AP already holds the second PMK sent by the WLAN GW, its comparison of the first PMK ID it generated with the received second PMK ID succeeds, so the mobile terminal can establish a data connection with the second AP and complete the switch. This achieves fast AP switching and improves the user experience.
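The following is an added worked example, not code from the patent or its assignee, that plays through steps S201-S203 on the WLAN GW and AP side and S301-S305 on the terminal side. The PMK ID is computed exactly as the text states, HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA). The text leaves the second-PMK derivation to the 802.11r standard, so the HMAC-SHA256 derivation in `derive_second_pmk` is an assumed stand-in for illustration, not the standard's FT key derivation; the class names (`WlanGw`, `AccessPoint`, `Station`), the `per_ap` switch between the two generation ways, and all key and MAC values are constructed for the example.

```python
import hashlib
import hmac


def pmk_id(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA), the formula quoted
    in the text: HMAC-SHA1 over the concatenation, truncated to 128 bits."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def derive_second_pmk(first_pmk: bytes, mac_ap: bytes, per_ap: bool) -> bytes:
    """Second PMK from the first PMK (S202 on the GW, S301 on the terminal).
    per_ap=False is the first way: second PMK == third PMK == first PMK.
    per_ap=True is the second way: a PMK bound to the target AP.  The text
    defers the derivation to 802.11r; the HMAC-SHA256 used here is an
    assumed stand-in for illustration, not the 802.11r FT key derivation."""
    if not per_ap:
        return first_pmk
    return hmac.new(first_pmk, b"PMK-R1" + mac_ap, hashlib.sha256).digest()


class WlanGw:
    """WLAN GW: keeps terminal identifier -> first PMK (the correspondence
    of S503) and derives the second PMK it pushes to each AP (S203)."""

    def __init__(self, per_ap: bool):
        self.per_ap = per_ap
        self.first_pmks = {}  # MAC_STA -> first PMK obtained from RADIUS (S201)

    def learn_first_pmk(self, mac_sta: bytes, first_pmk: bytes) -> None:
        self.first_pmks[mac_sta] = first_pmk

    def second_pmk_for(self, mac_sta: bytes, mac_ap: bytes):
        first_pmk = self.first_pmks.get(mac_sta)
        if first_pmk is None:
            return None  # unknown terminal: the S503 lookup fails, nothing is sent
        return derive_second_pmk(first_pmk, mac_ap, self.per_ap)


class AccessPoint:
    """Second AP: stores the pushed second PMK and checks the PMK ID that a
    reassociating terminal presents (S303/S304)."""

    def __init__(self, mac: bytes):
        self.mac = mac
        self.pmks = {}  # MAC_STA -> second PMK received from the WLAN GW

    def receive_pmk(self, mac_sta: bytes, pmk: bytes) -> None:
        self.pmks[mac_sta] = pmk

    def handle_reassociation(self, mac_sta: bytes, presented_id: bytes) -> bool:
        pmk = self.pmks.get(mac_sta)
        if pmk is None:
            return False  # no PMK from the GW yet: cannot confirm the terminal
        first_pmk_id = pmk_id(pmk, self.mac, mac_sta)  # the AP's own (first) PMK ID
        # constant-time comparison so the check leaks nothing about the ID
        return hmac.compare_digest(first_pmk_id, presented_id)


class Station:
    """Mobile terminal: derives the second PMK itself and sends its PMK ID
    in the reassociation message (S301-S303)."""

    def __init__(self, mac: bytes, first_pmk: bytes, per_ap: bool):
        self.mac, self.first_pmk, self.per_ap = mac, first_pmk, per_ap

    def reassociation_pmk_id(self, mac_ap: bytes) -> bytes:
        second_pmk = derive_second_pmk(self.first_pmk, mac_ap, self.per_ap)
        return pmk_id(second_pmk, mac_ap, self.mac)  # the second PMK ID


def simulate(per_ap: bool) -> dict:
    """Run one switch from AP1 to AP2 and report what the AP-side check did.
    All key and address values below are constructed for the example."""
    first_pmk = hashlib.sha256(b"constructed first PMK from RADIUS").digest()
    mac_sta = bytes.fromhex("020000000001")
    ap1 = AccessPoint(bytes.fromhex("02aa00000001"))
    ap2 = AccessPoint(bytes.fromhex("02aa00000002"))

    gw = WlanGw(per_ap)
    gw.learn_first_pmk(mac_sta, first_pmk)  # S201
    for ap in (ap1, ap2):  # S202-S203 for both neighbour APs
        ap.receive_pmk(mac_sta, gw.second_pmk_for(mac_sta, ap.mac))

    sta = Station(mac_sta, first_pmk, per_ap)
    other = Station(mac_sta, hashlib.sha256(b"some other PMK").digest(), per_ap)
    return {
        # the legitimate terminal's second PMK ID matches the AP's first PMK ID
        "legit_accepted": ap2.handle_reassociation(mac_sta, sta.reassociation_pmk_id(ap2.mac)),
        # a terminal that does not hold the first PMK cannot produce a matching ID
        "wrong_pmk_rejected": not ap2.handle_reassociation(mac_sta, other.reassociation_pmk_id(ap2.mac)),
        # the PMK ID computed for AP1 is useless at AP2 because MAC_AP is part of it
        "ap1_id_rejected_at_ap2": not ap2.handle_reassociation(mac_sta, sta.reassociation_pmk_id(ap1.mac)),
        # only the second way gives AP1 and AP2 different PMKs
        "ap_pmks_differ": ap1.pmks[mac_sta] != ap2.pmks[mac_sta],
    }


if __name__ == "__main__":
    print("first way :", simulate(per_ap=False))
    print("second way:", simulate(per_ap=True))
```

Running `simulate` for both ways shows the property the text claims for the second way: with `per_ap=True` the two APs hold different PMKs, so a PMK captured at one AP does not equal the PMK in use at the other, while in both ways the PMK ID is bound to the AP's MAC and is rejected when presented to a different AP.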

Next, specific scenarios are used to describe how the WLAN GW sends the second PMK to the second AP, or equivalently how the second AP obtains the second PMK from the WLAN GW. This embodiment provides at least two ways of sending the second PMK to the second AP.

In the first way, the WLAN GW sends the second PMK to the second AP according to the neighbor list of the first AP that it has obtained.

FIG. 4 is a signaling flowchart of a first scenario for sending the second PMK provided by an embodiment of the present invention.

S401: The WLAN GW obtains the first PMK.

S402: The WLAN GW obtains a RADIUS message sent by the first AP that contains the neighbor list of the first AP; the neighbor list of the first AP includes the address information of the second AP.

For example, the RADIUS message containing the neighbor list of the first AP may be a RADIUS message exchanged between the first AP and the WLAN GW, such as a RADIUS Accounting-Start message. A corresponding Type-Length-Value (TLV) for the neighbor list of the first AP needs to be defined in the RADIUS message: a new Type value, for example 105, can be requested from the Internet Assigned Numbers Authority (IANA), and the Value includes the address information of the neighbor APs, such as their MAC addresses.

It should also be noted that the neighbor list of the first AP maintained on the WLAN GW can, on the one hand, be based on the list information provided by the first AP as described above, and on the other hand can also be configured manually by an administrator or obtained from the AAA server during authentication. A combination of these methods may also be used; the present invention does not limit this.

The present invention does not limit the order in which steps S401 and S402 are performed.

S403: The WLAN GW generates a second PMK corresponding to the second AP from the first PMK and the address information of the second AP.

S404: The WLAN GW sends a first RADIUS Change of Authorization (CoA) message containing the second PMK to the second AP, addressed according to the address information of the second AP.

S405: The WLAN GW obtains a second RADIUS CoA message sent by the second AP; the second RADIUS CoA message carries confirmation that the second AP has obtained the second PMK.

For example, under the existing network protocols a RADIUS CoA message cannot carry PMK or PMK-type information. This embodiment may therefore carry PMK information in the RADIUS CoA message by requesting a new attribute from the Internet Engineering Task Force (IETF). For example, the RADIUS CoA message with message code 43 can be used.

The second RADIUS CoA message carries the acknowledgement that the second AP generates after obtaining the second PMK. When the WLAN GW receives the second RADIUS CoA message, it can confirm that the second AP has successfully received the RADIUS CoA message, that is, has obtained the second PMK. Otherwise, the WLAN GW sends the RADIUS CoA message to the second AP again to make sure that the second AP receives the second PMK.

S406: The WLAN GW obtains a second RADIUS message sent by the second AP that contains the neighbor list of the second AP.

For example, the WLAN GW may also obtain the neighbor list of the second AP sent by the second AP when the second AP establishes a data connection with the mobile terminal. The WLAN GW can then send the derived PMK to the neighbor APs of the second AP according to that neighbor list, so as to serve the mobile terminal's next AP switch away from the second AP.

It can be seen that by obtaining the neighbor list of the first AP, the WLAN GW can send the second PMK in advance to the first AP's neighbor, the second AP, so that the second AP holds the second PMK before the mobile terminal switches to it.
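As an added example, not code from the patent or its assignee, the following encodes and parses the neighbor-list TLV described above inside the attribute section of a constructed RADIUS Accounting-Start. The attribute layout (one-octet Type, one-octet Length covering the whole attribute, then Value) and the Acct-Status-Type and Calling-Station-Id attributes are standard RADIUS; the Type value 105 is the page's example value and is used here as a placeholder, not as an IANA-registered type. The neighbor MAC addresses and the terminal identifier are constructed sample values, and the function names are this example's own.

```python
import struct

# Attribute type for the neighbour-list TLV.  105 is the example value the
# text gives; treat it as a placeholder pending IANA assignment.
NEIGHBOR_LIST_TYPE = 105
ACCT_STATUS_TYPE = 40        # Acct-Status-Type (RFC 2866)
ACCT_STATUS_START = 1        # value "Start"
CALLING_STATION_ID = 31      # Calling-Station-Id (RFC 2865)
MAC_LEN = 6
MAX_ATTR_LEN = 255           # the Length octet covers Type + Length + Value


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 octet), Length (1 octet), Value."""
    length = 2 + len(value)
    if length > MAX_ATTR_LEN:
        raise ValueError("attribute value too long; split it over several attributes")
    return struct.pack("!BB", attr_type, length) + value


def encode_neighbor_list(macs) -> bytes:
    """Neighbour-list TLV whose Value is the concatenated MAC addresses of
    the neighbour APs, the form the text describes."""
    for mac in macs:
        if len(mac) != MAC_LEN:
            raise ValueError("neighbour entry is not a 6-octet MAC address")
    return encode_attr(NEIGHBOR_LIST_TYPE, b"".join(macs))


def build_accounting_start_attrs(mac_sta: str, neighbor_macs) -> bytes:
    """Attribute section of a constructed Accounting-Start as the first AP
    would send it to the WLAN GW (RADIUS header and authenticator omitted)."""
    return (encode_attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
            + encode_attr(CALLING_STATION_ID, mac_sta.encode())
            + encode_neighbor_list(neighbor_macs))


def parse_attrs(data: bytes):
    """Walk the attribute section with length checks, so a truncated or
    malformed TLV raises instead of being read past its end."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def neighbor_macs_from(attrs):
    """Extract the neighbour MACs that the WLAN GW stores as the first AP's
    neighbour list (the input to S403/S404)."""
    macs = []
    for attr_type, value in attrs:
        if attr_type != NEIGHBOR_LIST_TYPE:
            continue
        if len(value) % MAC_LEN:
            raise ValueError("neighbour list value is not a whole number of MACs")
        macs.extend(value[i:i + MAC_LEN] for i in range(0, len(value), MAC_LEN))
    return macs


if __name__ == "__main__":
    # constructed sample: terminal 02-00-00-00-00-01 on an AP with two neighbours
    neighbours = [bytes.fromhex("02aa00000002"), bytes.fromhex("02aa00000003")]
    blob = build_accounting_start_attrs("02-00-00-00-00-01", neighbours)
    for t, v in parse_attrs(blob):
        print(t, v.hex())
    print([m.hex(":") for m in neighbor_macs_from(parse_attrs(blob))])
```

The one-octet Length limits a single attribute to 42 MAC addresses; a gateway that ingests this TLV should reject odd-sized values and truncated attributes, as `parse_attrs` and `neighbor_macs_from` do, rather than silently accepting partial neighbour lists.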

In the second way, the WLAN GW returns the second PMK to the second AP in response to a RADIUS access request message sent by the second AP.

FIG. 5 is a signaling flowchart of a second scenario for sending the second PMK provided by an embodiment of the present invention.

S501: The WLAN GW obtains the first PMK.

S502: The WLAN GW receives a RADIUS access request message sent by the second AP; the RADIUS access request message is generated by the second AP after it receives the reassociation message sent by the mobile terminal, and it includes the mobile terminal identifier.

Because in S303 of the embodiment corresponding to FIG. 3 the mobile terminal also carries its identifier when it sends the reassociation message to the second AP, the RADIUS access request message (RADIUS Access-Request) that the second AP sends to the WLAN GW can likewise carry the mobile terminal identifier.

S503: The WLAN GW looks up the first PMK using the mobile terminal identifier and the previously obtained correspondence between the mobile terminal identifier and the first PMK.

When the WLAN GW finds the first PMK, it can confirm that the second AP is an AP with which the mobile terminal is going to establish a data connection.

The correspondence may be obtained by the WLAN GW while the mobile terminal establishes its data connection with the first AP.

S504: The WLAN GW generates the second PMK from the first PMK.

S505: The WLAN GW returns a RADIUS access confirmation message containing the second PMK to the second AP.

For example, the RADIUS access confirmation message is specifically a RADIUS Access-Accept message.

It can be seen that the WLAN GW can look up the first PMK using the mobile terminal identifier carried in the RADIUS access request message sent by the second AP, generate the second PMK from the first PMK, and return the second PMK to the second AP. This further reduces the processing burden on the system and improves efficiency.

FIG. 6 is a structural diagram of a key transmission apparatus provided by an embodiment of the present invention. The apparatus applies to a network that deploys community Wi-Fi technology but has no AC. The network includes a first AP and a second AP that are neighbors of each other, the first AP and the second AP are connected to the Internet through a WLAN GW, and a mobile terminal has a data connection with the first AP. The key transmission apparatus 600 includes:

A first obtaining unit 601, configured to obtain a first PMK from the RADIUS server; the first PMK was computed by the mobile terminal together with the RADIUS server when the mobile terminal established the data connection with the first AP.

For example, the first PMK can be understood as the base PMK computed by the mobile terminal and the RADIUS server, also called PMK-R0. The WLAN GW and the mobile terminal can derive other PMKs, also called PMK-R1, from the first PMK, for example the second PMK and the third PMK mentioned below.

In this embodiment, the mobile terminal needs to negotiate a PMK with the RADIUS server only the first time it connects to an AP. In other words, the first AP in this embodiment can be understood as the AP with which the mobile terminal first establishes a data connection in the network. The first PMK is obtained by negotiation between the mobile terminal and the RADIUS server. When switching APs, the mobile terminal no longer renegotiates with the RADIUS server to compute the PMK needed for the second AP it is switching to; instead it uses the already computed first PMK to generate the second PMK used for connecting to the second AP. Correspondingly, the second AP obtains from the WLAN GW the second PMK computed with the same algorithm. This embodiment provides at least two preferred ways for the sending unit 603 to send the second PMK to the second AP; they are described in detail below with specific application scenarios.

A generating unit 602, configured to generate a second PMK corresponding to the second AP from the first PMK.

For example, by following the relevant standard, the preset algorithm that the generating unit 602 uses to generate the second PMK should be the same as the preset algorithm used by the mobile terminal. Only then, when the mobile terminal switches APs, is the derived PMK that the mobile terminal uses to generate the second PMK ID identical to the derived PMK that the second AP obtains from the WLAN GW. The relevant standard may be the algorithm of the 802.11r standard.

This embodiment provides at least two ways of generating the second PMK. In the first way, the generated second PMK is the same as the third PMK, where the third PMK is the PMK used when the mobile terminal establishes the data connection with the first AP and is generated from the first PMK. In the second way, the generated second PMK differs from the third PMK: the second PMK is specific to the second AP and the third PMK is specific to the first AP. Further, for ease of processing, the second PMK and the third PMK may both be the same as the first PMK.

The first way places a smaller processing burden on the system; the mobile terminal uses the same PMK to establish a data connection with every AP in the system.

The second way offers higher security: the PMK used to generate the PMK ID differs every time the mobile terminal switches APs, so even if an attacker somehow obtains the derived PMK used for the data connection with the first AP, the PMKs used to generate the PMK IDs for data connections with other APs cannot be derived from it.

A sending unit 603, configured to send the second PMK to the second AP, so that the second AP generates a first PMK ID corresponding to the second AP from the second PMK.

For example, in this embodiment the first PMK ID generated by the second AP and the second PMK ID mentioned below may be computed as HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA), where HMAC-SHA1-128 is the name of a hash algorithm, MAC_AP is the address information of the second AP (in this example its MAC address) and MAC_STA is the mobile terminal identifier (in this example its MAC address).

It can be seen that when the mobile terminal establishes a data connection with the first AP, the WLAN GW can obtain from the RADIUS server the first PMK computed by the mobile terminal and the RADIUS server, generate from it a second PMK corresponding to the second AP, and send the second PMK to the second AP. When the mobile terminal later needs to switch to the second AP, the second AP already holds the second PMK and thus satisfies the conditions for reassociation with the mobile terminal without the mobile terminal computing a new PMK with the RADIUS server. The mobile terminal can therefore switch APs quickly, which improves the user experience.

接下来将从所述移动终端的角度说明所述移动终端如何进行切换AP的操作,图7为本发明实施例提供的一种密钥传输装置的装置结构图,应用于部署了社区无线保真技术但不具有AC的网络中,所述网络中包括互为邻居关系的第一AP和第二AP,所述第一AP和第二AP通过WLAN GW与互联网相连,移动终端与所述第一AP具有数据连接,所述移动终端具有第一PMK,所述第一PMK为所述移动终端在与所述第一AP建立数据连接时,与RADIUS计算生成的,所述密钥传输装置700包括:Next, from the perspective of the mobile terminal, how the mobile terminal performs the operation of switching APs will be described. FIG. In a network without AC technology, the network includes a first AP and a second AP that are neighbors to each other, the first AP and the second AP are connected to the Internet through the WLAN GW, and the mobile terminal and the first AP The AP has a data connection, the mobile terminal has a first PMK, and the first PMK is calculated and generated by the mobile terminal and RADIUS when establishing a data connection with the first AP, and the key transmission device 700 includes :

生成单元701,用于根据所述第一PMK生成对应所述第二AP的第二PMK。A generating unit 701, configured to generate a second PMK corresponding to the second AP according to the first PMK.

举例说明,所述生成单元701根据所述第一PMK生成所述第二PMK的生成方式与图6所对应实施例中所述生成单元602基于所述第一PMK生成所述的第二PMK的方式相同。或者说所述生成单元701得到的所述第二PMK与图6所对应实施例中所述生成单元602得到的所述第二PMK相同。For example, the generating unit 701 generates the second PMK based on the first PMK in the same way as the generating unit 602 generates the second PMK based on the first PMK in the embodiment corresponding to FIG. 6 the same way. In other words, the second PMK obtained by the generating unit 701 is the same as the second PMK obtained by the generating unit 602 in the embodiment corresponding to FIG. 6 .

在所述移动终端与所述第一AP建立数据连接时,所述第三PMK将分别存储在所述移动终端以及所述第一AP中。When the mobile terminal establishes a data connection with the first AP, the third PMK will be stored in the mobile terminal and the first AP respectively.

获取单元702,用于根据所述第二PMK以及预先获得的所述第二AP的地址信息生成对应所述第二AP的第二PMK ID。The obtaining unit 702 is configured to generate a second PMK ID corresponding to the second AP according to the second PMK and the pre-acquired address information of the second AP.

举例说明,所述第二AP的地址信息可以理解为包括所述第二AP的MAC地址等用于标识所述第二AP位置的信息。所述获取单元702可以在距所述第二AP的Wi-Fi范围较近时通过接收所述第二AP广播获取所述第二AP的地址信息。For example, the address information of the second AP may be understood as including information such as a MAC address of the second AP for identifying the location of the second AP. The obtaining unit 702 may obtain the address information of the second AP by receiving the second AP broadcast when the Wi-Fi range of the second AP is relatively close.

发送单元703,用于向所述第二AP发送重关联信息,所述重关联信息中包括所述第二PMK ID。The sending unit 703 is configured to send reassociation information to the second AP, where the reassociation information includes the second PMK ID.

The acquiring unit 702 is further configured to acquire a confirmation message sent by the second AP. The confirmation message is generated by the second AP after it successfully compares a first PMK ID with the second PMK ID, where the first PMK ID is generated by the second AP based on the second PMK sent by the WLAN GW.

The establishing unit 704 is configured to complete the AP switch and establish a data connection with the second AP.

For example, after the sending unit 703 has calculated the second PMK ID, it sends reassociation information carrying the second PMK ID to the second AP, intending to use the information carried in that reassociation information to complete the AP switch and establish a data connection with the second AP.

Since the second AP has already obtained the second PMK, it can generate the first PMK ID corresponding to itself from its own address information and the obtained mobile terminal identifier. The mobile terminal identifier may be obtained from the received reassociation information, or from the RADIUS CoA message sent by the WLAN GW. The second AP then compares the generated first PMK ID with the received second PMK ID; when the two are identical, it can return a confirmation message to the mobile terminal. A match can be understood to mean that the mobile terminal is a legitimate terminal that generates PMK IDs in the same preset manner as the second AP. Next, when the acquiring unit 702 obtains the confirmation message, the establishing unit 704 may establish a data connection with the second AP either through a four-way handshake negotiation or directly, thereby completing the AP switch.

It can be seen that when the mobile terminal switches to the second AP, it no longer needs to recompute a PMK with RADIUS. Instead it can generate the second PMK using the same algorithm as the WLAN GW, and carry the second PMK ID generated from the second PMK in the reassociation information sent to the second AP. Since the second AP already holds the second PMK sent by the WLAN GW, its comparison of the PMK ID it generates itself with the received second PMK ID will succeed, so the mobile terminal can establish a data connection with the second AP and complete the AP switch. This achieves fast AP switching and improves the user experience.
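The comparison flow just described, as an added example that is not part of the patent: the WLAN GW pre-provisions AP2 with the second PMK, the terminal derives the same second PMK locally and sends the second PMK ID, and AP2 confirms only when its own first PMK ID matches. The derivation of the second PMK (HMAC-SHA256 keyed with the first PMK over the AP MAC) is an assumption, since the patent does not fix the algorithm; the PMK ID uses the IEEE 802.11i PMKID formula, which the standard the patent cites defines but the text itself does not name, and all MACs and keys are constructed sample values.

```python
import hashlib
import hmac


def derive_second_pmk(first_pmk: bytes, ap_mac: bytes) -> bytes:
    """Derive the AP-specific second PMK from the first PMK and the target AP's MAC.
    ASSUMPTION: the patent does not name the algorithm; HMAC-SHA256 keyed with the
    first PMK is used here. GW and terminal must run exactly the same function."""
    return hmac.new(first_pmk, b"second-pmk|" + ap_mac, hashlib.sha256).digest()


def pmk_id(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """IEEE 802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), with AA the
    AP (authenticator) address and SPA the terminal (supplicant) address."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class AccessPoint:
    """Second AP: holds the second PMKs pushed by the WLAN GW, keyed by terminal MAC."""

    def __init__(self, mac: bytes):
        self.mac = mac
        self.pmk_by_terminal = {}

    def install_second_pmk(self, terminal_mac: bytes, pmk: bytes) -> None:
        self.pmk_by_terminal[terminal_mac] = pmk

    def handle_reassociation(self, terminal_mac: bytes, second_pmk_id: bytes) -> bool:
        """Generate the first PMK ID from the locally held PMK and compare it with the
        PMK ID in the reassociation message. No PMK for this terminal: refuse."""
        pmk = self.pmk_by_terminal.get(terminal_mac)
        if pmk is None:
            return False
        first_pmk_id = pmk_id(pmk, self.mac, terminal_mac)
        return hmac.compare_digest(first_pmk_id, second_pmk_id)


class WlanGw:
    """WLAN GW: knows each terminal's first PMK (obtained from RADIUS at first attach)."""

    def __init__(self):
        self.first_pmk_by_terminal = {}

    def push_second_pmk(self, terminal_mac: bytes, ap: AccessPoint) -> None:
        # First manner: AP2 was learned from AP1's neighbor list, so provision it now.
        pmk2 = derive_second_pmk(self.first_pmk_by_terminal[terminal_mac], ap.mac)
        ap.install_second_pmk(terminal_mac, pmk2)


class MobileTerminal:
    def __init__(self, mac: bytes, first_pmk: bytes):
        self.mac, self.first_pmk = mac, first_pmk

    def reassociate(self, ap: AccessPoint) -> bool:
        """Derive the second PMK locally and send the second PMK ID in the reassociation
        message; True models receiving the AP's confirmation message."""
        pmk2 = derive_second_pmk(self.first_pmk, ap.mac)
        return ap.handle_reassociation(self.mac, pmk_id(pmk2, ap.mac, self.mac))


def fast_switch_demo() -> tuple:
    """Constructed scenario. Returns (legitimate terminal accepted by pre-provisioned
    AP2, same terminal refused by an AP the GW never provisioned, a terminal that
    holds a different first PMK refused by AP2)."""
    first_pmk = hashlib.sha256(b"constructed first PMK from RADIUS").digest()
    ap2 = AccessPoint(bytes.fromhex("0a1b2c3d4e5f"))
    ap3 = AccessPoint(bytes.fromhex("0a1b2c3d4e60"))
    terminal = MobileTerminal(bytes.fromhex("c0ffee000001"), first_pmk)
    other = MobileTerminal(terminal.mac, hashlib.sha256(b"different PMK").digest())
    gw = WlanGw()
    gw.first_pmk_by_terminal[terminal.mac] = first_pmk
    gw.push_second_pmk(terminal.mac, ap2)
    return (terminal.reassociate(ap2), terminal.reassociate(ap3), other.reassociate(ap2))
```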

On the basis of the embodiment corresponding to FIG. 6, how the sending unit 603 sends the second PMK to the second AP is described below.

In the first manner, the sending unit 603 sends the second PMK to the second AP according to the acquired neighbor list of the first AP.

FIG. 8 is a structural diagram of a key transmission apparatus provided by an embodiment of the present invention. The key transmission apparatus 600 further includes:

A second acquiring unit 801, configured to acquire, before the generating unit 602 is triggered, a RADIUS message sent by the first AP that contains the neighbor list of the first AP, where the neighbor list of the first AP includes the address information of the second AP.

For example, the RADIUS message containing the neighbor list (Neighbor List) of the first AP may be a RADIUS message exchanged between the first AP and the WLAN GW, such as a RADIUS Accounting-Start message. In the RADIUS message, a corresponding Type-Length-Value (TLV) needs to be defined for the neighbor list of the first AP: a new Type value, for example 105, can be requested from IANA, and the Value contains the address information of the neighbor APs, such as their MAC addresses.

The generating unit 602 is specifically configured to generate the second PMK corresponding to the second AP according to the first PMK and the address information of the second AP.

The sending unit 603 is specifically configured to send, according to the address information of the second AP, a first RADIUS Change of Authorization (CoA) message carrying the second PMK to the second AP.

After the sending unit 603 is triggered, the apparatus further includes:

A third acquiring unit 802, configured to acquire a second RADIUS CoA message sent by the second AP, where the second RADIUS CoA message carries confirmation information that the second AP has obtained the second PMK.

For example, under existing network protocols a RADIUS CoA message cannot carry a PMK or PMK-type information. For this purpose, the embodiment of the present invention may apply to the Internet Engineering Task Force (IETF) for a new attribute so that PMK information can be carried in a RADIUS CoA message. For example, the RADIUS CoA message with message code 43 may be used.

The second RADIUS CoA message is used to carry the acknowledgement (Acknowledgement) generated by the second AP after it has obtained the second PMK. When the third acquiring unit 802 obtains the second RADIUS CoA message, it can be confirmed that the second AP has successfully received the RADIUS CoA message, that is, has obtained the second PMK. Otherwise, the sending unit 603 will send the second RADIUS CoA message to the second AP again to ensure that the second AP receives the second PMK.
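The neighbor-list TLV and the CoA-Request carrying the PMK, as an added example that is not part of the patent: attribute type 105 is the value the text proposes requesting from IANA, the PMK attribute type 192 is a placeholder from the RFC 3575 experimental range standing in for the new IETF attribute the text says is required, and the MAC addresses, PMK and shared secret used in the test are constructed sample values. The Request Authenticator is computed the way RFC 5176 specifies, which is the check the second AP should perform before installing a PMK delivered by CoA.

```python
import hashlib
import hmac
import struct

CODE_COA_REQUEST = 43      # RADIUS CoA-Request code (RFC 5176)
ATTR_NEIGHBOR_LIST = 105   # Type value the text suggests requesting from IANA; hypothetical
ATTR_SECOND_PMK = 192      # placeholder from the RFC 3575 experimental range; not a real attribute
MAC_LEN = 6


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 octet), Length (1 octet, counting the two header
    octets), Value. The one-octet Length caps a single attribute's value at 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_neighbor_list(neighbor_macs) -> bytes:
    """Neighbor List attribute: Value is the concatenated 6-octet MAC addresses of the
    neighbor APs, as the text describes for the Accounting-Start message."""
    if any(len(m) != MAC_LEN for m in neighbor_macs):
        raise ValueError("each neighbor entry must be a 6-octet MAC address")
    return encode_attr(ATTR_NEIGHBOR_LIST, b"".join(neighbor_macs))


def decode_attrs(data: bytes):
    """Walk the attribute area, rejecting a Length that is too short or overruns the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def parse_neighbor_macs(value: bytes):
    """Split a Neighbor List value back into colon-separated MAC strings."""
    if len(value) % MAC_LEN:
        raise ValueError("neighbor list is not a whole number of MAC addresses")
    return [value[i:i + MAC_LEN].hex(":") for i in range(0, len(value), MAC_LEN)]


def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA-Request: Code 43, Identifier, Length, Request Authenticator, attributes.
    RFC 5176: Request Authenticator = MD5(Code+ID+Length + 16 zero octets + attrs + secret)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """What the receiving AP should do before installing any PMK from a CoA-Request:
    check the Length field and recompute the Request Authenticator with the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_COA_REQUEST or length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

A RADIUS attribute value is not encrypted by the protocol itself, so a PMK carried this way is readable on the path unless the GW-to-AP RADIUS traffic is protected, for example with RADIUS over TLS (RFC 6614).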

It can be seen that, by obtaining the neighbor list of the first AP, the WLAN GW can send the second PMK in advance to the second AP, a neighbor of the first AP, so that the second AP obtains the second PMK before the mobile terminal switches AP.

In the second manner, the sending unit 603 returns the second PMK to the second AP according to a RADIUS access request message sent by the second AP.

FIG. 9 is a structural diagram of a key transmission apparatus provided by an embodiment of the present invention. The key transmission apparatus 600 further includes:

A fourth acquiring unit 901, configured to receive, before the generating unit 602 is triggered, a RADIUS access request message sent by the second AP. The RADIUS access request message is generated after the second AP receives the reassociation message carrying the second PMK ID that the mobile terminal sends when switching AP, and the RADIUS access request message includes the mobile terminal identifier.

For example, the RADIUS access request message is specifically a RADIUS Access-Request message.

A lookup unit 902, configured to find the first PMK according to the mobile terminal identifier and the pre-acquired correspondence between the mobile terminal identifier and the first PMK.

The sending unit 603 is specifically configured to return a RADIUS access acceptance message carrying the second PMK to the second AP.

For example, the RADIUS access acceptance message is specifically a RADIUS Access-Accept message.

It can be seen that the WLAN GW can look up the first PMK according to the mobile terminal identifier carried in the RADIUS access request message sent by the second AP, generate the second PMK from the first PMK, and return the second PMK to the second AP. This further reduces the processing burden on the system and improves efficiency.

Referring to FIG. 10, FIG. 10 is a schematic diagram of the hardware structure of a WLAN GW provided by an embodiment of the present invention. The WLAN GW 1000 is located in a network in which community Wi-Fi technology is deployed but which has no AC. The network includes a first AP and a second AP that are neighbors of each other; the first AP and the second AP are connected to the Internet through the WLAN GW 1000, and the mobile terminal has a data connection with the first AP. The WLAN GW 1000 includes a memory 1001, a receiver 1002 and a transmitter 1003, and a processor 1004 connected to the memory 1001, the receiver 1002 and the transmitter 1003 respectively. The memory 1001 is configured to store a set of program instructions, and the processor 1004 is configured to call the program instructions stored in the memory 1001 to perform the following operations:

triggering the receiver 1002 to acquire a first PMK from RADIUS, where the first PMK is computed and generated by the mobile terminal together with RADIUS when the mobile terminal establishes a data connection with the first AP;

generating a second PMK corresponding to the second AP according to the first PMK;

triggering the transmitter 1003 to send the second PMK to the second AP, so that the second AP generates a first PMK ID corresponding to the second AP according to the second PMK.

Optionally, the processor 1004 may be a central processing unit (CPU), the memory 1001 may be an internal memory of the random access memory (RAM) type, and the receiver 1002 and the transmitter 1003 may include ordinary physical interfaces, which may be Ethernet interfaces or Asynchronous Transfer Mode (ATM) interfaces. The processor 1004, the transmitter 1003, the receiver 1002 and the memory 1001 may be integrated into one or more independent circuits or hardware components, such as an application-specific integrated circuit (ASIC).

Referring to FIG. 11, FIG. 11 is a schematic diagram of the hardware structure of a mobile terminal provided by an embodiment of the present invention. The mobile terminal 1100 is located in a network in which community Wi-Fi technology is deployed but which has no AC. The network includes a first AP and a second AP that are neighbors of each other; the first AP and the second AP are connected to the Internet through the WLAN GW, and the mobile terminal 1100 has a data connection with the first AP. The mobile terminal 1100 holds a first PMK, which was computed and generated by the mobile terminal 1100 together with RADIUS when it established the data connection with the first AP. The mobile terminal 1100 includes a memory 1101, a receiver 1102 and a transmitter 1103, and a processor 1104 connected to the memory 1101, the receiver 1102 and the transmitter 1103 respectively. The memory 1101 is configured to store a set of program instructions, and the processor 1104 is configured to call the program instructions stored in the memory 1101 to perform the following operations:

generating a second PMK corresponding to the second AP according to the first PMK;

generating a second PMK ID corresponding to the second AP according to the second PMK and the pre-acquired address information of the second AP;

triggering the transmitter 1103 to send reassociation information to the second AP, where the reassociation information includes the second PMK ID;

triggering the receiver 1102 to acquire a confirmation message sent by the second AP, where the confirmation message is generated by the second AP after it successfully compares a first PMK ID with the second PMK ID, and the first PMK ID is generated by the second AP based on the second PMK sent by the WLAN GW;

completing the AP switch and establishing a data connection with the second AP.

Optionally, the processor 1103 may be a CPU, the memory 1101 may be an internal memory of the RAM type, and the receiver 1102 may include an ordinary physical interface, which may be an Ethernet interface or an ATM interface. The processor 1103, the receiver 1102 and the memory 1101 may be integrated into one or more independent circuits or hardware components, such as an ASIC.

The word "first" in "first AP", "first PMK" and "first RADIUS CoA message" in the embodiments of the present invention is used only as a name label and does not denote being first in order. The same rule applies to "second".

Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be carried out by hardware driven by program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium may be at least one of the following media capable of storing program code: read-only memory (ROM), RAM, a magnetic disk, or an optical disk.

It should be noted that the embodiments in this specification are described in a progressive manner; for the same or similar parts between embodiments, reference may be made to one another, and each embodiment focuses on its differences from the others. In particular, the apparatus and system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for relevant details, refer to the description of the method embodiments. The apparatus and system embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.

The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. It should be noted that those of ordinary skill in the art may make a number of improvements and refinements without departing from the principles of the present invention, and such improvements and refinements shall also be regarded as within the scope of protection of the present invention.

Claims (10)

CN201510189090.8A | Priority date 2015-04-20 | Filing date 2015-04-20 | A kind of cipher key transmission methods and device | Active | CN106162633B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201510189090.8A | 2015-04-20 | 2015-04-20 | A kind of cipher key transmission methods and device

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201510189090.8A | 2015-04-20 | 2015-04-20 | A kind of cipher key transmission methods and device

Publications (2)

Publication Number | Publication Date
CN106162633A (en) | 2016-11-23
CN106162633B (en) | 2019-11-29

Family

ID=58057743

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201510189090.8A | A kind of cipher key transmission methods and device | 2015-04-20 | 2015-04-20 | Active

Country Status (1)

Country | Link
CN (1) | CN106162633B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN108012269B (en)* | 2017-12-08 | 2021-03-02 | 新华三技术有限公司 | Wireless access method, device and equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1592475A (en)* | 2003-01-14 | 2005-03-09 | 三星电子株式会社 | Method of Fast Roaming in Wireless Network
CN101155092A (en)* | 2006-09-29 | 2008-04-02 | 西安电子科技大学 | A wireless local area network access method, device and system
CN101335621A (en)* | 2007-06-26 | 2008-12-31 | 中国科学院声学研究所 | A 802.11i Key Management Method
CN102333309A (en)* | 2011-10-27 | 2012-01-25 | 华为技术有限公司 | Method, device and system for key transfer in wireless local area network
CN103391543A (en)* | 2012-05-07 | 2013-11-13 | 中兴通讯股份有限公司 | Method and device for achieving roaming switch

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US9246679B2 (en)* | 2007-12-28 | 2016-01-26 | Intel Corporation | Apparatus and method for negotiating pairwise master key for securing peer links in wireless mesh networks


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
IEEE-SA Standards Board. IEEE Std 802.11i-2004. IEEE Computer Society, 2004, pp. 31-32 (section 7.2.2.25.4) and pp. 64-65 (section 8.4.1.2.1).*

Also Published As

Publication number | Publication date
CN106162633A (en) | 2016-11-23


Legal Events

Date | Code | Title | Description
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |