公开(公告)号：US20110004767A1

公开(公告)日：2011-01-06

申请号：US12920931

申请日：2009-03-04

申请人： Manxia Tie ,  Jun Cao ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Manxia Tie ,  Jun Cao ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04L9/32

CPC分类号： H04L63/0807 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/0884

摘要： A bidirectional entity authentication method based on the credible third party includes the steps that: entity A receives message 1 sent from entity B including the authentication parameters of said entity B, and sends message 2 to the credible third party TP, said message 2 including the authentication parameters of entity B and the authentication parameters of entity A; entity A receives message 3 sent from said credible third party TP, said message 3 including the checking result after checking that whether said entity A and entity B are legal based on said message 2 by said credible third party TP; entity A gets the authentication result of entity B after authenticating said message 3, and sends message 4 to said entity B to make entity B authenticating based on said message 4 and getting the authentication result of entity A. The invention simplifies the operation condition of the protocol, reduces the computing capability requirement of the authentication entity, and satisfies the high security requirement of the network device lack of resource.

摘要翻译： 基于可信第三方的双向实体认证方法包括以下步骤：实体A接收从实体B发送的包括所述实体B的认证参数的消息1，并向可信第三方TP发送消息2，所述消息2包括 实体B的认证参数和实体A的认证参数; 实体A从所述可信第三方TP接收到从所述可信第三方TP发送的消息3，所述消息3在根据所述可信第三方TP的所述消息2检查所述实体A和实体B是否合法之后包括检查结果; 实体A在认证所述消息3之后获得实体B的认证结果，并向所述实体B发送消息4，以使实体B基于所述消息4进行认证，并获得实体A的认证结果。本发明简化了实体B的操作条件 协议，降低了认证实体的计算能力要求，满足了网络设备缺乏资源的高安全性要求。

公开(公告)号：US20100313012A1

公开(公告)日：2010-12-09

申请号：US12745288

申请日：2008-12-02

申请人： Liaojun Pang ,  Jun Cao ,  Manxia Tie ,  Zhenhai Huang

发明人： Liaojun Pang ,  Jun Cao ,  Manxia Tie ,  Zhenhai Huang

IPC分类号： H04L9/32

CPC分类号： H04L9/321 ,  H04L2209/805

摘要： A light access authentication method and system, the method includes: the trustful third party writes the MSG cipher text formed by enciphering MSG into the first entity; the second entity attains the MSG cipher text from the first entity, and attains the key from the trustful third party after attaining the MSG cipher text; the MSG cipher text is deciphered according to the key, and the MSG plaintext is attained. The embodiment of the present invention can be widely applied at a condition limited by the equipment and environment, and the access authentication is simplified and lightened.

摘要翻译： 一种光接入认证方法和系统，所述方法包括：信任第三方将通过加密MSG形成的MSG密文写入第一实体; 第二实体从第一实体获得MSG密文，并在获得MSG密文后获得信任第三方的密钥; 根据密钥解密MSG密文，并获得MSG明文。 本发明的实施例可以在受设备和环境限制的条件下被广泛应用，并且访问认证被简化和减轻。

公开(公告)号：US09038143B2

公开(公告)日：2015-05-19

申请号：US13879136

申请日：2011-03-15

申请人： Zhiqiang Du ,  Manxia Tie ,  Zhenhai Huang ,  Jun Cao

发明人： Zhiqiang Du ,  Manxia Tie ,  Zhenhai Huang ,  Jun Cao

IPC分类号： G06F7/04 ,  H04L29/06

CPC分类号： H04L63/08

摘要： A method and a system for network access control are provided, which are based on cipher code mechanism. After a visitor has raised an access request, an access controller in the destination network processes the access request and initiates an authentication request on the visitor identity to an authentication server through the visitor. The access controller in the destination network accomplishes the authentication on the visitor identity according to the public authentication result of the authentication server transferred by the visitor, and performs according to the authorization policy the authorization management on the successfully authenticated visitor. The present invention solves the problem of incapableness of performing the access control when the access controller can not directly use the authentication service provided by the authentication server. The present invention can sufficiently satisfy the real application requirements of access control on visitor.

摘要翻译： 提供了一种基于密码机制的网络访问控制方法和系统。 在访问者提出访问请求之后，目的地网络中的访问控制器处理访问请求，并通过访问者向认证服务器发起对访问者身份的认证请求。 目的地网络中的接入控制器根据访问者转发的认证服务器的公共认证结果对访客身份进行认证，并根据认证策略对成功认证的访问者进行授权管理。 本发明解决了当访问控制器不能直接使用认证服务器提供的认证服务时执行访问控制的不适用性的问题。 本发明可以充分满足访客访问控制的实际应用需求。

公开(公告)号：US08813199B2

公开(公告)日：2014-08-19

申请号：US13203645

申请日：2009-12-14

申请人： Zhiqiang Du ,  Jun Cao ,  Manxia Tie ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Zhiqiang Du ,  Jun Cao ,  Manxia Tie ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： G06F15/16 ,  H04L29/06 ,  H04W12/06 ,  H04W84/12

CPC分类号： H04W12/06 ,  H04L63/08 ,  H04L63/10 ,  H04W84/12

摘要： A method for realizing a convergent Wireless Local Area Networks (WLAN) Authentication and Privacy Infrastructure (WAPI) network architecture with a split Medium Access Control (MAC) mode involves the steps: a split MAC mode for realizing WLAN Privacy Infrastructure (WPI) by an access controller is constructed through splitting the MAC function and the WAPI function of the wireless access point apart to a wireless terminal point and the access controller; integration of a WAPI and a convergent WLAN network system architecture is realized under the split MAC mode that the access controller realizes WPI; the association connection process is performed among a station point, a wireless terminal point and an access controller; the process for announcing the start of performing the WLAN Authentication Infrastructure (WAI) protocol between the access controller and the wireless terminal point is performed; the process for performing the WAI protocol between the station point and the access controller is performed; the process for announcing the end of performing the WAI protocol between the access controller and the wireless terminal point is performed; the secret communication process is performed between the wireless terminal point and the station point by using WPI.

摘要翻译： 用于实现具有分离式媒体接入控制（MAC）模式的融合无线局域网（WLAN）认证和隐私基础设施（WAPI）网络架构的方法包括以下步骤：用于通过以下方式实现WLAN隐私基础设施（WPI）的分割MAC模式 通过将无线接入点的MAC功能和WAPI功能分离到无线终端点和接入控制器来构建接入控制器; 在接入控制器实现WPI的分割MAC模式下实现WAPI和融合WLAN网络系统架构的集成; 在站点，无线终端点和访问控制器之间执行关联连接处理; 执行在接入控制器和无线终端点之间通知执行WLAN认证基础设施（WAI）协议的开始的过程; 执行在站点和访问控制器之间执行WAI协议的过程; 执行用于在接入控制器和无线终端点之间通知执行WAI协议的结束的过程; 通过使用WPI在无线终端点和站点之间执行秘密通信处理。

公开(公告)号：US08787574B2

公开(公告)日：2014-07-22

申请号：US13637375

申请日：2010-05-12

申请人： Yanan Hu ,  Jun Cao ,  Manxia Tie ,  Zhenhai Huang

发明人： Yanan Hu ,  Jun Cao ,  Manxia Tie ,  Zhenhai Huang

IPC分类号： H04K1/00 ,  H04L9/00 ,  H04L9/32

CPC分类号： H04W12/04 ,  H04L12/189 ,  H04L63/065 ,  H04W12/10

摘要： The present invention discloses a multicast key negotiation method suitable for group calling system and a system thereof. The method includes that: a user terminal (UT) negotiates about a unicast key with a base station (BS), derives an information encryption key and an integrity verifying key according to the unicast key, and registers a service group identifier that the UT belongs to at the BS; the BS notifies the UT the multicast key of the service group that the UT needs to apply, constructs a multicast key notification packet, and sends it to the UT; after receiving the multicast key notification packet sent by the BS, the UT obtains the multicast key of the service group that the UT needs to apply by decrypting a service group key application list, constructs a multicast key confirmation packet, and sends it to the BS; the BS confirms that the multicast key of the UT service group is built successfully according to the multicast key confirmation packet sent by the UT.

摘要翻译： 本发明公开了适用于群呼系统的组播密钥协商方法及其系统。 该方法包括：用户终端（UT）与基站（BS）协商关于单播密钥，根据单播密钥导出信息加密密钥和完整性验证密钥，并注册UT所属的服务组标识符 到BS; BS向UT通知UT需要应用的业务组的组播密钥，构建组播密钥通知报文，并将其发送给UT; UT收到BS发送的组播密钥通知报文后，通过解密业务组密钥应用列表获取UT需要应用的业务组的组播密钥，构成组播密钥确认报文，并发送给BS ; 根据UT发送的组播密钥确认包，BS确认UT服务组的组播密钥成功建立。

公开(公告)号：US08750521B2

公开(公告)日：2014-06-10

申请号：US13320496

申请日：2009-12-14

申请人： Zhiqiang Du ,  Jun Cao ,  Manxia Tie ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Zhiqiang Du ,  Jun Cao ,  Manxia Tie ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04L9/00 ,  H04L9/08 ,  H04L29/06 ,  G06F21/10 ,  H04W12/02 ,  H04W12/04

CPC分类号： H04L9/08 ,  G06F21/10 ,  H04L9/0838 ,  H04L63/062 ,  H04L63/205 ,  H04W12/02 ,  H04W12/04 ,  H04W36/0038 ,  H04W84/12

摘要： The invention involves a method and a system for station (STA) switching when a wireless terminal point (WTP) completes wireless local area network (WLAN) privacy infrastructure (WPI) in a convergent WLAN. The method includes steps as follows. The STA implements re-association rebinding process with a target access controller (AC) over a target WTP. A base key is requested by the target AC from an associated AC. An associated WTP is informed to delete the STA by the associated AC, and the target WTP is informed to add the STA by the target AC. A session key is negotiated based on the requested base key by the STA and the target AC, and is synchronized between the target AC and the target WTP. The method enables fast and safe switching of the STA between WTPs under the control of different controllers in the convergent WLAN based on WAPI protocol.

摘要翻译： 本发明涉及无线终端（WTP）完成融合WLAN中的无线局域网（WLAN）隐私基础设施（WPI）时的站（STA）切换的方法和系统。 该方法包括以下步骤。 STA通过目标访问控制器（AC）在目标WTP上实现重新关联重新绑定过程。 来自相关AC的目标AC请求基本密钥。 通知关联的WTP通过关联的AC删除STA，通知目标WTP通过目标AC添加STA。 会话密钥基于STA和目标AC所请求的基本密钥进行协商，并在目标AC与目标WTP之间同步。 该方法能够在基于WAPI协议的融合WLAN中的不同控制器的控制下，在WTP之间快速，安全地切换STA。

公开(公告)号：US08572378B2

公开(公告)日：2013-10-29

申请号：US13140632

申请日：2009-12-07

申请人： Xiaolong Lai ,  Jun Cao ,  Yuelei Xiao ,  Manxia Tie ,  Zhenhai Huang ,  Bianling Zhang ,  Yanan Hu

发明人： Xiaolong Lai ,  Jun Cao ,  Yuelei Xiao ,  Manxia Tie ,  Zhenhai Huang ,  Bianling Zhang ,  Yanan Hu

IPC分类号： H04L29/06

CPC分类号： H04W12/10 ,  H04L9/0838 ,  H04L9/3242 ,  H04L9/3273 ,  H04L63/123 ,  H04L2209/80

摘要： The present invention provides a method for protecting the first message of a security protocol and the method includes the following steps: 1) initialization step; 2) the initiating side sends the first message; 3) the responding side receives the first message. The method for protecting the first message of the security protocol provided by the present invention can implement that: 1) Pre-Shared Master Key (PSMK), which is shared by the initiating side and responding side, and the security parameter in the first message are bound by using computation function of Message Integrality Code (MIC) or Message Authentication Code (MAC), and thus the fabrication attack of the first message in the security protocol is avoided effectively; 2) during computing the MIC or MAC of the first message, only PSMK and the security parameter of the first message are selected to be computed, and thus the computation load of the initiating side and the responding side is effectively reduced and the computation resource is saved.

摘要翻译： 本发明提供一种保护安全协议的第一消息的方法，该方法包括以下步骤：1）初始化步骤; 2）发起方发送第一个消息; 3）响应端接收第一条消息。 用于保护本发明提供的安全协议的第一消息的方法可以实现：1）由起始侧和响应侧共享的预共享主密钥（PSMK）和第一消息中的安全参数 通过使用消息完整性代码（MIC）或消息认证码（MAC）的计算功能来限制，从而有效地避免了安全协议中的第一消息的制造攻击; 2）在计算第一个消息的MIC或MAC期间，仅选择PSMK和第一个消息的安全参数进行计算，从而有效减少发起方和响应方的计算负载，计算资源为 保存

公开(公告)号：US08560847B2

公开(公告)日：2013-10-15

申请号：US12745288

申请日：2008-12-02

申请人： Liaojun Pang ,  Jun Cao ,  Manxia Tie ,  Zhenhai Huang

发明人： Liaojun Pang ,  Jun Cao ,  Manxia Tie ,  Zhenhai Huang

IPC分类号： H04L9/28 ,  H04K1/00

CPC分类号： H04L9/321 ,  H04L2209/805

摘要： A light access authentication method and system, the method includes: the trustful third party writes the MSG cipher text formed by enciphering MSG into the first entity; the second entity attains the MSG cipher text from the first entity, and attains the key from the trustful third party after attaining the MSG cipher text; the MSG cipher text is deciphered according to the key, and the MSG plaintext is attained. The embodiment of the present invention can be widely applied at a condition limited by the equipment and environment, and the access authentication is simplified and lightened.

摘要翻译： 一种光接入认证方法和系统，所述方法包括：信任第三方将通过加密MSG形成的MSG密文写入第一实体; 第二实体从第一实体获得MSG密文，并在获得MSG密文后获得信任第三方的密钥; 根据密钥解密MSG密文，并获得MSG明文。 本发明的实施例可以在受设备和环境限制的条件下被广泛应用，并且访问认证被简化和减轻。

公开(公告)号：US08533781B2

公开(公告)日：2013-09-10

申请号：US13058099

申请日：2009-07-28

申请人： Manxia Tie ,  Jun Cao ,  Yuelei Xiao ,  Zhenhai Huang ,  Xiaolong Lai

发明人： Manxia Tie ,  Jun Cao ,  Yuelei Xiao ,  Zhenhai Huang ,  Xiaolong Lai

IPC分类号： G06F7/04

CPC分类号： H04W12/06 ,  H04W48/10

摘要： The embodiments of the invention disclose an access method suitable for wireless personal area network (WPAN). After the coordinator broadcasts the beacon frame, according to the beacon frame, the equipment identifies the authentication demand and the authentication mode required by the coordinator to the equipment. If the coordinator has no authentication demand to the equipment, the equipment and the coordinator carry out the association processes directly; otherwise, based on a selected authentication mode and the corresponding authentication mechanism negotiation information, the equipment sends the authentication access request to the coordinator; then based on the authentication mode selected by the equipment, the coordinator carries out the processes of authentication and session key negotiation with the equipment; finally, the coordinator sends the authentication access response to the equipment, when the authentication state in the authentication access response is success, the equipment carries out the association processes with the coordinator. The processes of authentication and the session key negotiation can be based on primitive control, and also can be based on port control. If the equipment is associated with the coordinator successfully, the coordinator distributes a network address to the equipment, and therefore the equipment can communicate with the coordinator normally. The invention solves the technical problems of lower security and lower efficiency in the existing WPAN access methods.

摘要翻译： 本发明的实施例公开了适用于无线个人区域网（WPAN）的接入方法。 在协调器广播信标帧之后，根据信标帧，设备识别协调器对设备所需的认证需求和认证方式。 如果协调人对设备没有认证需求，则设备和协调人直接进行关联过程; 否则，根据所选择的认证方式和相应的认证机制协商信息，设备向协调器发送认证访问请求; 然后根据设备选择的认证方式，协调器与设备进行认证和会话密钥协商过程; 最后，协调器向设备发送认证接入响应，当认证接入响应的认证状态成功时，设备与协调器进行关联过程。 认证和会话密钥协商的过程可以基于原语控制，也可以基于端口控制。 如果设备与协调器成功关联，则协调器将网络地址分配给设备，因此设备可以正常与协调器进行通信。 本发明解决了现有WPAN接入方式安全性较低，效率较低的技术问题。

公开(公告)号：US08510565B2

公开(公告)日：2013-08-13

申请号：US12920931

申请日：2009-03-04

申请人： Manxia Tie ,  Jun Cao ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Manxia Tie ,  Jun Cao ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04L9/32

CPC分类号： H04L63/0807 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/0884

摘要： A bidirectional entity authentication method based on the credible third party includes the steps that: entity A receives message 1 sent from entity B including the authentication parameters of said entity B, and sends message 2 to the credible third party TP, said message 2 including the authentication parameters of entity B and the authentication parameters of entity A; entity A receives message 3 sent from said credible third party TP, said message 3 including the checking result after checking that whether said entity A and entity B are legal based on said message 2 by said credible third party TP; entity A gets the authentication result of entity B after authenticating said message 3, and sends message 4 to said entity B to make entity B authenticating based on said message 4 and getting the authentication result of entity A. The invention simplifies the operation condition of the protocol, reduces the computing capability requirement of the authentication entity, and satisfies the high security requirement of the network device lack of resource.

摘要翻译： 基于可信第三方的双向实体认证方法包括以下步骤：实体A接收从实体B发送的包括所述实体B的认证参数的消息1，并向可信第三方TP发送消息2，所述消息2包括 实体B的认证参数和实体A的认证参数; 实体A从所述可信第三方TP接收到从所述可信第三方TP发送的消息3，所述消息3在根据所述可信第三方TP的所述消息2检查所述实体A和实体B是否合法之后包括检查结果; 实体A在认证所述消息3之后获得实体B的认证结果，并向所述实体B发送消息4，以使实体B基于所述消息4进行认证，并获得实体A的认证结果。本发明简化了实体B的操作条件 协议，降低了认证实体的计算能力要求，满足了网络设备缺乏资源的高安全性要求。