公开(公告)号：US20120167190A1

公开(公告)日：2012-06-28

申请号：US13392915

申请日：2009-12-29

申请人： Manxia Tie ,  Jun Cao ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Manxia Tie ,  Jun Cao ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： G06F21/00

CPC分类号： H04L63/08 ,  H04L9/3213 ,  H04L9/3247 ,  H04L9/3263 ,  H04L9/3271 ,  H04L9/3297

摘要： An entity authentication method by introducing an online third party includes the following steps: 1) an entity B sends a message 1 to an entity A; 2) the entity A sends a message 2 to a trusted third party TP after receiving the message 1; 3) the trusted third party TP checks the validity of the entity A after receiving the message 2; 4) the trusted third party TP returns a message 3 to the entity A after checking the validity of the entity A; 5) the entity A sends a message 4 to the entity B after receiving the message 3; 6) and the entity B performs validation after receiving the message 4. The online retrieval and authentication mechanism of the public key simplifies the operating condition of a protocol, and realizes validity identification of the network for the user through the authentication of the entity B to the entity A.

摘要翻译： 通过引入在线第三方的实体认证方法包括以下步骤：1）实体B向实体A发送消息1; 2）实体A在接收到消息1之后向可信第三方TP发送消息2; 3）受信任的第三方TP在接收到消息2后检查实体A的有效性; 4）可信第三方TP在检查实体A的有效性之后向实体A返回消息3; 5）实体A在接收到消息3之后向实体B发送消息4; 6），实体B在接收到消息4后进行验证。公钥的在线检索和认证机制简化了协议的工作状态，通过对实体B的认证实现了用户对网络的有效性识别 实体A.

公开(公告)号：US20120060205A1

公开(公告)日：2012-03-08

申请号：US13320496

申请日：2009-12-14

申请人： Manxia Tie ,  Jun Cao ,  Zhiqiang Du ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Manxia Tie ,  Jun Cao ,  Zhiqiang Du ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04W12/04

CPC分类号： H04L9/08 ,  G06F21/10 ,  H04L9/0838 ,  H04L63/062 ,  H04L63/205 ,  H04W12/02 ,  H04W12/04 ,  H04W36/0038 ,  H04W84/12

摘要： The invention involves a method and a system for station (STA) switching when a wireless terminal point (WTP) completes wireless local area network (WLAN) privacy infrastructure (WPI) in a convergent WLAN. The method includes steps as follows. The STA implements re-association rebinding process with a target access controller (AC) over a target WTP. A base key is requested by the target AC from an associated AC. An associated WTP is informed to delete the STA by the associated AC, and the target WTP is informed to add the STA by the target AC. A session key is negotiated based on the requested base key by the STA and the target AC, and is synchronized between the target AC and the target WTP. The method enables fast and safe switching of the STA between WTPs under the control of different controllers in the convergent WLAN based on WAPI protocol.

摘要翻译： 本发明涉及无线终端（WTP）完成融合WLAN中的无线局域网（WLAN）隐私基础设施（WPI）时的站（STA）切换的方法和系统。 该方法包括以下步骤。 STA通过目标访问控制器（AC）在目标WTP上实现重新关联重新绑定过程。 来自相关AC的目标AC请求基本密钥。 通知关联的WTP通过关联的AC删除STA，通知目标WTP通过目标AC添加STA。 会话密钥基于STA和目标AC所请求的基本密钥进行协商，并在目标AC与目标WTP之间同步。 该方法能够在基于WAPI协议的融合WLAN中的不同控制器的控制下，在WTP之间快速，安全地切换STA。

公开(公告)号：US20110307943A1

公开(公告)日：2011-12-15

申请号：US13203645

申请日：2009-12-14

申请人： Zhiqiang Du ,  Jun Cao ,  Manxia Tie ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Zhiqiang Du ,  Jun Cao ,  Manxia Tie ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04W12/06 ,  H04W12/04 ,  H04L29/06

CPC分类号： H04W12/06 ,  H04L63/08 ,  H04L63/10 ,  H04W84/12

摘要： A method for realizing a convergent Wireless Local Area Networks (WLAN) Authentication and Privacy Infrastructure (WAPI) network architecture with a split Medium Access Control (MAC) mode involves the steps: a split MAC mode for realizing WLAN Privacy Infrastructure (WPI) by an access controller is constructed through splitting the MAC function and the WAPI function of the wireless access point apart to a wireless terminal point and the access controller; integration of a WAPI and a convergent WLAN network system architecture is realized under the split MAC mode that the access controller realizes WPI; the association connection process is performed among a station point, a wireless terminal point and an access controller; the process for announcing the start of performing the WLAN Authentication Infrastructure (WAI) protocol between the access controller and the wireless terminal point is performed; the process for performing the WAI protocol between the station point and the access controller is performed; the process for announcing the end of performing the WAI protocol between the access controller and the wireless terminal point is performed; the secret communication process is performed between the wireless terminal point and the station point by using WPI.

摘要翻译： 用于实现具有分离式媒体接入控制（MAC）模式的融合无线局域网（WLAN）认证和隐私基础设施（WAPI）网络架构的方法包括以下步骤：用于通过以下方式实现WLAN隐私基础设施（WPI）的分割MAC模式 通过将无线接入点的MAC功能和WAPI功能分离到无线终端点和接入控制器来构建接入控制器; 在接入控制器实现WPI的分割MAC模式下实现WAPI和融合WLAN网络系统架构的集成; 在站点，无线终端点和访问控制器之间执行关联连接处理; 执行在接入控制器和无线终端点之间通知执行WLAN认证基础设施（WAI）协议的开始的过程; 执行在站点和访问控制器之间执行WAI协议的过程; 执行用于在接入控制器和无线终端点之间通知执行WAI协议的结束的过程; 通过使用WPI在无线终端点和站点之间执行秘密通信处理。

公开(公告)号：US20110145890A1

公开(公告)日：2011-06-16

申请号：US13058099

申请日：2009-07-28

申请人： Manxia Tie ,  Jun Cao ,  Yuelei Xiao ,  Zhenhai Huang ,  Xiaolong Lai

发明人： Manxia Tie ,  Jun Cao ,  Yuelei Xiao ,  Zhenhai Huang ,  Xiaolong Lai

IPC分类号： G06F7/04

CPC分类号： H04W12/06 ,  H04W48/10

摘要： The embodiments of the invention disclose an access method suitable for wireless personal area network (WPAN). After the coordinator broadcasts the beacon frame, according to the beacon frame, the equipment identifies the authentication demand and the authentication mode required by the coordinator to the equipment. If the coordinator has no authentication demand to the equipment, the equipment and the coordinator carry out the association processes directly; otherwise, based on a selected authentication mode and the corresponding authentication mechanism negotiation information, the equipment sends the authentication access request to the coordinator; then based on the authentication mode selected by the equipment, the coordinator carries out the processes of authentication and session key negotiation with the equipment; finally, the coordinator sends the authentication access response to the equipment, when the authentication state in the authentication access response is success, the equipment carries out the association processes with the coordinator. The processes of authentication and the session key negotiation can be based on primitive control, and also can be based on port control. If the equipment is associated with the coordinator successfully, the coordinator distributes a network address to the equipment, and therefore the equipment can communicate with the coordinator normally. The invention solves the technical problems of lower security and lower efficiency in the existing WPAN access methods.

摘要翻译： 本发明的实施例公开了适用于无线个人区域网（WPAN）的接入方法。 在协调器广播信标帧之后，根据信标帧，设备识别协调器对设备所需的认证需求和认证方式。 如果协调人对设备没有认证需求，则设备和协调人直接进行关联过程; 否则，根据所选择的认证方式和相应的认证机制协商信息，设备向协调器发送认证访问请求; 然后根据设备选择的认证方式，协调器与设备进行认证和会话密钥协商过程; 最后，协调器向设备发送认证接入响应，当认证接入响应的认证状态成功时，设备与协调器进行关联过程。 认证和会话密钥协商的过程可以基于原语控制，也可以基于端口控制。 如果设备与协调器成功关联，则协调器将网络地址分配给设备，因此设备可以正常与协调器进行通信。 本发明解决了现有WPAN接入方式安全性较低，效率较低的技术问题。

公开(公告)号：US20110078438A1

公开(公告)日：2011-03-31

申请号：US12994712

申请日：2009-05-27

申请人： Manxia Tie ,  Jun Cao ,  Zhenhai Huang ,  Xiaolong Lai

发明人： Manxia Tie ,  Jun Cao ,  Zhenhai Huang ,  Xiaolong Lai

IPC分类号： H04L9/32

CPC分类号： H04L9/0844 ,  H04L9/3213 ,  H04L9/3263 ,  H04L9/3273 ,  H04L63/0823 ,  H04L63/0869 ,  H04W12/06

摘要： An entity bidirectional-identification method for supporting fast handoff involves three security elements, which includes two identification elements A and B and a trusted third party (TP). All identification entities of a same element share a public key certification or own a same public key. When any identification entity in identification element A and any identification entity in identification element B need to identify each other, if identification protocol has never been operated between the two identification elements that they belong to respectively, the whole identification protocol process will be operated; otherwise, interaction of identification protocol will be acted only between the two identification entities. Application of the present invention not only centralizes management of public key and simplifies protocol operation condition, but also utilizes the concept of security domain so as to reduce management complexity of public key, shorten identification time and satisfy fast handoff requirements on the premises of guaranteeing security characteristics such as one key for every pair of identification entities, one secret key for every identification and forward secrecy.

摘要翻译： 用于支持快速切换的实体双向识别方法涉及三个安全元件，其包括两个识别元件A和B以及可信第三方（TP）。 同一元素的所有识别实体共享公钥证书或拥有相同的公钥。 当识别元素A中的任何识别实体和识别元素B中的任何识别实体需要彼此识别时，如果识别协议在它们所属的两个识别元素之间从未被操作，则整个标识协议过程将被操作; 否则，识别协议的交互将仅在两个识别实体之间起作用。 本发明的应用不仅集中了公钥的管理，简化了协议的运行状况，而且利用了安全域的概念，降低了公钥的管理复杂度，缩短了识别时间，满足了保证安全性的前提下的快速切换要求 特征如每对识别实体的一个密钥，每个识别和转发保密的一个秘密密钥。

公开(公告)号：US20100316221A1

公开(公告)日：2010-12-16

申请号：US12863304

申请日：2009-01-14

申请人： Manxia Tie ,  Jun Cao ,  Liaojun Pang ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Manxia Tie ,  Jun Cao ,  Liaojun Pang ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04L9/08 ,  H04L9/00

CPC分类号： H04W12/04 ,  H04L9/0822 ,  H04L9/0844 ,  H04L9/0891 ,  H04L63/062 ,  H04L2209/80 ,  H04N7/1675 ,  H04N21/25816 ,  H04N21/64784

摘要： A secure transmission method for broadband wireless multimedia network broadcasting communication includes the following steps: a secure channel between big base station and small base station is established by utilizing security protocols; the big base station distributes a Broadcast Traffic Encryption Key to each small base station through the secure channel; the small base station transmits the Broadcast Traffic Encryption Key to the user passing the authentication and authorization. The above solution solves the problem of broadcast secure communication of the big base station working in the mixed covering mode of large and small cells, realizes the identification of not only the user but also the base station, and ensures that only the authorized user can receive broadcast service.

摘要翻译： 一种用于宽带无线多媒体网络广播通信的安全传输方法包括以下步骤：利用安全协议建立大基站与小型基站之间的安全通道; 大基站通过安全通道向每个小型基站分配广播业务加密密钥; 小基站向通过认证授权的用户发送广播业务加密密钥。 以上解决方案解决了以大小小区混合覆盖模式工作的大型基站的广播安全通信问题，不仅可以对用户进行识别，而且可以实现基站识别，确保只有授权用户可以接收 广播服务。

公开(公告)号：US20100257361A1

公开(公告)日：2010-10-07

申请号：US12743168

申请日：2008-11-14

申请人： Manxia Tie ,  Jun Cao ,  Liaojun Pang ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Manxia Tie ,  Jun Cao ,  Liaojun Pang ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04L9/32

CPC分类号： H04L63/06 ,  H04L9/0844 ,  H04L9/3236 ,  H04L9/3273 ,  H04L63/1458 ,  H04W12/04 ,  H04W12/12

摘要： A key management method, is an enhanced RSNA four-way Handshake protocol. Its preceding two way Handshake processes comprise: 1), an authenticator sending a new message 1 which is added a Key Negotiation IDentifier (KNID) and a Message Integrity Code (MIC) based on the intrinsic definition content of the message 1 to an supplicant; (2), after the supplicant receives the new message 1, checking whether the MIC therein is correct; if no, the supplicant discarding the received new message 1; if yes, checking the new message 2, if the checking is successful, sending a message 2 to the authenticator, the process of checking the new message is the same as checking process for the message 1 defined in the IEEE 802.11i-2004 standard document. The method solves the DoS attack problem of the key management protocol in the existing RSNA security mechanism.

摘要翻译： 一种密钥管理方法，是增强型RSNA四路握手协议。 其前两种握手过程包括：1）认证者发送新消息1，该新消息1基于消息1的内在定义内容向请求方添加了密钥协商标识符（KNID）和消息完整性代码（MIC）; （2），在请求者收到新消息1后，检查其中的MIC是否正确; 如果不是，请求者丢弃接收到的新消息1; 如果是，检查新消息2，如果检查成功，则向认证者发送消息2，检查新消息的过程与IEEE 802.11i-2004标准文档中定义的消息1的检查过程相同 。 该方法解决了现有RSNA安全机制中密钥管理协议的DoS攻击问题。

公开(公告)号：US20100031031A1

公开(公告)日：2010-02-04

申请号：US12442462

申请日：2007-07-16

申请人： Haibo Tian ,  Jun Cao ,  Liaojun Pang ,  Manxia Tie ,  Zhenhai Huang ,  Bianling Zhang

发明人： Haibo Tian ,  Jun Cao ,  Liaojun Pang ,  Manxia Tie ,  Zhenhai Huang ,  Bianling Zhang

IPC分类号： H04L9/32

CPC分类号： H04L9/3268 ,  H04L63/06 ,  H04L63/08 ,  H04L63/0823 ,  H04L2209/60 ,  H04L2209/80

摘要： Exemplary embodiments of systems, methods and computer-accessible medium can be provided for obtaining and verifying a public key certificate status. In particular, it is possible to construct and send a certificate query request, construct and send a combined certificate query request, construct and send a combined certificate status response, deliver a certificate status response, perform a verification by the general access point, and/or perform a verification by the user equipment. The exemplary embodiments address some of the deficiencies of conventional methods which have a complicated implementation as well as likely inability of such conventional methods to be applied to the network architecture of user equipment, a general access point and a server. The exemplary embodiments of the systems, methods and computer-accessible medium can obtain a user certificate status to provide certificate statuses of the user or the user equipment and the general access point when the user equipment accesses the network via the general access point. Message exchanges can be reduced, bandwidth and calculation resources can be saved, and higher efficiency can be achieved. According to another exemplary embodiment, by way of adding random numbers into the certificate query request and the combined certificate query request, as well as the message m, freshness of the certificate status response can be facilitated and even ensured, and security protection can be enhanced.

摘要翻译： 可以提供系统，方法和计算机可访问介质的示例性实施例，以获得和验证公钥证书状态。 特别地，可以构建和发送证书查询请求，构造和发送组合的证书查询请求，构造并发送组合证书状态响应，递送证书状态响应，由一般接入点执行验证和/ 或执行用户设备的验证。 示例性实施例解决了具有复杂实现的常规方法的一些缺陷以及这种常规方法可能不适用于用户设备，通用接入点和服务器的网络架构的一些缺陷。 当用户设备经由通用接入点访问网络时，系统，方法和计算机可访问介质的示例性实施例可以获得用户证书状态以提供用户或用户设备以及通用接入点的证书状态。 可以减少消息交换，节省带宽和计算资源，实现更高的效率。 根据另一示例性实施例，通过在证书查询请求和组合证书查询请求中添加随机数以及消息m，可以促进并甚至确保证书状态响应的新鲜度，并且可以增强安全性保护 。

公开(公告)号：US09009466B2

公开(公告)日：2015-04-14

申请号：US13995641

申请日：2011-06-17

申请人： Qin Li ,  Jun Cao ,  Manxia Tie

发明人： Qin Li ,  Jun Cao ,  Manxia Tie

IPC分类号： H04L29/06 ,  H04L9/08

CPC分类号： H04L63/0428 ,  H04L9/08 ,  H04L63/162

摘要： There are a terminal device capable of link layer encryption and decryption and a data process method thereof, and the terminal device includes a link layer processing module including a control module, a data frame encryption module, a data frame decryption module, a key management module, an algorithm module, a transmission port and a reception port; and the control module is connected with the transmission port through the data frame encryption module, the reception port is connected with the control module through the data frame decryption module, the control module is connected with the key management module, the data frame encryption module is connected with the data frame decryption module through the key management module, and the data frame encryption module is connected with the data frame decryption module through the algorithm module.

摘要翻译： 存在能够进行链路层加密和解密的终端设备及其数据处理方法，并且终端设备包括链路层处理模块，该链路层处理模块包括控制模块，数据帧加密模块，数据帧解密模块，密钥管理模块 算法模块，传输端口和接收端口; 控制模块通过数据帧加密模块与传输端口连接，接收端口通过数据帧解密模块与控制模块连接，控制模块与密钥管理模块连接，数据帧加密模块为 通过密钥管理模块与数据帧解密模块相连，数据帧加密模块通过算法模块与数据帧解密模块连接。

公开(公告)号：US20130283045A1

公开(公告)日：2013-10-24

申请号：US13995641

申请日：2011-06-17

申请人： Qin Li ,  Jun Cao ,  Manxia Tie

发明人： Qin Li ,  Jun Cao ,  Manxia Tie

IPC分类号： H04L29/06 ,  H04L9/08

CPC分类号： H04L63/0428 ,  H04L9/08 ,  H04L63/162

摘要： There are a terminal device capable of link layer encryption and decryption and a data process method thereof, and the terminal device includes a link layer processing module including a control module, a data frame encryption module, a data frame decryption module, a key management module, an algorithm module, a transmission port and a reception port; and the control module is connected with the transmission port through the data frame encryption module, the reception port is connected with the control module through the data frame decryption module, the control module is connected with the key management module, the data frame encryption module is connected with the data frame decryption module through the key management module, and the data frame encryption module is connected with the data frame decryption module through the algorithm module.

摘要翻译： 存在能够进行链路层加密和解密的终端设备及其数据处理方法，并且终端设备包括链路层处理模块，该链路层处理模块包括控制模块，数据帧加密模块，数据帧解密模块，密钥管理模块 算法模块，传输端口和接收端口; 控制模块通过数据帧加密模块与传输端口连接，接收端口通过数据帧解密模块与控制模块连接，控制模块与密钥管理模块连接，数据帧加密模块为 通过密钥管理模块与数据帧解密模块相连，数据帧加密模块通过算法模块与数据帧解密模块连接。