公开(公告)号：US20080288777A1

公开(公告)日：2008-11-20

申请号：US11816715

申请日：2006-02-21

申请人： Xiaolong Lai ,  Jun Cao ,  Bianling Zhang ,  Zhenhai Huang ,  Hong Guo

发明人： Xiaolong Lai ,  Jun Cao ,  Bianling Zhang ,  Zhenhai Huang ,  Hong Guo

IPC分类号： H04L9/32

CPC分类号： H04L63/0869 ,  H04L9/0894 ,  H04L9/321 ,  H04L2209/80

摘要： A port based peer access control method, comprises the steps of: 1) enabling the authentication control entity; 2) two authentication control entities authenticating each other; 3) setting the status of the controlled port. The method may further comprise the steps of enabling the authentication server entity, two authentication subsystems negotiating the key. By modifying the asymmetry of background technique, the invention has advantages of peer control, distinguishable authentication control entity, good scalability, good security, simple key negotiation process, relatively complete system, high flexibility, thus the invention can satisfy the requirements of central management as well as resolve the technical issues of the prior network access control method, including complex process, poor security, poor scalability, so it provides essential guarantee for secure network access.

摘要翻译： 一种基于端口的对等接入控制方法，包括步骤：1）启用认证控制实体; 2）两个认证控制实体相互认证; 3）设置受控端口的状态。 该方法还可以包括以下步骤：启用认证服务器实体，两个认证子系统协商该密钥。 通过修改背景技术的不对称性，本发明具有对等控制，可区分认证控制实体，良好的可扩展性，良好的安全性，简单的密钥协商过程，系统相对完整，灵活性高等优点，因此本发明可以满足中央管理的要求 解决现有网络访问控制方法的技术问题，包括复杂过程，安全性差，可扩展性差，为安全网络访问提供了必要的保证。

公开(公告)号：US08813199B2

公开(公告)日：2014-08-19

申请号：US13203645

申请日：2009-12-14

申请人： Zhiqiang Du ,  Jun Cao ,  Manxia Tie ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Zhiqiang Du ,  Jun Cao ,  Manxia Tie ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： G06F15/16 ,  H04L29/06 ,  H04W12/06 ,  H04W84/12

CPC分类号： H04W12/06 ,  H04L63/08 ,  H04L63/10 ,  H04W84/12

摘要： A method for realizing a convergent Wireless Local Area Networks (WLAN) Authentication and Privacy Infrastructure (WAPI) network architecture with a split Medium Access Control (MAC) mode involves the steps: a split MAC mode for realizing WLAN Privacy Infrastructure (WPI) by an access controller is constructed through splitting the MAC function and the WAPI function of the wireless access point apart to a wireless terminal point and the access controller; integration of a WAPI and a convergent WLAN network system architecture is realized under the split MAC mode that the access controller realizes WPI; the association connection process is performed among a station point, a wireless terminal point and an access controller; the process for announcing the start of performing the WLAN Authentication Infrastructure (WAI) protocol between the access controller and the wireless terminal point is performed; the process for performing the WAI protocol between the station point and the access controller is performed; the process for announcing the end of performing the WAI protocol between the access controller and the wireless terminal point is performed; the secret communication process is performed between the wireless terminal point and the station point by using WPI.

摘要翻译： 用于实现具有分离式媒体接入控制（MAC）模式的融合无线局域网（WLAN）认证和隐私基础设施（WAPI）网络架构的方法包括以下步骤：用于通过以下方式实现WLAN隐私基础设施（WPI）的分割MAC模式 通过将无线接入点的MAC功能和WAPI功能分离到无线终端点和接入控制器来构建接入控制器; 在接入控制器实现WPI的分割MAC模式下实现WAPI和融合WLAN网络系统架构的集成; 在站点，无线终端点和访问控制器之间执行关联连接处理; 执行在接入控制器和无线终端点之间通知执行WLAN认证基础设施（WAI）协议的开始的过程; 执行在站点和访问控制器之间执行WAI协议的过程; 执行用于在接入控制器和无线终端点之间通知执行WAI协议的结束的过程; 通过使用WPI在无线终端点和站点之间执行秘密通信处理。

公开(公告)号：US08750521B2

公开(公告)日：2014-06-10

申请号：US13320496

申请日：2009-12-14

申请人： Zhiqiang Du ,  Jun Cao ,  Manxia Tie ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Zhiqiang Du ,  Jun Cao ,  Manxia Tie ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04L9/00 ,  H04L9/08 ,  H04L29/06 ,  G06F21/10 ,  H04W12/02 ,  H04W12/04

CPC分类号： H04L9/08 ,  G06F21/10 ,  H04L9/0838 ,  H04L63/062 ,  H04L63/205 ,  H04W12/02 ,  H04W12/04 ,  H04W36/0038 ,  H04W84/12

摘要： The invention involves a method and a system for station (STA) switching when a wireless terminal point (WTP) completes wireless local area network (WLAN) privacy infrastructure (WPI) in a convergent WLAN. The method includes steps as follows. The STA implements re-association rebinding process with a target access controller (AC) over a target WTP. A base key is requested by the target AC from an associated AC. An associated WTP is informed to delete the STA by the associated AC, and the target WTP is informed to add the STA by the target AC. A session key is negotiated based on the requested base key by the STA and the target AC, and is synchronized between the target AC and the target WTP. The method enables fast and safe switching of the STA between WTPs under the control of different controllers in the convergent WLAN based on WAPI protocol.

摘要翻译： 本发明涉及无线终端（WTP）完成融合WLAN中的无线局域网（WLAN）隐私基础设施（WPI）时的站（STA）切换的方法和系统。 该方法包括以下步骤。 STA通过目标访问控制器（AC）在目标WTP上实现重新关联重新绑定过程。 来自相关AC的目标AC请求基本密钥。 通知关联的WTP通过关联的AC删除STA，通知目标WTP通过目标AC添加STA。 会话密钥基于STA和目标AC所请求的基本密钥进行协商，并在目标AC与目标WTP之间同步。 该方法能够在基于WAPI协议的融合WLAN中的不同控制器的控制下，在WTP之间快速，安全地切换STA。

公开(公告)号：US08510565B2

公开(公告)日：2013-08-13

申请号：US12920931

申请日：2009-03-04

申请人： Manxia Tie ,  Jun Cao ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Manxia Tie ,  Jun Cao ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04L9/32

CPC分类号： H04L63/0807 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/0884

摘要： A bidirectional entity authentication method based on the credible third party includes the steps that: entity A receives message 1 sent from entity B including the authentication parameters of said entity B, and sends message 2 to the credible third party TP, said message 2 including the authentication parameters of entity B and the authentication parameters of entity A; entity A receives message 3 sent from said credible third party TP, said message 3 including the checking result after checking that whether said entity A and entity B are legal based on said message 2 by said credible third party TP; entity A gets the authentication result of entity B after authenticating said message 3, and sends message 4 to said entity B to make entity B authenticating based on said message 4 and getting the authentication result of entity A. The invention simplifies the operation condition of the protocol, reduces the computing capability requirement of the authentication entity, and satisfies the high security requirement of the network device lack of resource.

摘要翻译： 基于可信第三方的双向实体认证方法包括以下步骤：实体A接收从实体B发送的包括所述实体B的认证参数的消息1，并向可信第三方TP发送消息2，所述消息2包括 实体B的认证参数和实体A的认证参数; 实体A从所述可信第三方TP接收到从所述可信第三方TP发送的消息3，所述消息3在根据所述可信第三方TP的所述消息2检查所述实体A和实体B是否合法之后包括检查结果; 实体A在认证所述消息3之后获得实体B的认证结果，并向所述实体B发送消息4，以使实体B基于所述消息4进行认证，并获得实体A的认证结果。本发明简化了实体B的操作条件 协议，降低了认证实体的计算能力要求，满足了网络设备缺乏资源的高安全性要求。

公开(公告)号：US20120167190A1

公开(公告)日：2012-06-28

申请号：US13392915

申请日：2009-12-29

申请人： Manxia Tie ,  Jun Cao ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Manxia Tie ,  Jun Cao ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： G06F21/00

CPC分类号： H04L63/08 ,  H04L9/3213 ,  H04L9/3247 ,  H04L9/3263 ,  H04L9/3271 ,  H04L9/3297

摘要： An entity authentication method by introducing an online third party includes the following steps: 1) an entity B sends a message 1 to an entity A; 2) the entity A sends a message 2 to a trusted third party TP after receiving the message 1; 3) the trusted third party TP checks the validity of the entity A after receiving the message 2; 4) the trusted third party TP returns a message 3 to the entity A after checking the validity of the entity A; 5) the entity A sends a message 4 to the entity B after receiving the message 3; 6) and the entity B performs validation after receiving the message 4. The online retrieval and authentication mechanism of the public key simplifies the operating condition of a protocol, and realizes validity identification of the network for the user through the authentication of the entity B to the entity A.

摘要翻译： 通过引入在线第三方的实体认证方法包括以下步骤：1）实体B向实体A发送消息1; 2）实体A在接收到消息1之后向可信第三方TP发送消息2; 3）受信任的第三方TP在接收到消息2后检查实体A的有效性; 4）可信第三方TP在检查实体A的有效性之后向实体A返回消息3; 5）实体A在接收到消息3之后向实体B发送消息4; 6），实体B在接收到消息4后进行验证。公钥的在线检索和认证机制简化了协议的工作状态，通过对实体B的认证实现了用户对网络的有效性识别 实体A.

公开(公告)号：US20120060205A1

公开(公告)日：2012-03-08

申请号：US13320496

申请日：2009-12-14

申请人： Manxia Tie ,  Jun Cao ,  Zhiqiang Du ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Manxia Tie ,  Jun Cao ,  Zhiqiang Du ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04W12/04

CPC分类号： H04L9/08 ,  G06F21/10 ,  H04L9/0838 ,  H04L63/062 ,  H04L63/205 ,  H04W12/02 ,  H04W12/04 ,  H04W36/0038 ,  H04W84/12

摘要： The invention involves a method and a system for station (STA) switching when a wireless terminal point (WTP) completes wireless local area network (WLAN) privacy infrastructure (WPI) in a convergent WLAN. The method includes steps as follows. The STA implements re-association rebinding process with a target access controller (AC) over a target WTP. A base key is requested by the target AC from an associated AC. An associated WTP is informed to delete the STA by the associated AC, and the target WTP is informed to add the STA by the target AC. A session key is negotiated based on the requested base key by the STA and the target AC, and is synchronized between the target AC and the target WTP. The method enables fast and safe switching of the STA between WTPs under the control of different controllers in the convergent WLAN based on WAPI protocol.

摘要翻译： 本发明涉及无线终端（WTP）完成融合WLAN中的无线局域网（WLAN）隐私基础设施（WPI）时的站（STA）切换的方法和系统。 该方法包括以下步骤。 STA通过目标访问控制器（AC）在目标WTP上实现重新关联重新绑定过程。 来自相关AC的目标AC请求基本密钥。 通知关联的WTP通过关联的AC删除STA，通知目标WTP通过目标AC添加STA。 会话密钥基于STA和目标AC所请求的基本密钥进行协商，并在目标AC与目标WTP之间同步。 该方法能够在基于WAPI协议的融合WLAN中的不同控制器的控制下，在WTP之间快速，安全地切换STA。

公开(公告)号：US20110307943A1

公开(公告)日：2011-12-15

申请号：US13203645

申请日：2009-12-14

申请人： Zhiqiang Du ,  Jun Cao ,  Manxia Tie ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Zhiqiang Du ,  Jun Cao ,  Manxia Tie ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04W12/06 ,  H04W12/04 ,  H04L29/06

CPC分类号： H04W12/06 ,  H04L63/08 ,  H04L63/10 ,  H04W84/12

摘要： A method for realizing a convergent Wireless Local Area Networks (WLAN) Authentication and Privacy Infrastructure (WAPI) network architecture with a split Medium Access Control (MAC) mode involves the steps: a split MAC mode for realizing WLAN Privacy Infrastructure (WPI) by an access controller is constructed through splitting the MAC function and the WAPI function of the wireless access point apart to a wireless terminal point and the access controller; integration of a WAPI and a convergent WLAN network system architecture is realized under the split MAC mode that the access controller realizes WPI; the association connection process is performed among a station point, a wireless terminal point and an access controller; the process for announcing the start of performing the WLAN Authentication Infrastructure (WAI) protocol between the access controller and the wireless terminal point is performed; the process for performing the WAI protocol between the station point and the access controller is performed; the process for announcing the end of performing the WAI protocol between the access controller and the wireless terminal point is performed; the secret communication process is performed between the wireless terminal point and the station point by using WPI.

摘要翻译： 用于实现具有分离式媒体接入控制（MAC）模式的融合无线局域网（WLAN）认证和隐私基础设施（WAPI）网络架构的方法包括以下步骤：用于通过以下方式实现WLAN隐私基础设施（WPI）的分割MAC模式 通过将无线接入点的MAC功能和WAPI功能分离到无线终端点和接入控制器来构建接入控制器; 在接入控制器实现WPI的分割MAC模式下实现WAPI和融合WLAN网络系统架构的集成; 在站点，无线终端点和访问控制器之间执行关联连接处理; 执行在接入控制器和无线终端点之间通知执行WLAN认证基础设施（WAI）协议的开始的过程; 执行在站点和访问控制器之间执行WAI协议的过程; 执行用于在接入控制器和无线终端点之间通知执行WAI协议的结束的过程; 通过使用WPI在无线终端点和站点之间执行秘密通信处理。

公开(公告)号：US20110078438A1

公开(公告)日：2011-03-31

申请号：US12994712

申请日：2009-05-27

申请人： Manxia Tie ,  Jun Cao ,  Zhenhai Huang ,  Xiaolong Lai

发明人： Manxia Tie ,  Jun Cao ,  Zhenhai Huang ,  Xiaolong Lai

IPC分类号： H04L9/32

CPC分类号： H04L9/0844 ,  H04L9/3213 ,  H04L9/3263 ,  H04L9/3273 ,  H04L63/0823 ,  H04L63/0869 ,  H04W12/06

摘要： An entity bidirectional-identification method for supporting fast handoff involves three security elements, which includes two identification elements A and B and a trusted third party (TP). All identification entities of a same element share a public key certification or own a same public key. When any identification entity in identification element A and any identification entity in identification element B need to identify each other, if identification protocol has never been operated between the two identification elements that they belong to respectively, the whole identification protocol process will be operated; otherwise, interaction of identification protocol will be acted only between the two identification entities. Application of the present invention not only centralizes management of public key and simplifies protocol operation condition, but also utilizes the concept of security domain so as to reduce management complexity of public key, shorten identification time and satisfy fast handoff requirements on the premises of guaranteeing security characteristics such as one key for every pair of identification entities, one secret key for every identification and forward secrecy.

摘要翻译： 用于支持快速切换的实体双向识别方法涉及三个安全元件，其包括两个识别元件A和B以及可信第三方（TP）。 同一元素的所有识别实体共享公钥证书或拥有相同的公钥。 当识别元素A中的任何识别实体和识别元素B中的任何识别实体需要彼此识别时，如果识别协议在它们所属的两个识别元素之间从未被操作，则整个标识协议过程将被操作; 否则，识别协议的交互将仅在两个识别实体之间起作用。 本发明的应用不仅集中了公钥的管理，简化了协议的运行状况，而且利用了安全域的概念，降低了公钥的管理复杂度，缩短了识别时间，满足了保证安全性的前提下的快速切换要求 特征如每对识别实体的一个密钥，每个识别和转发保密的一个秘密密钥。

公开(公告)号：US20100316221A1

公开(公告)日：2010-12-16

申请号：US12863304

申请日：2009-01-14

申请人： Manxia Tie ,  Jun Cao ,  Liaojun Pang ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Manxia Tie ,  Jun Cao ,  Liaojun Pang ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04L9/08 ,  H04L9/00

CPC分类号： H04W12/04 ,  H04L9/0822 ,  H04L9/0844 ,  H04L9/0891 ,  H04L63/062 ,  H04L2209/80 ,  H04N7/1675 ,  H04N21/25816 ,  H04N21/64784

摘要： A secure transmission method for broadband wireless multimedia network broadcasting communication includes the following steps: a secure channel between big base station and small base station is established by utilizing security protocols; the big base station distributes a Broadcast Traffic Encryption Key to each small base station through the secure channel; the small base station transmits the Broadcast Traffic Encryption Key to the user passing the authentication and authorization. The above solution solves the problem of broadcast secure communication of the big base station working in the mixed covering mode of large and small cells, realizes the identification of not only the user but also the base station, and ensures that only the authorized user can receive broadcast service.

摘要翻译： 一种用于宽带无线多媒体网络广播通信的安全传输方法包括以下步骤：利用安全协议建立大基站与小型基站之间的安全通道; 大基站通过安全通道向每个小型基站分配广播业务加密密钥; 小基站向通过认证授权的用户发送广播业务加密密钥。 以上解决方案解决了以大小小区混合覆盖模式工作的大型基站的广播安全通信问题，不仅可以对用户进行识别，而且可以实现基站识别，确保只有授权用户可以接收 广播服务。

公开(公告)号：US20100257361A1

公开(公告)日：2010-10-07

申请号：US12743168

申请日：2008-11-14

申请人： Manxia Tie ,  Jun Cao ,  Liaojun Pang ,  Xiaolong Lai ,  Zhenhai Huang

发明人： Manxia Tie ,  Jun Cao ,  Liaojun Pang ,  Xiaolong Lai ,  Zhenhai Huang

IPC分类号： H04L9/32

CPC分类号： H04L63/06 ,  H04L9/0844 ,  H04L9/3236 ,  H04L9/3273 ,  H04L63/1458 ,  H04W12/04 ,  H04W12/12

摘要： A key management method, is an enhanced RSNA four-way Handshake protocol. Its preceding two way Handshake processes comprise: 1), an authenticator sending a new message 1 which is added a Key Negotiation IDentifier (KNID) and a Message Integrity Code (MIC) based on the intrinsic definition content of the message 1 to an supplicant; (2), after the supplicant receives the new message 1, checking whether the MIC therein is correct; if no, the supplicant discarding the received new message 1; if yes, checking the new message 2, if the checking is successful, sending a message 2 to the authenticator, the process of checking the new message is the same as checking process for the message 1 defined in the IEEE 802.11i-2004 standard document. The method solves the DoS attack problem of the key management protocol in the existing RSNA security mechanism.

摘要翻译： 一种密钥管理方法，是增强型RSNA四路握手协议。 其前两种握手过程包括：1）认证者发送新消息1，该新消息1基于消息1的内在定义内容向请求方添加了密钥协商标识符（KNID）和消息完整性代码（MIC）; （2），在请求者收到新消息1后，检查其中的MIC是否正确; 如果不是，请求者丢弃接收到的新消息1; 如果是，检查新消息2，如果检查成功，则向认证者发送消息2，检查新消息的过程与IEEE 802.11i-2004标准文档中定义的消息1的检查过程相同 。 该方法解决了现有RSNA安全机制中密钥管理协议的DoS攻击问题。