CN101431409B - Method for implementing secret communication in different wireless local area network - Google Patents


Info

Publication number
CN101431409B
Authority
CN
China
Prior art keywords
key
access point
wireless access
encryption device
wireless
Legal status
Expired - Fee Related
Application number
CN2007101771020A
Other languages
Chinese (zh)
Other versions
CN101431409A (en
Inventor
曹镇
Current Assignee
Beijing Huaqi Information Digital Technology Co Ltd
Original Assignee
Beijing Huaqi Information Digital Technology Co Ltd


Landscapes

  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a method for realizing secure communication in different wireless local area networks, comprising: (1) presetting identification information and a key management information table in an encryption device, the key management information table storing all the keys held by each key management server and allowing the corresponding key to be retrieved according to key distribution information; (2) installing and running a dedicated driver on the communication terminal; (3) the encryption device sending an authentication request to the wireless access point; (4) the wireless access point performing authentication on the basis of the identification information contained in the authentication request and, if authentication succeeds, key distribution information being generated, the corresponding key being retrieved and sent to the wireless access point, and the key distribution information being sent to the encryption device; (5) the encryption device receiving the key distribution information and using it to retrieve the corresponding key; (6) the wireless access point and the encryption device each using the obtained key to encrypt and decrypt the data transmitted over the wireless channel.

Description

Method for realizing secure communication in different wireless local area networks

【Technical field】

The present invention relates to a method for secure communication between a communication terminal and a wireless access point in a wireless local area network, and in particular to a method that uses an encryption device to give a communication terminal wireless access to, and secure communication within, different wireless local area networks.

【Background art】

At present, the wireless access system of a WLAN (Wireless Local Area Network) is usually made up of a wireless network card, a wireless access point (AP), a wireless access gateway (AG) and a wireless access server (AS), among other parts. The more common networking arrangement connects a wireless network card to a terminal device such as a computer or PDA, replacing the wired network card originally fitted in that device, so as to provide wireless connections between terminal devices and between terminal devices and wireless access points; the card handles detection, selection, control and management of the wireless channel, and also implements functions such as receive gain control and transmit power control.

Compared with wired transmission, wireless transmission offers poorer confidentiality, so additional security measures such as user authentication and information encryption are needed to secure communication between the wireless access point and each communication terminal. Many encryption approaches already exist; broadly, they fall into software encryption and hardware encryption. Software encryption adds a software module dedicated to encryption and decryption in the application layer of the communication system. Because the encryption and decryption keys, and the data produced during encryption and decryption, all appear in the memory of the host machine, this approach is easy to break. In addition, because the cryptographic algorithms are computationally intensive, the heavy load that encryption and decryption place on system resources is also unacceptable. Hardware encryption stores the cryptographic algorithm and the key in dedicated hardware that is connected to the communication terminal through a communication interface; data is first transferred to the dedicated hardware over the communication interface, and a microprocessor in the hardware then performs the encryption or decryption. Although hardware encryption fundamentally overcomes the shortcomings of software encryption, if all data awaiting encryption or decryption and all processed data must pass between the communication terminal and the dedicated hardware over the communication interface, the transfer rate of that interface limits the transmission rate the communication terminal can achieve in the wireless local area network, and the frequent data transfers between the terminal and the dedicated hardware also consume a large share of system resources.

The wireless local area network standard IEEE 802.11 uses Wired Equivalent Privacy (WEP) to encrypt information. WEP is a symmetric encryption technique: both communicating parties use the same key for encryption and decryption. In practice, for security reasons, different users should use different keys. Usually the key is assigned by the network administrator and stored at both ends of the communication, that is, on the communication terminal and on the wireless access point (AP). This key management approach has many drawbacks. First, to support user roaming under this scheme, every wireless access point (AP) must store the keys of all users, and each time a user's key is added or modified the network administrator must add or modify that key on every wireless access point; this makes key management very burdensome, and the storage capacity of the access points may not be sufficient. Second, because the key is stored both on the user's communication terminal and on the wireless access point, and the copy stored on the communication terminal is plainly insecure, others are given an opportunity to steal the key.

【Summary of the invention】

The present invention provides a method for realizing secure communication in different wireless local area networks. The technical problem it solves is to keep the communication terminal out of the security processing altogether: an external encryption device provides the terminal's connection to different wireless local area networks and performs the encryption and decryption of the transmitted data, thereby effectively ensuring communication security.

The present invention relates to a method for realizing secure communication in different wireless local area networks, in which a plurality of wireless access points (APs) are provided and the wireless access points belong to a plurality of different key management servers. The method comprises the following steps: (1) presetting, in an encryption device that has wireless network card functionality, unique identification information and a key management information table, the key management information table storing all the keys held by each key management server and allowing the corresponding key to be retrieved according to key distribution information; (2) connecting the encryption device with wireless network card functionality to the communication terminal so that it obtains power, and installing and running the encryption device's dedicated wireless network card driver on the communication terminal; (3) using the wireless network card functionality of the encryption device to establish a wireless channel with the wireless access point, and the encryption device sending the wireless access point an authentication request containing the identification information; (4) the wireless access point authenticating the encryption device according to the identification information contained in the authentication request and, if authentication succeeds, the key management server generating key distribution information, retrieving the corresponding key according to that key distribution information, sending the retrieved key to the wireless access point, and causing the generated key distribution information to be sent to the encryption device via the wireless access point; (5) the wireless access point receiving the key directly from the authentication device, and the encryption device receiving the key distribution information and using it to retrieve the corresponding key from the key management information table; (6) the wireless access point and the encryption device each using the obtained key to encrypt and decrypt the data transmitted over the wireless channel.

In the foregoing method, different service group information is set in each of the wireless access points; the key management server is provided with a key database that stores the keys, and the key management information table stores a copy of the key database of each key management server together with the service group information of each wireless access point, the service group information being mapped to the key database of the key management server to which that wireless access point belongs; the encryption device learns the service group information of the wireless access point it is connected to over the wireless channel established with that access point, and looks up the key corresponding to the key distribution information in the key database that corresponds to that service group information.

In the foregoing method, the service group information is the service group identifier of the wireless access point.

In the foregoing method, after the encryption device has been successfully authenticated to the wireless access point, the wireless access point sends its service group information to the encryption device.

In the foregoing method, the communication terminal outputs the data to be sent to the wireless local area network to the encryption device through the communication interface module; the encryption device encrypts that data and sends it to the wireless access point through the wireless local area network module. The encryption device receives the encrypted data sent by the wireless access point through the wireless local area network module, decrypts it, and outputs it to the communication terminal through the communication interface module.

In the foregoing method, the communication interface module is a USB interface module, a SATA interface module, an ISA interface module, a PCI interface module or a PCMCIA interface module.

In the foregoing method, the encryption device obtains its power supply through the electrical connection between a power terminal provided in the communication interface module and the power output terminal of the communication terminal.

As described above, the method of the present invention for realizing secure communication in different wireless local area networks has the following beneficial effects:

The method realizes the wireless connection between the communication terminal and the wireless access point through an external encryption device connected to the communication terminal. All data transmitted between the communication terminal and the wireless local area network is received and sent through the encryption device, so that encryption and decryption are no longer performed on the communication terminal. This both secures the wireless communication and markedly improves data security, and because the encryption device performs the encryption and decryption of the wireless traffic, system resources are saved considerably. More importantly, by connecting the encryption device and installing the driver, more communication terminals can be connected to a wireless local area network more conveniently.

The communication method of the present invention does not require a key distribution step from the wireless access point to the communication terminal. Instead, the key management server assigns the key, sends the assigned key to the wireless access point and sends the key distribution information to the encryption device, which retrieves the corresponding key. Because the encryption device keeps its stored information confidential, the security of the encryption key and of the key generation algorithm is effectively guaranteed, which in turn ensures communication security.

The present invention uses the encryption device's ability to store data confidentially to hold the keys stored in the key management servers of multiple wireless local area networks, so a communication terminal user can roam across areas larger than the coverage of a single key management server. In addition, because the wireless access point does not need to manage user information, its structure is simplified and its cost reduced.

【Description of the drawings】

Fig. 1 is a structural block diagram of the encryption device of the present invention.

Fig. 2 is a schematic diagram of the method of the present invention for realizing secure communication in different wireless local area networks.

【Detailed description of the embodiments】

To further explain the technical means adopted by the present invention to achieve its intended purpose and the effects obtained, a detailed description follows with reference to the accompanying drawings and embodiments.

Referring to Fig. 1, which is a structural block diagram of the encryption device of the present invention, the encryption device comprises:

Microprocessor module: responsible for data computation. By calling the data and programs in the data storage module and the program storage module it performs the encryption and decryption operations on the information transmitted during communication, that is, it encrypts data about to be sent through the wireless local area network module and decrypts data received through the wireless local area network module.

Program storage module: connected to the microprocessor module, it mainly stores the encryption and integrity protection algorithms. These may be stored in ciphertext form; after power-on they are loaded into the cryptographic processor, decrypted and then run.

Data storage module: used to securely store all the master keys and asymmetric-algorithm key pairs of multiple key management servers. After power-on, the appropriate master key and key pair are loaded from the data storage module into the microprocessor module according to the key distribution information to take part in the computation.

Communication interface module: connected to the microprocessor module by a data line, used to connect to the terminal requiring encryption (that is, the communication terminal).

Wireless local area network module: connected to the microprocessor module, used to connect the microprocessor to the wireless local area network. The microprocessor module sends encrypted data outward through the wireless local area network module, and decrypts data received from the wireless local area network before passing it to the communication terminal through the communication interface module.

The communication interface module is preferably a USB interface module. Because USB is plug-and-play and supports very high data transfer rates, it not only makes it convenient for communication terminals without a wireless network card to connect to a wireless local area network, but also combines high transfer speed with secure communication.

Specifically, the wireless local area network module comprises a baseband unit and an RF unit. The baseband unit modulates and demodulates the microprocessor module's data; the RF unit converts the baseband unit's data into a high-frequency signal for transmission, and also receives and processes high-frequency signals. The microprocessor module additionally has a RAM module for holding input and output data, intermediate results, data exchanged with external memory and temporary data.

For security reasons it must be possible to update and manage the keys, and it may also be necessary to update the cryptographic algorithms. The microprocessor module therefore further includes a key management module responsible for updating and managing keys and an algorithm management module responsible for updating and managing the encryption algorithms.

Referring to Fig. 2, which is a flowchart of the method of the present invention for realizing secure communication in different wireless local area networks: each wireless local area network is provided with one wireless access point (AP), each wireless access point is managed by one key management server, and the multiple wireless access points are managed by multiple different key management servers. The method of the present invention comprises the following steps:

(1) Preset, in an encryption device that has wireless network card functionality, unique identification information and a key management information table; the key management information table stores all the keys held by each key management server and allows the corresponding key to be retrieved according to key distribution information;

(2) Connect the encryption device with wireless network card functionality to the communication terminal so that it obtains power, and install and run the encryption device's dedicated wireless network card driver on the communication terminal;

(3) The wireless network card functionality of the encryption device establishes a wireless channel with the wireless access point, and the encryption device sends the wireless access point an authentication request containing the identification information;

(4) The wireless access point authenticates the encryption device according to the identification information contained in the authentication request. If authentication succeeds, the key management server generates key distribution information, retrieves the corresponding key according to that key distribution information, sends the retrieved key to the wireless access point, and causes the generated key distribution information to be sent to the encryption device via the wireless access point;

(5) The wireless access point receives the key directly from the authentication device, and the encryption device receives the key distribution information and uses it to retrieve the corresponding key from the key management information table;

(6) The wireless access point and the encryption device each use the obtained key to encrypt and decrypt the data transmitted over the wireless channel.

In the above steps, each wireless access point should be configured with distinct service group information that represents its identity. The key management server is provided with a key database storing the keys, and the key management information table stores a copy of the key database of each key management server together with the service group information of each wireless access point, the service group information being mapped to the key database of the key management server to which that access point belongs. The encryption device learns the service group information of the wireless access point it is connected to over the wireless channel established with that access point, and looks up the key corresponding to the key distribution information in the key database that corresponds to that service group information. The service group information described above is the service group identifier of the wireless access point.

The wireless access point may send its service group information to the encryption device after the encryption device has been successfully authenticated to the wireless access point.

Specifically, in step (6) above, the communication terminal outputs the data to be sent to the wireless local area network to the encryption device through the communication interface module; the encryption device encrypts that data and sends it to the wireless access point through the wireless local area network module. The encryption device receives the encrypted data sent by the wireless access point through the wireless local area network module, decrypts it, and outputs it to the communication terminal through the communication interface module.

The communication interface module described above is a USB interface module, a SATA interface module, an ISA interface module, a PCI interface module or a PCMCIA interface module. The encryption device obtains its power supply through the electrical connection between a power terminal provided in the communication interface module and the power output terminal of the communication terminal.
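The six-step flow and the service-group lookup described above, simulated end to end as an added example (not code from the patent or its assignee): two access points under two key management servers, an encryption device whose preset table holds a copy of each server's key database, and key distribution information modelled as an index into that database, so that only the index and the service group ever cross the wireless channel. The message fields, the whitelist the access point uses to authenticate identification information, and the HMAC-based stand-in cipher are assumptions, since the patent fixes none of them.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass

# Stand-in cipher (assumption: the patent names no algorithm): HMAC-SHA256
# counter-mode keystream plus a 16-byte HMAC tag, present only so that the
# key-distribution flow can be exercised end to end.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first, then strip the keystream; raise on a bad tag."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class KeyManagementServer:
    """Owns one key database. Key distribution information is modelled as the
    index of the chosen key (assumption: the patent fixes no format)."""
    key_db: dict  # index -> master key

    def distribute(self) -> tuple:
        idx = int.from_bytes(os.urandom(2), "big") % len(self.key_db)
        return idx, self.key_db[idx]

@dataclass
class AccessPoint:
    service_group_id: str       # distinct per AP; tells the device which key DB to use
    kms: KeyManagementServer    # the key management server this AP belongs to
    registered_ids: set         # identification info the AP accepts (assumed whitelist)
    session_key: bytes | None = None

    def handle_auth_request(self, request: dict) -> dict:
        """Steps (3)-(5), AP side: the AP gets the key itself from the KMS, but
        only the distribution info and the service group go back over the air."""
        if request.get("id") not in self.registered_ids:
            return {"status": "rejected"}
        idx, key = self.kms.distribute()
        self.session_key = key
        return {"status": "ok", "service_group": self.service_group_id,
                "key_distribution_info": idx}

    def send(self, pt: bytes) -> bytes: return seal(self.session_key, pt)
    def receive(self, blob: bytes) -> bytes: return unseal(self.session_key, blob)

@dataclass
class EncryptionDevice:
    device_id: str     # unique identification info preset in step (1)
    key_table: dict    # service group -> copy of that KMS's key_db (the step (1) table)
    session_key: bytes | None = None

    def connect(self, ap: AccessPoint) -> bool:
        """Steps (3)-(5), device side: the key is looked up locally, never received."""
        resp = ap.handle_auth_request({"id": self.device_id})
        if resp["status"] != "ok":
            return False
        key_db = self.key_table[resp["service_group"]]
        self.session_key = key_db[resp["key_distribution_info"]]
        return True

    def send(self, pt: bytes) -> bytes: return seal(self.session_key, pt)
    def receive(self, blob: bytes) -> bytes: return unseal(self.session_key, blob)

def build_demo():
    """Two WLANs under two key management servers and one device that can roam
    between them because its preset table holds a copy of both key databases."""
    kms_a = KeyManagementServer({i: os.urandom(16) for i in range(4)})
    kms_b = KeyManagementServer({i: os.urandom(16) for i in range(4)})
    ap_a = AccessPoint("SG-A", kms_a, {"DEV-0001"})
    ap_b = AccessPoint("SG-B", kms_b, {"DEV-0001"})
    device = EncryptionDevice("DEV-0001", {"SG-A": dict(kms_a.key_db),
                                           "SG-B": dict(kms_b.key_db)})
    return device, ap_a, ap_b

def roundtrip(device: EncryptionDevice, ap: AccessPoint, message: bytes) -> bytes:
    """Authenticate, then carry one message device -> AP -> device (step 6)."""
    if not device.connect(ap):
        raise PermissionError("authentication failed")
    return device.receive(ap.send(ap.receive(device.send(message))))
```

Because every device carries a full copy of every server's key database, the scheme's confidentiality rests entirely on the tamper resistance of the device's data storage module, which is exactly the property the description above relies on.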

Claims (7)

1. the method that can realize secure communication in different wireless local area network is provided with a plurality of WAP (wireless access point) (AP), and each WAP (wireless access point) belongs to a plurality of different Key Management servers, it is characterized in that said method comprising the steps of:
(1) preset unique identification information and key management information table in having the encryption device of wireless network card function, this key management information table stores the whole keys in each Key Management server, and can transfer corresponding key by encryption key distribution information;
(2) encryption device with wireless network card function is connected with communication terminal and obtains power supply, on communication terminal, install and the wireless network card specific drivers of operation encryption device;
(3) utilize the wireless network card function foundation of encryption device and the wireless channel of WAP (wireless access point), encryption device sends the authentication request that comprises identification information to WAP (wireless access point);
(4) The wireless access point authenticates the encryption device according to the identification information contained in the authentication request; if authentication succeeds, the key management server generates key distribution information, retrieves the corresponding key according to this key distribution information, sends the retrieved key to the wireless access point, and causes the generated key distribution information to be sent to the encryption device through the wireless access point;
(5) The wireless access point receives the key directly from the authentication device, and the encryption device receives the key distribution information and uses it to retrieve the corresponding key from its key management information table;
(6) The wireless access point and the encryption device each use the key so obtained to encrypt and decrypt the data transmitted over the wireless channel.
2. The method for implementing secure communication in different wireless local area networks according to claim 1, characterized in that different service group information is set in each wireless access point; a key database storing keys is provided in the key management server, and the key management information table stores a key database identical to that of each key management server together with the service group information of each wireless access point, and establishes the correspondence between service group information and key database according to the key management server to which the wireless access point belongs; the encryption device learns the service group information of the wireless access point to which it is connected over the wireless channel established with that access point, and accordingly searches the key database corresponding to this service group information for the key corresponding to the key distribution information.
3. The method for implementing secure communication in different wireless local area networks according to claim 2, characterized in that the service group information is the service set identifier (SSID) of the wireless access point.
4. The method for implementing secure communication in different wireless local area networks according to claim 2, characterized in that, after the encryption device has been successfully authenticated by the wireless access point, the wireless access point sends its service group information to the encryption device.
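A minimal simulation of the key distribution exchange in claims 1 to 4, written as an added example rather than code from the patent; the device identifiers, SSIDs, key derivation and device whitelist are constructed, and the authentication device of step (5) is modelled as the key management server. It shows that only the device identification, the SSID and a key index cross the wireless channel while the key itself reaches the access point on the wired side, and that an unauthenticated device, or one not provisioned with the key database of that service group, obtains no key.

```python
import hashlib
import secrets
# Constructed sample data (not from the patent). Claims 2 and 3: one key database per
# service group, identified by the access point's SSID, mapping a key index to a 256-bit
# key. Keys are derived deterministically only to keep the example repeatable.
def build_key_database(ssid, size=4):
    return {i: hashlib.sha256(f"{ssid}/key/{i}".encode()).digest() for i in range(size)}

KEY_DATABASES = {s: build_key_database(s) for s in ("lab-wlan", "office-wlan")}
AUTHORIZED_DEVICES = {"encdev-0001", "encdev-0002"}  # identification info accepted in step (4)

class KeyManagementServer:
    """Step (4): generates key distribution information and retrieves the matching key."""
    def __init__(self, databases):
        self.databases = databases
    def distribute(self, ssid):
        db = self.databases[ssid]
        index = secrets.choice(sorted(db))  # the distribution information is only an index
        return index, db[index]             # index goes to the device, the key to the AP

class WirelessAccessPoint:
    def __init__(self, ssid, kms, wire):
        self.ssid, self.kms, self.wire, self.key = ssid, kms, wire, None
    def handle_auth_request(self, device_id):
        """Authenticate the device, take the key from the server, relay only the index."""
        if device_id not in AUTHORIZED_DEVICES:
            return None
        index, self.key = self.kms.distribute(self.ssid)   # key arrives on the wired side
        self.wire.append(("ap->device", self.ssid, index))  # claim 4: SSID sent after auth
        return self.ssid, index

class EncryptionDevice:
    def __init__(self, device_id, key_table, wire):
        self.device_id, self.key_table, self.wire, self.key = device_id, key_table, wire, None
    def request_key(self, ap):  # steps (3) and (5): request, then resolve the index locally
        self.wire.append(("device->ap", self.device_id))
        reply = ap.handle_auth_request(self.device_id)
        if reply is None:
            return False
        ssid, index = reply
        self.key = self.key_table.get(ssid, {}).get(index)  # database chosen by service group
        return self.key is not None

def run_key_distribution(device_id, ssid, device_table=KEY_DATABASES):
    # Returns (success, ap_key, device_key, messages that crossed the wireless channel).
    wire = []
    ap = WirelessAccessPoint(ssid, KeyManagementServer(KEY_DATABASES), wire)
    dev = EncryptionDevice(device_id, device_table, wire)
    ok = dev.request_key(ap)
    return ok, ap.key, dev.key, wire
```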
5. The method for implementing secure communication in different wireless local area networks according to claim 1, characterized in that the communication terminal outputs the data it sends to the wireless local area network to the encryption device through a communication interface module included in the encryption device, and the encryption device, after encrypting this data, sends it to the wireless access point through a wireless LAN module it includes; the encryption device receives the encrypted data sent by the wireless access point through the wireless LAN module, decrypts it, and outputs it to the communication terminal through the communication interface module.
6. The method for implementing secure communication in different wireless local area networks according to claim 5, characterized in that the communication interface module is a USB interface module, a SATA interface module, an ISA interface module, a PCI interface module or a PCMCIA interface module.
7. The method for implementing secure communication in different wireless local area networks according to claim 5, characterized in that the encryption device obtains its power supply through the electrical connection between a power supply terminal provided in the communication interface module and a power output terminal of the communication terminal.
CN2007101771020A 2007-11-09 2007-11-09 Method for implementing secret communication in different wireless local area network Expired - Fee Related CN101431409B (en)

Publications (2)

Publication Number Publication Date
CN101431409A CN101431409A (en) 2009-05-13
CN101431409B true CN101431409B (en) 2011-04-27

Family

ID=40646590

Country Status (1)

Country Link
CN (1) CN101431409B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101959188B (en) * 2009-07-16 2012-11-14 北京中电华大电子设计有限责任公司 Key management method for wireless local area network (WLAN) card chip
CN105722070B (en) * 2016-05-10 2019-06-21 苏州磐网通信技术有限公司 A kind of WLAN encryption and authentication method and system
CN106411939A (en) * 2016-11-21 2017-02-15 国网四川省电力公司信息通信公司 Enterprise information intranet WI-FI access security reinforcing authentication method
CN107733639B (en) * 2017-08-24 2020-08-04 深圳壹账通智能科技有限公司 Key management method, device and readable storage medium
CN111614683B (en) * 2020-05-25 2023-01-06 成都卫士通信息产业股份有限公司 Data processing method, device and system and network card

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1484856A1 (en) * 2002-03-08 2004-12-08 Huawei Technologies Co., Ltd. The method for distributes the encrypted key in wireless lan
EP1379052A2 (en) * 2002-07-06 2004-01-07 Samsung Electronics Co., Ltd. Cryptographic method using dual encryption keys and a wireless local area network (LAN) system therefore
CN1489338A (en) * 2002-07-06 2004-04-14 Samsung Electronics Co., Ltd. Encryption Method Using Double Key and Its Wireless Local Area Network System
CN1599338A (en) * 2003-09-19 2005-03-23 皇家飞利浦电子股份有限公司 Method of improving safety, for radio local network

Also Published As

Publication number Publication date
CN101431409A (en) 2009-05-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110427

Termination date: 20151109

EXPY Termination of patent right or utility model