1. Method for the access of the mobile terminal to the WLAN and for the data communication via the wireless link securely
    Granted patent; status: in force

    Publication No.: US08726022B2

    Publication date: 2014-05-13

    Application No.: US10534067

    Filing date: 2003-08-05

    Abstract: The present invention relates to a method for the secure access of a mobile terminal (MT) to a Wireless Local Area Network (WLAN) and for secure data communication via a wireless link. By combining public key encryption technology with symmetric encryption technology, it resolves the inability of existing WLANs to provide effective control over secure MT access and overcomes the limited confidentiality of data communication via the wireless link. When an MT logs on to an AP, both parties must perform certificate authentication through the AS. Only an MT holding a legitimate certificate can access an AP holding a legitimate certificate; the MT and the AP then negotiate a session key, and the secret key is dynamically revised at each authentication and during each session, so that confidential data communication is achieved. In summary, the method not only achieves control over MT access, but also ensures the security of MT access and high confidentiality of communication.


2. PEER-TO-PEER ACCESS CONTROL METHOD OF TRIPLE UNIT STRUCTURE
    Patent application; status: in force

    Publication No.: US20100037302A1

    Publication date: 2010-02-11

    Application No.: US12519955

    Filing date: 2007-06-25

    CPC classification number: H04L63/0869

    Abstract: This invention relates to a peer-to-peer access control method of a triple-unit structure for securely implementing bidirectional authentication between the terminal and the network. According to the method, on the basis of the access control method of the existing double-unit triple-entity structure, the authenticator function is implemented in the access controller, and the authentication protocol function is implemented in the terminal and the access controller, so that the terminal, the access controller and the server all participate in the authentication, and the trust relationship is established directly between the terminal and the access controller, which makes the security very reliable. The invention not only solves the technical problems of the access control method of the existing double-unit double-entity structure, namely that access flexibility is limited and extending the number of access controllers is inconvenient, but also solves the technical problems of the existing access control method of the double-unit triple-entity structure, namely that the process for establishing the trust relationship is complicated and the security of the network may be affected, thus achieving the advantages of high security performance, no requirement to change existing network structures, and relative independence from the authentication protocol.


3. METHOD FOR MANAGING NETWORK KEY AND UPDATING SESSION KEY
    Patent application; status: in force

    Publication No.: US20090300358A1

    Publication date: 2009-12-03

    Application No.: US12442513

    Filing date: 2007-07-17

    CPC classification number: H04L9/0891 H04L2209/80 H04W12/04 H04W12/10

    Abstract: A method for managing a network key and updating a session key is provided. The key management step includes constructing a key request group, constructing a key negotiation response group, and constructing a key negotiation acknowledgement group. The multicast key management method includes a multicast master key negotiation protocol and a multicast session key distribution protocol. The multicast master key negotiation protocol comprises a key update notification group, constructing an encryption key negotiation request group, constructing a key negotiation response group, and constructing a key negotiation acknowledgement group. The multicast session key distribution protocol comprises a multicast session key request and multicast session key distribution.


4. Wireless personal area network accessing method
    Granted patent; status: in force

    Publication No.: US08631232B2

    Publication date: 2014-01-14

    Application No.: US12863272

    Filing date: 2009-01-14

    CPC classification number: H04W12/04 H04L63/205 H04W12/06

    Abstract: A wireless personal area network accessing method is provided. The method includes: a coordinator broadcasts a beacon frame, which includes information about whether the coordinator sends an authentication requirement and also includes the authentication and key management package supported by the coordinator; when a device receives the authentication requirement, the device receives the beacon frame, and authentication between the coordinator and the device is performed using the authentication method corresponding to the authentication and key management package supported by the coordinator; depending on what the device determines, the association between the coordinator and the device is then made directly according to the authentication result, or made after session key negotiation.


5. Access authentication method suitable for the wire-line and wireless network
    Granted patent; status: in force

    Publication No.: US08225092B2

    Publication date: 2012-07-17

    Application No.: US11816743

    Filing date: 2006-02-21

    Abstract: An access authentication method includes pre-establishing a security channel between the authentication server of the access point and the authentication server of the user terminal, and performing the authentication process at the user terminal and the access point. The authentication process includes: 1) the access point sending the authentication_activating message; 2) the user terminal sending a request message to the authentication server of the user terminal; 3) the authentication server of the user terminal sending a response message to the user terminal; and 4) completing the authentication.


6. Peer-to-peer access control method based on ports
    Granted patent; status: in force

    Publication No.: US08176325B2

    Publication date: 2012-05-08

    Application No.: US11816715

    Filing date: 2006-02-21

    CPC classification number: H04L63/0869 H04L9/0894 H04L9/321 H04L2209/80

    Abstract: A port-based peer access control method comprises the steps of: 1) enabling the authentication control entity; 2) two authentication control entities authenticating each other; 3) setting the status of the controlled port. The method may further comprise the steps of enabling the authentication server entity and of two authentication subsystems negotiating the key. By modifying the asymmetry of the background technique, the invention has the advantages of peer control, a distinguishable authentication control entity, good scalability, good security, a simple key negotiation process, a relatively complete system and high flexibility; thus the invention can satisfy the requirements of central management as well as resolve the technical issues of prior network access control methods, including a complex process, poor security and poor scalability, and so provides an essential guarantee for secure network access.


7. ACCESS AUTHENTICATION METHOD SUITABLE FOR THE WIRE-LINE AND WIRELESS NETWORK
    Patent application; status: in force

    Publication No.: US20110055561A1

    Publication date: 2011-03-03

    Application No.: US11816743

    Filing date: 2006-02-21

    Abstract: An access authentication method includes pre-establishing a security channel between the authentication server of the access point and the authentication server of the user terminal, and performing the authentication process at the user terminal and the access point. The authentication process includes: 1) the access point sending the authentication_activating message; 2) the user terminal sending a request message to the authentication server of the user terminal; 3) the authentication server of the user terminal sending a response message to the user terminal; and 4) completing the authentication.


8. Method for protecting the first message of security protocol
    Granted patent; status: in force

    Publication No.: US08572378B2

    Publication date: 2013-10-29

    Application No.: US13140632

    Filing date: 2009-12-07

    Abstract: The present invention provides a method for protecting the first message of a security protocol. The method includes the following steps: 1) an initialization step; 2) the initiating side sends the first message; 3) the responding side receives the first message. The method achieves the following: 1) the Pre-Shared Master Key (PSMK), which is shared by the initiating side and the responding side, and the security parameters in the first message are bound by using the computation function of a Message Integrity Code (MIC) or Message Authentication Code (MAC), and thus a fabrication attack on the first message of the security protocol is effectively avoided; 2) when computing the MIC or MAC of the first message, only the PSMK and the security parameters of the first message are selected for computation, and thus the computation load of the initiating side and the responding side is effectively reduced and computation resources are saved.


9. Roaming authentication method based on WAPI
    Granted patent; status: in force

    Publication No.: US08417951B2

    Publication date: 2013-04-09

    Application No.: US12990580

    Filing date: 2009-05-11

    CPC classification number: H04W12/06 H04L63/0823 H04W84/12

    Abstract: A roaming authentication method based on WAPI. The present invention includes the steps of adopting a terminal and a wireless access point to initiate the WAPI security mechanism, associating the terminal with the wireless access point, initiating the WAPI authentication process, and so on. A highly secure and convenient roaming authentication method based on WAPI is thereby provided, so as to solve the technical problem of how certificate roaming authentication is realized in practice: the certificate of the external network authentication server cannot be obtained to establish a trust relationship, so the terminal may be unable to perform roaming authentication.


10. WIRELESS PERSONAL AREA NETWORK ACCESS METHOD BASED ON PRIMITIVE
    Patent application; status: in force

    Publication No.: US20110029776A1

    Publication date: 2011-02-03

    Application No.: US12863285

    Filing date: 2009-01-14

    Abstract: A wireless personal area network access method based on primitives includes: a coordinator broadcasts a beacon frame to a device that requests to connect to the wireless personal area network (WPAN); the beacon frame includes the authentication request information for the device and the authentication and key management tool supported by the coordinator; the device authenticates the authentication request information, and when the coordinator has an authentication request for the device, the coordinator and the device perform authentication based on the primitive and obtain the session key.

