
WO2018040805A1 - Method for establishing an association in a wireless local area network, terminal and access point - Google Patents

Info

Publication number: WO2018040805A1
Authority: WO, WIPO (PCT)
Prior art keywords: terminal, access point, message, association, information
Legal status: Ceased
Application number: PCT/CN2017/094374
Other languages: English (en), Chinese (zh)
Inventors: 方平, 杨云松, 庞高昆
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority claimed from CN201610995436.8A (CN107786972B)
Application filed by Huawei Technologies Co Ltd
Priority to EP17845107.6A (EP3499936B1)
Priority to US16/328,842 (US10674353B2)
Publication of WO2018040805A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H04W 8/00 Network data management
    • H04W 8/22 Processing or transfer of terminal data, e.g. status or physical capabilities
    • H04W 8/24 Transfer of terminal data
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/08 Access restriction or access information delivery, e.g. discovery data delivery
    • H04W 48/14 Access restriction or access information delivery, e.g. discovery data delivery using user query or user detection
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10 Small scale networks; Flat hierarchical networks
    • H04W 84/12 WLAN [Wireless Local Area Networks]

Definitions

  • The embodiments of the present invention relate to the field of communications, and in particular to a method, a terminal and an access point for establishing association in a wireless local area network.
  • WiFi: Wireless Fidelity
  • APs: WiFi access points
  • A terminal's WiFi network interface is used for low-cost or free network access.
  • Before sending an association request message to the AP, the terminal first sends a probe request message to the AP. The probe request message carries device information of the terminal, for example capability information of the device, Supported Rates, Extended Supported Rates and Vendor Specific information.
  • The device information does not change under normal conditions; that is, the device information carried in the probe request message before the terminal associates with the AP remains unchanged for a long time.
  • No single piece of this information is globally unique between different devices, but a combination of one or more pieces of it may form a kind of "fingerprint" of the device. Such fingerprint information may, to a large extent, uniquely identify the device in a local area or even across the entire network.
  • An eavesdropper receives the probe request message on the air interface and analyzes the "fingerprint" information carried in the message.
  • The device can then be traced to obtain the user's private information. For example, the eavesdropper obtains the locations and times at which the user often appears, so that the user's living habits, social relationships and so on can be derived through analysis of a large amount of data.
  • The present application proposes a method, a terminal and an access point for establishing association in a wireless local area network, so as to solve the problem of user privacy leaking during the association between the terminal and the access point.
  • A first aspect provides a method for establishing association in a wireless local area network. The method includes: the terminal generates encrypted capability information of the terminal; the terminal receives pre-association index information related to the terminal, sent by the access point, where the pre-association index information is used by the access point to identify the terminal when the terminal has not yet established association with the access point; the terminal sends the encrypted capability information of the terminal and an association request message to the access point, where the association request message includes the pre-association index information; and the terminal receives an association response message sent by the access point according to the capability information of the terminal and the pre-association index information, so that the terminal establishes association with the access point.
  • The pre-association index information can identify the terminal while the terminal has not yet established the current association or is in the process of establishing it.
  • "In the process of establishing the association" means, for example, when the STA sends an association request message to the AP, or when the AP receives the association request message sent by the STA.
  • The pre-association index information may also be used after the terminal successfully establishes association with the access point, for example before or during the next association of the terminal with the access point.
  • Because the capability information of the terminal is sent to the access point in encrypted form and the terminal is identified by the pre-association index information, an eavesdropper that monitors the air interface before or during the association process still cannot obtain the capability information of the terminal. The eavesdropper is thus prevented from determining the location, time and other information of the terminal from its capability information, and leakage of user privacy is avoided.
  • The terminal sending the encrypted capability information of the terminal and an association request message (which may be referred to as an Association Request message) to the access point includes: the terminal sends the association request message to the access point, where the association request message includes the encrypted capability information of the terminal.
  • Carrying the encrypted capability information of the terminal in the association request message further saves signaling overhead and improves utilization of radio resources.
  • The terminal sending the encrypted capability information and the association request message to the access point may also include: the terminal sends a first message to the access point, where the first message includes the encrypted capability information of the terminal and the first message is a management message; and the terminal sends the association request message to the access point.
  • Before the terminal sends the encrypted capability information of the terminal to the access point, the method further includes: the terminal sends the public key of the terminal to the access point, where the public key of the terminal is used by the access point to generate a decryption key for decrypting the encrypted capability information of the terminal, and where the terminal receives the pre-association index information related to the terminal only after it has sent its public key to the access point; the terminal receives the public key of the access point sent by the access point; and the terminal generates an encryption key of the terminal according to the public key of the access point, where the encryption key of the terminal is used to encrypt the capability information of the terminal.
  • The terminal sending the public key of the terminal to the access point includes: the terminal sends a probe request message (that is, a Probe Request message) to the access point, where the probe request message includes the public key of the terminal; or the terminal sends a second message to the access point, where the second message includes the public key of the terminal and the second message is a management message.
  • The terminal receiving the public key of the access point sent by the access point includes: the terminal receives a probe response message (Probe Response message) sent by the access point, where the probe response message includes the public key of the access point; or the terminal receives a third message sent by the access point, where the third message includes the public key of the access point and the third message is a management message; or the terminal receives a beacon frame sent by the access point, where the beacon frame includes the public key of the access point.
  • The method further includes: the terminal receives indication information sent by the access point, where the indication information indicates that the access point supports the terminal sending encrypted device capability information of the terminal.
  • The terminal receiving the indication information sent by the access point includes: the terminal receives a probe response message sent by the access point, where the probe response message includes the indication information; or the terminal receives a fourth message sent by the access point, where the fourth message includes the indication information and the fourth message is a management message; or the terminal receives a beacon frame (that is, a Beacon frame) sent by the access point, where the beacon frame includes the indication information.
  • The terminal receiving the pre-association index information sent by the access point includes: the terminal receives a fifth message sent by the access point, where the fifth message includes the pre-association index information and the fifth message is a management message (for example, an Action Frame); or the terminal receives the probe response message sent by the access point, where the probe response message includes the pre-association index information.
  • The MAC address used by the terminal when sending the association request message to the access point may differ from the MAC address the terminal used before sending the association request message; the access point can still identify the terminal.
  • The first message and the second message may be the same message, in which case that message includes the content of both the first message and the second message.
  • The first message and the second message may instead be independent messages.
  • "Independent message" here is the opposite of "the same message" described above; that is, the first message and the second message may be different, separately transmitted messages.
  • The third message, the fourth message and the fifth message may be the same message, in which case that message includes the content of the third message, the fourth message and the fifth message.
  • At least two of the third message, the fourth message and the fifth message may be independent messages.
  • "Independent message" here is the opposite of "the same message" described above; that is, at least two of the third message, the fourth message and the fifth message may be different, separately transmitted messages.
  • A second aspect provides a method for establishing association in a wireless local area network. The method includes: an access point generates pre-association index information related to a terminal, where the pre-association index information is used by the access point to identify the terminal when the terminal has not yet established association with the access point; the access point sends the pre-association index information to the terminal; the access point receives encrypted capability information of the terminal and an association request message sent by the terminal, where the association request message includes the pre-association index information; the access point decrypts the encrypted capability information of the terminal; and the access point sends an association response message (which may be referred to as an Association Response message) to the terminal according to the capability information of the terminal and the pre-association index information, so that the access point establishes association with the terminal.
  • The access point receiving the encrypted capability information and the association request message of the terminal includes: the access point receives the association request message sent by the terminal, where the association request message includes the encrypted capability information of the terminal.
  • The access point receiving the encrypted capability information and the association request message of the terminal may also include: the access point receives a first message sent by the terminal, where the first message includes the encrypted capability information of the terminal and the first message is a management message; and the access point receives the association request message sent by the terminal.
  • Before the access point receives the encrypted capability information of the terminal sent by the terminal, the method further includes: the access point receives the public key of the terminal sent by the terminal, where the access point sends the pre-association index information to the terminal only after it has received the public key of the terminal; the access point generates a decryption key according to the public key of the terminal, where the decryption key is used to decrypt the encrypted capability information of the terminal; and the access point sends the public key of the access point to the terminal, where the public key of the access point is used by the terminal to generate an encryption key for encrypting the capability information of the terminal.
  • The access point receiving the public key of the terminal sent by the terminal includes: the access point receives a probe request message sent by the terminal, where the probe request message includes the public key of the terminal; or the access point receives a second message sent by the terminal, where the second message includes the public key of the terminal and the second message is a management message.
  • The access point sending the public key of the access point to the terminal includes: the access point sends a probe response message to the terminal, where the probe response message includes the public key of the access point; or the access point sends a third message to the terminal, where the third message includes the public key of the access point and the third message is a management message; or the access point sends a beacon frame to the terminal, where the beacon frame includes the public key of the access point.
  • The method further includes: the access point sends indication information to the terminal, where the indication information indicates that the access point supports the terminal sending encrypted device capability information of the terminal.
  • The access point sending the indication information to the terminal includes: the access point sends a probe response message to the terminal, where the probe response message includes the indication information; or the access point sends a fourth message to the terminal, where the fourth message includes the indication information and the fourth message is a management message; or the access point sends a beacon frame to the terminal, where the beacon frame includes the indication information.
  • The access point sending the pre-association index information to the terminal includes: the access point sends a fifth message to the terminal, where the fifth message includes the pre-association index information and the fifth message is a management message; or the access point sends a probe response message to the terminal, where the probe response message includes the pre-association index information.
  • Before receiving the association request message sent by the terminal, the method further includes: the access point generates encrypted capability information of the access point; and the access point sends the encrypted capability information of the access point to the terminal.
  • A third aspect provides a terminal configured to perform the method provided by the foregoing method embodiments. The terminal includes: a generating module, configured to generate encrypted capability information of the terminal; a receiving module, configured to receive pre-association index information sent by the access point, where the pre-association index information is used by the access point to identify the terminal; and a sending module, configured to send the encrypted capability information of the terminal and an association request message to the access point, where the association request message includes the pre-association index information. The receiving module is further configured to receive an association response message sent by the access point according to the capability information of the terminal, so that the terminal establishes association with the access point.
  • A fourth aspect provides an access point configured to perform the method provided by the foregoing method embodiments of the second aspect. The access point includes: a generating module, configured to generate pre-association index information related to the terminal, where the pre-association index information is used by the access point to identify the terminal when the terminal has not yet been associated with the access point; a sending module, configured to send the pre-association index information to the terminal; a receiving module, configured to receive the encrypted capability information of the terminal and the association request message sent by the terminal, where the association request message includes the pre-association index information; and a decryption module, configured to decrypt the encrypted capability information of the terminal. The sending module is further configured to send an association response message to the terminal according to the capability information of the terminal and the pre-association index information, so that the access point establishes association with the terminal.
  • A fifth aspect provides a terminal configured to perform the method provided by the foregoing method embodiments. The terminal includes a processor 1101, a memory 1102, a transmitter 1103 and a receiver 1105.
  • These components are coupled together; the receiver 1105 receives data through the antenna 1104, and the transmitter 1103 transmits data through the antenna 1104.
  • The processor 1101 is configured to generate the encrypted capability information of the terminal, and the receiver 1105 is configured to receive pre-association index information sent by the access point, where the pre-association index information is used by the access point to identify the terminal.
  • The transmitter 1103 is configured to send the encrypted capability information of the terminal and an association request message to the access point, where the association request message includes the pre-association index information; the receiver 1104 is further configured to receive an association response message sent by the access point according to the capability information of the terminal and the pre-association index information, so that the terminal establishes association with the access point.
  • A sixth aspect provides an access point configured to perform the method provided by the foregoing method embodiments. The access point includes a processor 1201, a memory 1202, a transmitter 1203 and a receiver 1205. These components are coupled together; the receiver 1205 receives data via the antenna 1204, and the transmitter 1203 transmits data via the antenna 1204.
  • The processor 1201 is configured to generate pre-association index information related to the terminal, where the pre-association index information is used by the access point to identify the terminal when the terminal has not yet established association with the access point.
  • The transmitter 1203 is configured to send the pre-association index information to the terminal, and the receiver 1205 is configured to receive the encrypted capability information of the terminal and the association request message sent by the terminal, where the association request message includes the pre-association index information; the processor 1201 is configured to decrypt the encrypted capability information of the terminal; and the transmitter 1203 is further configured to send an association response message to the terminal according to the capability information of the terminal and the pre-association index information, so that the access point and the terminal establish association.
  • A seventh aspect provides a computer readable medium for storing a computer program, the computer program comprising instructions for performing the method of the first aspect or any of the possible implementations of the first aspect.
  • An eighth aspect provides a computer readable medium for storing a computer program comprising instructions for performing the method of the second aspect or any of the possible implementations of the second aspect.
  • A ninth aspect provides a system for communication, comprising the terminal of the third aspect and the access point of the fourth aspect.
  • A tenth aspect provides a system for communication, comprising the terminal of the fifth aspect and the access point of the sixth aspect.
  • The capability information of the terminal is sent to the access point in encrypted form, so that even if an eavesdropper listens to the encrypted capability information on the air interface before or during the association process, it cannot decrypt it to obtain the capability information of the terminal. This prevents the eavesdropper from determining the location, time and other information of the terminal from the capability information, and so avoids leakage of user privacy.
  • The access point identifies the terminal by assigning pre-association index information to it. Even if the MAC address the terminal uses when sending the association request message differs from the MAC address it used before sending that message, the access point can still identify the terminal by the pre-association index information, determine the decryption key, decrypt the encrypted device capability information of the terminal, and thereby obtain the device capability information of the terminal.
  • FIG. 1 is an application scenario that may be used in an embodiment of the present invention.
  • FIG. 2 is a schematic block diagram of a smartphone according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of a method for establishing association in a wireless local area network according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of a method for establishing association in a wireless local area network according to another embodiment of the present invention.
  • FIG. 5 is a flowchart of a method for establishing association in a wireless local area network according to still another embodiment of the present invention.
  • FIG. 6 is a flowchart of a method for establishing association in a wireless local area network according to still another embodiment of the present invention.
  • FIG. 7 is a flowchart of a method for establishing association in a wireless local area network according to still another embodiment of the present invention.
  • FIG. 8 is a flowchart of a method for establishing association in a wireless local area network according to still another embodiment of the present invention.
  • FIG. 9 is a schematic block diagram of a terminal according to an embodiment of the present invention.
  • FIG. 10 is a schematic block diagram of an access point according to an embodiment of the present invention.
  • FIG. 11 is a schematic block diagram of a terminal according to another embodiment of the present invention.
  • FIG. 12 is a schematic block diagram of an access point according to another embodiment of the present invention.
  • FIG. 13 is a schematic block diagram of a terminal according to still another embodiment of the present invention.
  • FIG. 14 is a schematic block diagram of an access point according to still another embodiment of the present invention.
  • Embodiments of the present invention can be applied to various wireless communication systems, such as Wireless Fidelity (WiFi), Bluetooth, Worldwide Interoperability for Microwave Access (WiMAX), Wireless LAN Authentication and Privacy Infrastructure (WAPI) and other communication systems that interconnect terminals wirelessly.
  • WiFi: Wireless Fidelity
  • WiMAX: Worldwide Interoperability for Microwave Access
  • WAPI: Wireless LAN Authentication and Privacy Infrastructure
  • An Access Point, also known as a wireless access point, bridge or hotspot, can access a server or communication network.
  • An STA may be a wireless sensor, a wireless communication terminal or a mobile terminal, such as a mobile phone (or "cellular" phone) supporting WiFi communication or a computer with wireless communication capability; for example, it may be a portable, pocket-sized, handheld, computer built-in or in-vehicle wireless communication device supporting WiFi communication that exchanges voice and/or data with a wireless access network.
  • FIG. 1 is an application scenario that may be used in an embodiment of the present invention.
  • Before sending an association request to an AP, the STA first sends a probe request message to the AP, where the probe request message may include device information of the STA, and receives a probe response message sent by the AP according to the content of the probe request message.
  • The terminal also receives the beacon frame sent by the access point, and the beacon frame may include device information of the access point.
  • The terminal then sends an association request message to the AP, receives the association response message sent by the AP, and completes association with the AP.
  • After being associated with the AP, the terminal can establish a secure connection with the AP through security authentication messages, so as to perform subsequent data transmission.
  • The device information of the STA carried in the probe request message and/or the association request message is sent over the air interface, and the personalized information in the device information of the STA easily constitutes "fingerprint" information of the STA.
  • Through this fingerprint information, an eavesdropper can trace the STA by receiving and analyzing the probe request message and/or the association request message on the air interface, resulting in leakage of the user's private information.
  • When an STA with the WiFi function is in the unconnected state, it periodically sends probe request messages to scan the surrounding access points. Even when the STA is connected to the current AP, in practice it still sends probe request messages to scan the surrounding access points, so that when the signal of the current access point becomes weak, the STA can quickly complete the switch to another access point.
  • The STA therefore sends probe requests in both the associated state and the unassociated state, and the probe request carries device information such as device capability information, supported rate information, other personalized information and MAC address information. All or part of this device information easily constitutes the "fingerprint" information of the STA, and the eavesdropper can obtain information such as the location and time of the STA by listening for it, thereby obtaining the user's private information through analysis.
  • the problem of leaking user privacy through the MAC address of the STA can be solved by the temporary MAC address method, that is, the STA uses a temporary MAC address when it sends probe requests, and uses its real MAC address in the actual association process with the AP.
  • This method can prevent the eavesdropper from leaking the user's private information by listening to the MAC address to a certain extent, but the "fingerprint" information formed by the device information included in the probe request still reveals the user's private information.
  • FIG. 2 is a block diagram showing a partial structure of a smartphone 100 related to an embodiment of the present invention.
  • the smart phone 100 includes a radio frequency (Radio Frequency, abbreviated as "RF") circuit 110, a memory 120, an input unit 130, a display unit 140, an audio circuit 150, a WiFi module 160, a processor 170, and a power source 180.
  • FIG. 4 does not constitute a limitation to the mobile phone, which may include more or fewer components than those illustrated, combine some components, split some components, or arrange the components differently.
  • the RF circuit 110 can be used for receiving and transmitting signals during transmission and reception of information or during a call.
  • the processing is performed by the processor 170.
  • data related to the uplink is sent to the base station.
  • the RF circuit 110 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (Low Noise Amplifier, referred to as "LNA"), a duplexer, etc.
  • RF circuitry 110 can also communicate with the network and other devices via wireless communication.
  • the wireless communication can use any communication standard or protocol, including but not limited to Global System of Mobile Communication ("GSM"), General Packet Radio Service ("GPRS"), Code Division Multiple Access ("CDMA"), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, and Short Message Service ("SMS").
  • the memory 120 can be used to store software programs, and the processor 170 executes various functional applications and data processing of the smartphone 100 by running software programs stored in the memory 120.
  • the memory 120 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phone book, etc.) created according to the use of the smartphone 100.
  • memory 120 can include high speed random access memory, and can also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
  • the input unit 130 can be configured to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the smartphone 100.
  • the input unit 130 may include a touch panel and other input devices.
  • a touch panel, also referred to as a touch screen, can collect touch operations performed by the user on or near it (such as operations by the user using a finger, a stylus, or any other suitable object or accessory on or near the touch panel), and drives the corresponding connecting device according to a preset program.
  • the touch panel may include two parts: a touch detection device and a touch controller.
  • the touch detection device detects the touch orientation of the user, detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, and sends the contact coordinates to the processor 170.
  • touch panels can be implemented in various types such as resistive, capacitive, infrared, and surface acoustic waves.
  • the input unit may also include other input devices. Specifically, other input devices may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, joysticks, and the like.
  • the display unit 140 can be used to display information input by the user or information provided to the user as well as various menus of the device.
  • the display unit 140 may include a display panel.
  • the display panel may be configured in the form of a Liquid Crystal Display (“LCD”) or an Organic Light-Emitting Diode (OLED).
  • the touch panel may cover the display panel; when the touch panel detects a touch operation on or near it, it transmits the operation to the processor 170 to determine the type of the touch event, and the processor 170 then provides corresponding visual output on the display panel according to the type of the touch event.
  • although the touch panel and the display panel are two independent components implementing the input and output functions of the smart phone 100, in some embodiments the touch panel and the display panel may be integrated to implement the input and output functions of the mobile phone 100.
  • the audio circuit 150, the speaker, and the microphone can provide an audio interface between the user and the smartphone 100.
  • the audio circuit 150 can transmit the electrical signal converted from the received audio data to the speaker, which converts it into a sound signal for output; on the other hand, the microphone converts the collected sound signal into an electrical signal, which the audio circuit 150 receives and converts into audio data.
  • the audio data is output to memory 170 for further processing.
  • the WiFi module 160 is a basic circuit chipset integrating the WiFi function, and can perform wireless transmission according to the protocol.
  • the processor 170 is the control center of the smartphone 100; it connects the various portions of the entire smartphone 100 using various interfaces and lines and, by running or executing software programs and/or modules stored in the memory 120 and invoking data stored in the memory 120, performs the various functions of the smartphone 100 and processes data, thereby monitoring the smartphone 100 as a whole.
  • the processor 170 may include one or more processing units; optionally, the processor 170 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface, applications, etc.
  • the modem processor primarily handles wireless communications. It can be understood that the above modem processor may not be integrated into the processor 170.
  • the foregoing mobile phone including the WiFi module can serve both as an access point and as a terminal associated with an access point; in either role, since the mobile phone contains a large amount of the user's personal privacy information, it has a privacy protection requirement whether it is used as a terminal associated with an access point or as an access point.
  • the mobile phone acting as the terminal associated with the access point may be an application scenario of the embodiment of the present invention; that is, the terminal in the embodiment of the present invention may be the mobile phone described herein, and the structure of the terminal may refer to the partial structural block diagram of the handset (e.g., the transmitter and receiver of the terminal may correspond to the RF circuitry of the handset, which may perform similar or identical functions) and may have more or fewer components.
  • FIG. 3 is a schematic diagram of a method for establishing an association in a wireless local area network according to an embodiment of the present invention.
  • the method may be used in an application scenario where a wearable device is used as an AP and a mobile phone as an AP.
  • a STA may also be called a terminal, and the method includes:
  • the terminal generates encrypted capability information of the terminal.
  • the terminal may encrypt the personalized capability information of the terminal to generate the encrypted capability information of the terminal.
  • the personalized capability information of the terminal may be capability information unique to the terminal, that is, information from which an eavesdropper could track the device by means of the "fingerprint" composed of the personalized information of the terminal.
  • the capability information of the terminal may also include the general capability information of the terminal, and the capability information of the terminal may be all the information or the partial information in the device information of the terminal, which is not limited in this embodiment of the present invention.
  • the AP may also generate capability information of the encrypted AP. It should be understood that the capability information of the AP may be all information or partial information in the device information of the AP.
  • the AP can determine the capability information of the AP that performs the encrypted transmission according to the requirements of the secure transmission.
  • when a terminal is associated with the AP, the AP may also have a privacy protection requirement.
  • the AP may therefore also generate encrypted capability information of the AP, where the AP capability information may be all or part of the information in the device information of the AP.
  • the access point generates pre-association index information related to the terminal, where the pre-association index information is used to identify the terminal when the terminal has not established association with the access point.
  • the access point generates the pre-association index information, and the pre-association index information may not change in a period of time.
  • the AP may also make the pre-association index long enough that the pre-association index information remains unique for a long time. In this way, after the AP generates the pre-association index, it can identify a specific terminal for a long time, determine the capability information of the terminal corresponding to the pre-association index according to the pre-association index information, and in the subsequent association process establish the association using the capabilities corresponding to the terminal.
  • the pre-association index information may also correspond to a single terminal, and the pre-association index information generated by the AP remains unique within the valid time of the index information, that is, each terminal corresponds to different pre-association index information; in other words, the pre-association index information is in a one-to-one relationship with the terminal.
  • the pre-association index information herein may be an identity (ID) identifier, a string of numbers, a certain character, a combination of numbers and characters, etc., which is not limited in this embodiment of the present invention.
  • the pre-association index information is generated before the association, and its validity period may vary: it may become invalid once the STA completes the association with the AP, or it may remain valid for a long time, so that it is still valid when the STA associates with the AP the next time.
  • the AP generates pre-association index information, where the pre-association index information may also identify the capability information of the terminal. For example, when the terminal has the capability information 1, the AP generates pre-association index information 1 corresponding to the capability information 1. When the terminal has the capability information 2, the AP generates pre-association index information 2 corresponding to the capability information 2. During the actual association between the AP and the terminal, the AP may determine the capability information of the terminal according to the pre-association index information, and then use the corresponding capability to perform data transmission with the terminal.
  • when the pre-association index information generated by the AP corresponds to different device capability information, the same pre-association index information may correspond to multiple terminals, which is a one-to-many relationship; for example, every terminal having the capability information 1 may correspond to pre-association index information 1.
  • when the pre-association index information is used to identify the capability information of the terminal, there need only be a limited number of pre-association index values, so that the personalized device capability information of the terminal is prevented from forming a "fingerprint" that leaks private information, which improves the privacy protection capability of the terminal.
  • the AP may also generate encrypted pre-association index information.
  • this prevents an eavesdropper from obtaining the pre-association index information through the air interface, thereby better protecting the privacy of the user.
  • the order between the terminal generating the encrypted capability information in S110 and the AP generating the pre-association index information in S320 is not limited: the terminal may first generate the encrypted capability information, or the AP may first generate the pre-association index information.
  • the access point sends the pre-association index information to the terminal.
  • the access point may also send the encrypted pre-association index information to the terminal, which is not limited in this embodiment of the present invention.
  • the access point may send a fifth message to the terminal, where the fifth message includes the pre-association index information.
  • the fifth message may be a newly defined frame.
  • the fifth message may be a management frame, such as an Action frame or a Public Action frame, and the above pre-association index information is carried in the Action frame.
  • the access point may further receive an associated frame sent by the terminal, where the associated frame may include general capability information of the terminal, and where the associated frame may also be a newly defined management frame, for example an Action frame. That is, when the terminal sends the general capability information of the terminal to the access point through the newly defined management frame, the access point may send the pre-association index information to the terminal through the newly defined fifth message.
  • the access point may also send the encrypted pre-association index information through the fifth message.
  • the access point may send a probe response message to the terminal, where the probe response message includes pre-association index information.
  • the method further includes: the terminal sending the probe request message to the access point.
  • the terminal sends a probe request message to the AP, where the probe request message may include general capability information of the terminal; it should be understood that the terminal may also determine, according to its demand for privacy protection, which general capability information to include in the probe request. For example, when the terminal has a high demand for privacy protection, none of the device capability information that an eavesdropper could use to generate a "fingerprint" is transmitted.
  • the access point may also encrypt the pre-association index information, that is, the access point may send the encrypted pre-association index information to the terminal in the probe response message. After the access point receives the probe request message of the terminal, the access point sends a probe response message to the terminal in response to the probe request message, where the probe response message may include the pre-association index information generated by the AP.
  • when the terminal transmits the general capability information in the newly defined management frame, the access point sends the newly defined associated frame to the terminal to transmit the pre-association index information.
  • the terminal may carry the general capability information of the terminal by using the probe request message, and the access point may send the pre-association index information to the terminal by using the newly defined frame.
  • the terminal may send the pre-association index information of the terminal to the access point by using the newly defined frame, and the access point may send the pre-association index information to the terminal in the probe response message.
  • the newly defined frame here can be a management frame, such as an Action frame.
  • the S330 step does not define a sequential relationship with the S310 step.
  • the AP need only transmit the pre-association index information before the terminal initiates the association request.
  • the pre-association index information is used by the terminal to be carried in the association request, so that the AP identifies the terminal corresponding to the association request.
  • the terminal sends the encrypted capability information of the terminal and the association request message to the access point, where the association request message includes the pre-association index information.
  • the capability information and the association request message of the encrypted terminal may be sent simultaneously, or may be sent in different messages.
  • the capability information of the encrypted terminal is sent first, and then the association request message is sent.
  • sending the encrypted capability information of the terminal to the access point can be implemented in various ways; specific implementations are described below.
  • the terminal sends the capability information and the association request message of the encrypted terminal to the access point, including:
  • the terminal sends an association request message to the access point, where the association request message includes the encrypted capability information of the terminal.
  • the terminal may include an IE in the association request message sent to the AP, where the IE carries the encrypted capability information of the terminal; that is, a new information element (Information Element, IE) is created in the association request message to carry the encrypted capability information of the terminal.
  • the AP may determine the terminal according to the pre-association index information and determine the key previously negotiated with that terminal, so that the AP uses the corresponding key to decrypt the received encrypted capability information of the terminal.
  • the terminal sends the encrypted capability information and the association request message of the terminal to the access point, including:
  • the terminal sends a first message to the access point, where the first message includes the encrypted capability information of the terminal, where the first message is a management message;
  • the terminal sends the association request message to the access point.
  • the first message may be a newly defined frame.
  • the first message may be a management frame, such as an Action frame or a Public Action frame, and the terminal may carry the encrypted capability information of the terminal in the Action frame; of course, the first message may also be another type of frame.
  • the terminal sends an association request message to the access point, where the association request message carries the pre-association index information.
  • an IE may be created in the association request message, and the pre-association index information is carried in the IE.
  • the pre-association index information is generated by the AP and sent to the terminal, and the terminal may carry the pre-association index information in the association request message, so that the AP can determine the terminal according to the pre-association index information. In this way, even if the association message and the messages previously sent by the terminal to the AP use different MAC addresses, the AP can still determine the corresponding terminal according to the pre-association index information.
  • the terminal may send the first message to the access point before the terminal sends the association request message; that is, before the terminal sends the association request message to the AP, the AP may already have acquired the capability information of the terminal.
  • the AP may send the pre-association index information to the terminal either before or after the terminal sends the first message, which is not limited in this embodiment of the present invention; however, the AP sends the pre-association index information to the terminal before the terminal sends the association request message.
  • for example, the terminal sends the encrypted capability information of the terminal in the first message, and after receiving the capability information of the terminal the AP sends the pre-association index information to the terminal; when the terminal then sends the association request message to the access point, it carries the pre-association index information previously allocated by the AP for the terminal, so that when the terminal sends the association request message the AP can also determine the capability information of the terminal according to the pre-association index information carried in the association request message.
  • the AP allocates pre-association index information to the terminal.
  • the pre-association index information allocated by the access point for the terminal may be used to identify the capability information of the terminal; for example, after the access point obtains the encrypted capability information of the terminal, the access point identifies the capability information 1 of the terminal by using the pre-association index information 1 and sends the pre-association index information 1 to the terminal.
  • the pre-association index information 1 can subsequently be used by the access point to determine the capability information of the terminal.
  • the capability information of the terminal may be sent before the association request message by using the first message; therefore, the capability information of the terminal may not be included in the association request message at all, or only the general capability information of the terminal may be included, and the access point can determine the corresponding terminal by the pre-association index information carried in the association request message.
  • the terminal sending the encrypted capability information of the terminal to the access point includes:
  • the terminal sends a probe request message to the access point, where the probe request message includes the encrypted capability information of the terminal.
  • the terminal sends a probe request message to the access point, and may create an IE in the probe request message to carry the encrypted capability information of the terminal; of course, an existing IE in the probe request message may also carry the encrypted capability information of the terminal.
  • the MAC address used by the terminal to send the association request message to the access point is different from the MAC address used by the message before the terminal sends the association request message to the access point.
  • in the process of associating with the AP, the terminal first goes through a scanning phase; that is, the MAC address the terminal uses for signaling interaction with the AP before sending the association request to the AP may differ from the MAC address the terminal uses for the association itself.
  • therefore, in the embodiment of the present invention, the AP may use the generated pre-association index information to identify the terminal and/or the capability of the terminal when the terminal actually associates with the AP.
  • even if the MAC address used toward the AP is changed when the terminal sends the association request to the AP, the AP can still determine which terminal the previous request corresponds to by the pre-association index information, and determine the corresponding capability information.
  • the access point decrypts the capability information of the encrypted terminal.
  • after receiving the encrypted capability information of the terminal sent by the terminal, the access point decrypts the encrypted capability information, thereby acquiring the capability information of the terminal.
  • the access point decrypting the encrypted capability information of the terminal in S350 may take place before the terminal sends the association request message in S340, but after the first message.
  • the pre-association index information generated by the access point may also be after S350, that is, the access point may generate pre-association index information according to the capability information of the terminal after acquiring the encrypted capability information of the terminal.
  • the access point generating association index information may also be before S350, which is not limited in this embodiment of the present invention.
  • the access point sends an association response message to the terminal according to the capability information of the terminal and the pre-association index information, so as to complete association with the terminal.
  • step S360 may send an association response message to the terminal according to the pre-association index information, and complete association with the terminal.
  • the access point and the terminal establish a secure connection.
  • when the terminal receives the association response message sent by the AP carrying indication information that the association is successful, the terminal has completed the association with the AP, and the two may then establish a connection to transmit data; security authentication between the terminal and the AP may take place before the terminal sends the association request message, or after the terminal receives the association response message and before the connection between the two is established.
  • the sequence numbers of the foregoing processes do not imply an order of execution.
  • for example, the access point sending the pre-association index information to the terminal in S330 is not necessarily after S310; S330 may also be executed before S310. The order of execution of the various processes should be determined by their function and intrinsic logic, and should not be construed as limiting the implementation of the embodiments of the present invention.
  • the capability information of the terminal is sent to the access point in encrypted form, so that even if an eavesdropper listens to the air interface before or during the association, it cannot acquire the capability information of the terminal.
  • this prevents the eavesdropper from determining information such as the location and time of the terminal according to the capability information of the terminal, thereby avoiding leakage of user privacy.
  • the access point identifies the terminal by assigning pre-association index information to the terminal, so that even if the MAC address the terminal used before sending the association request message differs from the MAC address used to send the association request message, the access point can still identify the terminal by the pre-association index information, determine the decryption key for the encrypted device capability information of the terminal, and decrypt it to obtain the device capability information of the terminal.
  • before the terminal sends the encrypted capability information of the terminal to the access point, the method further includes:
  • the terminal sends a probe request message to the access point;
  • the terminal receives a probe response message sent by the access point according to the probe request message.
  • when the terminal transmits the encrypted capability information of the terminal in a newly defined frame, for example a management frame, and the access point likewise sends the association request message to the terminal in a newly defined frame, the terminal may carry only the general capability information of the terminal in the probe request message, and the AP may use the general capability information to determine whether to proceed with the subsequent association with the terminal.
  • the AP may also carry the general capability information of the AP in the probe response message; if the AP's information does not need to be kept secret, the AP may also carry the personalized capability information of the AP in the probe response message.
  • before the terminal sends the encrypted capability information of the terminal to the access point, the method further includes:
  • the terminal generates an encryption key of the terminal according to the public key of the access point, and the encryption key of the terminal is used to encrypt the capability information of the terminal.
  • the terminal and the AP send their public keys to each other to implement public key exchange;
  • the public key of the terminal corresponds to the private key of the terminal, and the public key of the access point corresponds to the private key of the access point.
  • the two actions of the terminal sending the public key to the access point and the access point sending the public key to the terminal may not distinguish the order, as long as the exchange of the public keys with each other is realized through signaling interaction.
  • the public key of the terminal may also be referred to as the public key information of the terminal
  • the public key of the AP may also be referred to as the public key information of the AP.
  • the key exchange between the terminal and the access point through signaling may be implemented in various ways.
  • the following describes the key exchange between the terminal and the access point. It should be understood that the following description is only the present. Several alternative manners of the embodiments of the invention, but the embodiments of the invention are not limited thereto.
  • the terminal may generate an encryption key according to the private key of the terminal and the public key of the access point, and use the encryption key to encrypt the device capability information of the terminal, generating encrypted device capability information.
  • other information may also be fed into the key generation, for example the location information of the access point, or a random value (nonce).
  • the generated encrypted terminal capability information may be simultaneously carried in the message that sends the public key to the access point.
  • the access point may generate a decryption key according to the public key of the terminal and the private key of the access point, and use it to decrypt the encrypted device capability information of the terminal, thereby obtaining the device capability information of the terminal.
  • the terminal sends the public key of the terminal to the access point, including:
  • the terminal sends a probe request message to the access point, where the probe request message includes a public key of the terminal;
  • the terminal sends a second message to the access point, where the second message includes the public key of the terminal, and the second message is a management message.
  • the terminal sends a probe request message to the access point, where the probe request message includes the public key of the terminal: the probe request message may include a newly defined IE in which the public key of the terminal is carried, or the public key of the terminal may be carried by an existing IE in the probe request message.
  • the terminal herein may carry the public key of the terminal through a unicast and/or multicast probe request message and/or a second message, where the multicast may include a broadcast.
  • the second message may be a newly defined frame, for example an Action frame or a Public Action frame, in which the public key of the terminal is carried.
  • the terminal receives the public key of the access point sent by the access point, including:
  • after receiving the probe request message sent by the terminal, the access point sends a probe response message to the terminal according to the probe request message, and may newly define an IE in the probe response message to carry the public key of the access point; of course, the public key of the access point may also be carried through an existing IE in the probe response message.
  • the terminal receives the public key of the access point sent by the access point, including:
  • the terminal receives the third message sent by the access point, where the third message includes the public key of the access point, and the third message is a management message.
  • the third message may be a newly defined frame, such as an Action frame or a Public action frame, in which the public key of the access point is carried.
  • the access point may carry the public key of the access point through a unicast and/or multicast probe response message and/or third message, where the multicast may include a broadcast.
  • the terminal receives the public key of the access point sent by the access point, including:
  • the terminal receives a beacon frame sent by the access point, and the beacon frame includes a public key of the access point.
  • the access point may newly define an IE in the beacon frame sent to the terminal to carry the public key of the access point, or may carry the public key of the access point through an existing IE in the beacon frame.
  • when the AP sends the public key of the AP to the terminal, the AP may at the same time indicate to the terminal that it supports the security association mode.
  • for example, the AP may carry the public key of the AP in the probe response message together with indication information that the access point supports the security association mode.
  • the AP may also implicitly indicate that the AP supports the security association mode by sending the public key to the terminal.
  • the process of exchanging keys between the AP and the terminal may take place before the terminal discovers the AP capability (that the AP supports the security association mode) or after the terminal discovers the AP capability; the embodiment of the present invention is not limited in this respect.
  • the terminal and the AP may calculate and generate their respective encryption keys using the Diffie-Hellman (DH) key exchange algorithm.
  • after obtaining the public key of the AP, the terminal can calculate the terminal's encryption key STA-dhk through the DH algorithm and its own private key STA-pk; after obtaining the public key of the terminal, the AP can likewise calculate the AP's encryption key AP-dhk through the DH algorithm and its own private key AP-pk. STA-dhk and AP-dhk are the same symmetric key, so the AP can use AP-dhk to decrypt capability information of the terminal encrypted with STA-dhk, and the terminal can use STA-dhk to decrypt capability information of the AP encrypted with AP-dhk.
  • the terminal and the AP may also generate their respective encryption keys based on other key exchange algorithms, for example the Elliptic Curve Diffie-Hellman (ECDH) key exchange algorithm.
  • when the terminal sends its public key to the access point, a field value and/or a random number may be sent to the access point at the same time.
  • for example, the terminal may carry a field value and/or a nonce in the second message that carries the public key of the terminal, so that the AP-dhk generated by the access point varies from one exchange to the next. The encryption keys generated by the terminal and/or the access point then better protect the capability information of the terminal and/or the access point, and improve the privacy protection of the user.
  • likewise, when the access point sends its public key to the terminal, a field value and/or a random number may be sent to the terminal at the same time.
  • for example, the access point may carry a field value and/or a nonce in the third message that carries the public key of the access point, so that the STA-dhk generated by the terminal varies from one exchange to the next. The encryption keys generated by the terminal and/or the access point then better protect the capability information of the terminal and/or the access point, and improve the privacy protection of the user.
  • the access point and/or the terminal may periodically change their respective public/private key pairs.
  • the encryption keys generated by the access point and the terminal after the public key exchange then also change periodically, so that the encryption keys generated by the terminal and/or the access point better protect the capability information of the terminal and/or the access point.
  • the method further includes: receiving, by the terminal, indication information sent by the access point, where the indication information is used to indicate that the access point supports capability information transmission of the terminal that is encrypted with the terminal.
  • support for the transmission of the capability information encrypted by the terminal may also be referred to as the access point supporting a security association mode, or an anti-tracking working mode, or by another name; the embodiment of the present invention is not limited in this respect.
  • the terminal needs to determine whether the AP supports the transmission of the capability information encrypted by the terminal.
  • the AP may also support the transmission of the capability information encrypted by the terminal by default.
  • in that case the AP need not separately send indication information to the terminal to indicate this support, and the terminal assumes by default that the AP supports the transmission of the capability information encrypted by the terminal.
  • the sending of the indication information to the terminal by the access point may also be referred to as a capability discovery process, that is, the terminal receives the indication information sent by the access point and thereby discovers that the access point supports the security association mode.
  • the terminal receives the indication information sent by the access point, where the terminal receives the probe response message sent by the access point, where the probe response message includes the indication information.
  • the access point may carry the indication information in the probe response message sent to the terminal.
  • an IE may be newly defined in the probe response message sent to the terminal to carry the foregoing indication information, which indicates that the AP supports the security association mode; of course, the access point may also carry the indication information in an existing IE of the probe response message.
  • the terminal may also carry the indication information indicating that the terminal supports the security association mode in the probe request message.
  • when the terminal has indicated its support in the probe request message, the AP may also implicitly indicate that it supports the security association mode merely by replying to the terminal with a probe response message; that is, the AP does not need to include indication information that the AP supports the security association mode in the probe response message.
  • the terminal receives the indication information sent by the access point, including:
  • the terminal receives the fourth message sent by the access point, where the fourth message includes indication information, and the fourth message is a management message.
  • the fourth message may be a newly defined frame, for example an Action frame, carrying indication information that the access point supports the transmission of the capability information encrypted by the terminal; that is, the access point may carry the indication information in a newly defined frame to indicate that it supports the security association mode.
  • when the AP indicates its support for the security association mode by using the newly defined Action frame, the AP may first receive a newly defined Action frame sent by the terminal, in which the terminal may carry indication information that the terminal also supports the security association mode.
  • alternatively, the terminal does not carry indication information that it supports the security association mode in the Action frame sent to the AP, and the terminal is assumed by default to support the security association mode.
  • the AP may also implicitly indicate that it supports the security association mode by not including indication information of its support in the Action frame sent to the terminal.
  • the terminal receives the indication information sent by the access point, where the terminal receives a beacon frame sent by the access point, where the beacon frame includes the indication information.
  • an IE may be newly defined in the beacon frame to carry the foregoing indication information, indicating that the AP supports the security association mode; an existing IE in the beacon frame may also carry the indication information.
  • the indication information indicating that the AP supports the security association mode may also be in other manners.
  • the AP may send a broadcast message and/or another synchronization message to the terminal in a broadcast manner, carrying the indication information in that broadcast message and/or synchronization message, and after the terminal hears the broadcast message it learns that the AP supports the security association mode.
  • the AP may also send the indication information to other devices; when a terminal that needs to associate with the AP overhears the indication information, the terminal learns that the AP supports the security association mode.
  • those skilled in the art may obtain other indication information indicating that the access point supports the security association mode according to the actual application scenario, which is not limited in this embodiment of the present invention.
  • the technical solution of the embodiment of the present invention can also be used as a manufacturer's proprietary solution, that is, devices of the same manufacturer can adopt the technical solution of the embodiment, which can be implemented by extending the Vendor Specific IE in existing messages.
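As an added example (not the patent's own code), the following Python encodes the "supports security association mode" indication and a public key into Vendor Specific information elements (element ID 221) and parses them back out of a beacon or probe response body. The OUI, the subtype byte and the fragment header are placeholders assumed here; the patent only says that a newly defined or vendor-specific IE may carry the indication and the public key. It also shows the one-byte IE length limit that a 2048-bit DH public value runs into, which a 32-byte ECDH value does not.

```python
# Added example, not code from the patent: Vendor Specific IE encoding/parsing
# for the security-association indication and public key.  OUI, subtype and
# fragment header layout are placeholders chosen for this example.
VENDOR_SPECIFIC = 221
OUI = bytes.fromhex("001122")          # placeholder OUI (assumption)
TYPE_SEC_ASSOC = 0x01                   # placeholder subtype for this IE (assumption)
MAX_IE_BODY = 255                       # the IE length field is a single byte
FRAG_HDR = len(OUI) + 1 + 2             # OUI, subtype, fragment index, fragment count
CHUNK = MAX_IE_BODY - FRAG_HDR          # 249 payload bytes per IE


def build_sec_assoc_ies(pubkey, supports=True):
    """Flag byte + public key, split across as many Vendor Specific IEs as needed.
    A 2048-bit MODP public value (256 bytes) does not fit in one IE; a 32-byte
    ECDH point does, which is one practical reason to prefer ECDH here."""
    payload = bytes([0x01 if supports else 0x00]) + bytes(pubkey)
    chunks = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)]
    if len(chunks) > 255:
        raise ValueError("payload too large for a one-byte fragment count")
    out = bytearray()
    for idx, chunk in enumerate(chunks):
        body = OUI + bytes([TYPE_SEC_ASSOC, idx, len(chunks)]) + chunk
        out += bytes([VENDOR_SPECIFIC, len(body)]) + body
    return bytes(out)


def parse_ies(buf):
    """Yield (element id, body); refuse to read past the end of a truncated frame."""
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated IE header")
        eid, length = buf[off], buf[off + 1]
        body = buf[off + 2:off + 2 + length]
        if len(body) != length:
            raise ValueError("IE length runs past the frame body")
        yield eid, body
        off += 2 + length


def find_sec_assoc(buf):
    """Return {'supports': bool, 'pubkey': bytes}, or None if the IE is absent."""
    frags, total = {}, None
    for eid, body in parse_ies(buf):
        if (eid != VENDOR_SPECIFIC or len(body) < FRAG_HDR
                or body[:3] != OUI or body[3] != TYPE_SEC_ASSOC):
            continue                     # some other vendor's IE, or not ours
        idx, count = body[4], body[5]
        if total is None:
            total = count
        if count != total or idx >= total or idx in frags:
            raise ValueError("bad fragment header")
        frags[idx] = body[6:]
    if total is None:
        return None
    if len(frags) != total:
        raise ValueError("missing fragment")
    payload = b"".join(frags[i] for i in range(total))
    return {"supports": bool(payload[0] & 0x01), "pubkey": payload[1:]}


def sample_beacon_body(pubkey):
    """Constructed beacon IE list: SSID, Supported Rates, then our vendor IEs."""
    ssid = bytes([0, 4]) + b"demo"
    rates = bytes([1, 4]) + bytes([0x82, 0x84, 0x8B, 0x96])
    return ssid + rates + build_sec_assoc_ies(pubkey)
```

A beacon body is just a sequence of IEs, so `parse_ies` skips the SSID and Supported Rates elements and `find_sec_assoc` reassembles the fragments; a truncated frame raises instead of being read past its end.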
  • a method for establishing association in a wireless local area network will be described in detail below by taking a STA (or terminal) as a wearable device and an AP as a smart phone as an example.
  • the use of the AP as the smart phone and the STA as the wearable device is merely for convenience of description, and should not be limited to the scope of protection of the embodiments of the present invention.
  • when the smartphone is used as an AP, it can also have the same privacy protection requirements as the STA.
  • the STA may also be referred to as a terminal.
  • FIG. 4 is a flow chart showing a method for establishing association in a wireless local area network according to an embodiment of the present invention. The method includes:
  • S401 The terminal receives a beacon frame sent by the AP.
  • the beacon frame may carry indication information indicating that the AP supports the terminal security association mode.
  • the beacon frame may include a newly defined IE, and the indication information may be carried in the newly defined IE.
  • the security association mode may be that the AP supports and the terminal performs device capability information encryption transmission. That is, the AP supports the technical solution of the embodiment of the present invention.
  • the beacon frame may carry the public key of the AP.
  • a newly defined IE may be included in the beacon frame, and the public key of the AP may be carried in the IE.
  • the public key of the AP corresponds to the private key of the AP, and the public key may enable the STA to generate an encryption key of the STA.
  • the process of generating an encryption key by the terminal uses at least the public key of the AP and the private key of the terminal itself. Of course, the terminal may also combine other information, for example location information of the terminal, into the generation of the STA's encryption key, so that the generated encryption key varies.
  • the beacon frame may also carry general capability information of the AP.
  • the access point sends a beacon frame to the terminal, where the beacon frame can carry the general capability information of the access point, used by the terminal to determine, according to the general capability information of the access point, whether further association is needed.
  • the beacon frame may also carry personalized capability information of the AP.
  • S402 The terminal sends a probe request message to the AP.
  • the probe request message may carry general capability information of the terminal. That is to say, the probe request message need no longer contain the capability information of the terminal that we wish to hide or protect, or only capability information of the terminal that has no distinctive personalized feature. In this way, even if an attacker listens to the Probe Request message, it cannot obtain "fingerprint" information that identifies the terminal, and so cannot track the terminal.
  • the terminal may use one or more types of general capability information to indicate its capabilities to the AP, so that the AP determines whether it satisfies the conditions of the STA's query (which may also be understood as letting the AP determine whether it can meet the requirements of the terminal), or whether the STA satisfies the communication conditions of the AP, and thus whether to reply with a probe response message. It should be understood that, since the terminal sends only one or more items of general device capability information that many other terminals use at the same time, even an eavesdropper that obtains the general capability information cannot identify the terminal, which reduces the possibility of the terminal being tracked.
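As an added example (not from the patent) of the tracking risk this step removes, the script below runs a simple probe request fingerprint over constructed probes: one device sending under three randomized MACs and four other devices sending once each. The field names stand in for the IEs a capture would carry; the fingerprint is a hash of the ordered field values, which is how passive trackers link randomized MACs.

```python
# Added example, not code from the patent: probe request fingerprinting over
# constructed probes (no captured traffic).  "DEV_A" probes three times under
# three randomized MACs; the field names stand in for real IEs.
import hashlib
from collections import defaultdict

DEV_A = {"std": "802.11n", "rates": "1,2,5.5,11,6,9,12,18", "ht_caps": "0x11ef",
         "ext_caps": "0x04", "vendor_ies": "oui-A", "ie_order": "0,1,50,45,127,221"}
PROBES = [
    dict(DEV_A, src="02:1a:3b:00:00:01"),
    dict(DEV_A, src="02:1a:3b:00:00:02"),
    dict(DEV_A, src="02:1a:3b:00:00:03"),
    {"src": "02:9c:44:00:00:10", "std": "802.11n", "rates": "1,2,5.5,11", "ht_caps": "0x01ef",
     "ext_caps": "0x00", "vendor_ies": "oui-B", "ie_order": "0,1,50,45,221"},
    # same as DEV_A except for the vendor IE: still a distinct fingerprint
    {"src": "02:9c:44:00:00:11", "std": "802.11n", "rates": "1,2,5.5,11,6,9,12,18", "ht_caps": "0x11ef",
     "ext_caps": "0x04", "vendor_ies": "oui-C", "ie_order": "0,1,50,45,127,221"},
    {"src": "02:9c:44:00:00:12", "std": "802.11n", "rates": "1,2,5.5,11", "ht_caps": "0x0000",
     "ext_caps": "0x00", "vendor_ies": "", "ie_order": "0,1,50"},
    {"src": "02:9c:44:00:00:13", "std": "802.11n", "rates": "1,2,5.5,11,6,9,12,18", "ht_caps": "0x01ef",
     "ext_caps": "0x04", "vendor_ies": "", "ie_order": "0,1,50,45"},
]

# what a "personalized" probe leaks versus what a "general" probe leaks
PERSONALIZED = ("rates", "ht_caps", "ext_caps", "vendor_ies", "ie_order")
GENERAL = ("std",)


def fingerprint(probe, fields):
    """Hash of the selected field values in a fixed order; the MAC is not used."""
    material = "|".join(f"{f}={probe.get(f, '')}" for f in fields)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def link_macs(probes, fields):
    """Group source MACs by fingerprint: this is what a passive tracker sees."""
    groups = defaultdict(set)
    for p in probes:
        groups[fingerprint(p, fields)].add(p["src"])
    return dict(groups)


def anonymity_set(probes, fields, src):
    """Number of MACs sharing the fingerprint of `src`.  With personalized fields
    the three MACs of DEV_A end up alone in one group, i.e. linked to each other;
    with general fields every probe in the crowd shares one fingerprint."""
    target = next(p for p in probes if p["src"] == src)
    return len(link_macs(probes, fields)[fingerprint(target, fields)])
```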
  • the probe request message may carry indication information indicating that the terminal supports the security association mode.
  • the probe request message may carry a public key of the terminal, where the public key is used by the AP to generate a decryption key for decrypting the capability information of the encrypted terminal.
  • the terminal and the AP may calculate and generate their respective encryption keys by using the Diffie-Hellman (DH) key exchange algorithm.
  • after obtaining the public key of the AP, the terminal can calculate the terminal's encryption key STA-dhk through the DH algorithm and its own private key STA-pk; after obtaining the terminal's public key STA-PK, the AP can likewise calculate the AP's encryption key AP-dhk through the DH algorithm and its own private key AP-pk. STA-dhk and AP-dhk are the same symmetric encryption key, that is, the AP can use AP-dhk to decrypt capability information of the terminal that was encrypted with STA-dhk, and the terminal can use STA-dhk to decrypt capability information of the AP that was encrypted with AP-dhk.
  • the AP and the terminal use the DH key exchange algorithm to generate the respective encryption keys, which is only one implementation manner. Those skilled in the art may also generate respective encryption keys through other key exchange algorithms. The embodiment is not limited.
  • S403 The access point sends a probe response message to the terminal.
  • the probe response message may carry general capability information of the AP.
  • the probe response message may further include personalized capability information of the AP; the embodiment of the invention is not limited thereto.
  • the probe response message may carry an AP's public key.
  • the probe response message may carry indication information indicating that the access point supports the security association mode.
  • S404 The terminal sends a first request frame to the access point, where the first request frame is a newly defined management frame.
  • the first request frame may be an Action frame, but the present invention is not limited thereto.
  • the first request frame may also be other types of frames.
  • the first request frame may carry a public key of the terminal.
  • after obtaining the public key of the terminal, the access point may calculate the access point's decryption key AP-dhk according to the DH algorithm; AP-dhk is used to decrypt the capability information of the terminal and can also be used to encrypt the capability information of the access point.
  • the first request frame may carry general capability information of the terminal.
  • the terminal may indicate its capabilities to the access point by using one or more types of general capability information (one or more items of the general device capability information) in the first request frame, so that the access point determines whether it satisfies the query condition of the terminal, or whether the terminal satisfies the communication capability condition of the AP, and thus whether to reply with a response frame.
  • the first request frame may carry indication information indicating that the terminal supports a security association mode.
  • S405 The access point sends a first response frame to the terminal, where the first response frame is a newly defined management frame.
  • the first response frame may be an Action frame, but the embodiment of the present invention is not limited thereto.
  • the first response frame may also be other types of frames.
  • the first response frame may carry general capability information of the access point.
  • the first response frame may further carry an access point public key.
  • after obtaining the public key of the access point, the terminal may calculate the terminal's encryption key STA-dhk according to the DH algorithm; STA-dhk is used to encrypt the capability information of the terminal and can also be used to decrypt the capability information of the access point.
  • the AP may also carry the personalized capability information of the access point in the first response frame. If the access point also needs privacy protection, then once the access point has obtained the public key of the terminal it can generate AP-dhk from the public key of the terminal, the private key of the access point, and so on, encrypt the personalized capability information of the access point with it, and send the encrypted capability information of the access point to the terminal in the same message as the public key of the access point; the terminal then calculates STA-dhk to decrypt the capability information of the access point.
  • the general capability information of the access point can be used by the terminal to determine whether the access point satisfies the terminal's requirements, and thus whether to proceed with the transmission of the encrypted capability information or with further association; the embodiment of the present invention is not limited in this respect.
  • the first response frame may carry indication information indicating that the access point supports a security association mode.
  • when the terminal carries indication information that it supports the security association mode in the first request frame sent to the access point, the access point may also implicitly indicate that it supports the security association mode, that is, the access point does not carry explicit indication information of its support in the first response frame.
  • the first response frame herein may correspond to the third message and/or the fourth message in the claims: when the first response frame carries the public key of the access point it may correspond to the third message, and when it carries indication information that the access point supports the encrypted transmission of the terminal's capability information it may correspond to the fourth message.
  • the first response frame may also be the third message and the fourth message at the same time, that is, the third message and the fourth message may be the same message, and that message may be the first response frame here.
  • S406 The terminal generates the encrypted capability information of the terminal.
  • the terminal may generate, by using the DH algorithm, the public key of the access point and its own private key, an encryption key for encrypting the terminal capability information, and then encrypt the capability information of the terminal by using that encryption key.
  • the label S406 does not limit the execution order of this step: once the terminal has acquired the public key of the access point it may generate the encryption key and, from it, the encrypted capability information of the terminal; the embodiment of the present invention is not limited in this respect.
  • the access point and the terminal may add location information and/or a Nonce when calculating their respective encryption keys according to the DH algorithm, so that the encrypted content varies.
  • alternatively, the STA or the AP may change its own public/private key pair at intervals.
  • S407 The terminal sends a second request frame to the access point, where the second request frame carries the encrypted capability information of the terminal, and the second request frame is a newly defined management frame.
  • the encrypted capability information of the terminal is sent to the access point through the newly defined management frame, so that the capability information of the terminal is never sent in the clear on the air interface; an attacker listening to air interface messages therefore cannot obtain the capability information of the terminal, derive "fingerprint" feature information of the terminal from it, and track the terminal.
  • the second request frame may be a Public Action frame.
  • the second request frame may also be other types of frames, which is not limited in this embodiment of the present invention.
  • S408 The access point generates pre-association index information according to the capability information of the terminal, where the pre-association index information is used to identify the terminal.
  • the AP may generate a decryption key for decrypting the encrypted capability information of the terminal according to the public key of the terminal, its own private key, and the DH algorithm.
  • after receiving the encrypted capability information sent by the terminal, the access point decrypts it by using the decryption key it generated, thereby obtaining the capability information of the terminal.
  • after obtaining the capability information of the terminal, the access point may determine whether it meets the requirements of the AP that the terminal is looking for, or whether the terminal meets the access point's association requirements, and so decide whether to continue the subsequent communication with the terminal.
  • the pre-association index information may be unique for a period of time, that is, it distinguishes different terminals. The pre-association index information may also be made long enough to be unique for a long time, so that when the access point subsequently receives the association request of the terminal it can determine the capability information corresponding to the terminal and use the corresponding capabilities to establish the association.
  • the pre-association index information may correspond to one set of device capability information; for example, a terminal having capability information 1 corresponds to pre-association index 1, and a terminal having capability information 2 corresponds to pre-association index 2.
  • S409 The access point sends a second response frame to the terminal, where the second response frame carries the pre-association index information generated by the access point, and the second response frame is a newly defined management frame.
  • the pre-association index information carried in the second response frame may be encrypted pre-association index information.
  • the access point may encrypt the pre-association index information by using an encryption key generated after the public key exchange with the terminal.
  • the terminal can decrypt the encrypted pre-association index information by using a decryption key generated after exchange with the access point public key.
  • the pre-association index information is used when the terminal initiates association with the access point, so that the access point knows which capabilities to use for communication with the terminal: the access point determines, through the pre-association index information carried in the association request, which terminal the request corresponds to, and therefore the capability information of that terminal, even if the MAC address used by the terminal when sending the association request differs from the one it used earlier.
  • the second response frame may be a newly defined management frame, such as a Public Action frame.
  • the second response frame may also be other types of frames, which is not limited in this embodiment of the present invention.
  • S410 The terminal sends an association request message to the access point, where the association request message carries the pre-association index information.
  • the terminal sends an association request message to the access point, where the association request message need not carry the personalized capability information of the terminal. It is conceivable that, in the embodiment of the present invention, all device capability information of the terminal that might leak the terminal's private information is sent to the access point in encrypted form before the terminal sends the association request to the access point.
  • alternatively, the terminal may carry the encrypted device capability information of the terminal in the association request message itself, and the access point decrypts it with the AP-dhk generated from the information exchanged in the previous steps.
  • in that case the decryption key can be determined by the pre-association index: the pre-association index information identifies the corresponding terminal, or further corresponds to the encryption key used by the terminal, and the AP uses the index information to determine the decryption key for the terminal's encrypted capability information.
  • the terminal sends an association request to the access point, where the association request may carry the encrypted pre-association index information.
  • the terminal may encrypt the pre-association index information by using the encryption key generated after exchanging public keys with the access point, and send the association request message from the MAC address it used before sending the association request; the access point then determines the corresponding decryption key from the source MAC address of the association request message, decrypts the pre-association index information, and determines the device capability information of the terminal from it.
  • S411 The access point sends an association response message to the terminal, so as to establish the association with the terminal.
  • after receiving the association request sent by the terminal, the access point determines the capability information of the terminal according to the pre-association index information in the association request, or, when the association request message directly carries the encrypted device capability information, decrypts that capability information with the decryption key determined by the pre-association index information; it then sends an association response message to the terminal, thereby establishing the association with the terminal.
  • the access point and the terminal establish a secure connection.
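As an added example, not the patent's own implementation, the following Python runs the whole FIG. 4 flow S401 to S411 in-process, with both sides' frames as dictionaries. It also covers the earlier passages on DH key generation and on the nonce ("field value and/or random number") that varies the derived key. The patent names DH/ECDH and a "newly defined management frame" but fixes no group, key derivation function or cipher, so RFC 3526 group 14, an HKDF-style derivation, and an HMAC-SHA256 keystream with encrypt-then-MAC are assumptions chosen to keep the script on the standard library; a product would use a real AEAD. Frame contents, capability values and MAC handling are constructed for the example.

```python
# Added example, not code from the patent: the S401-S411 flow in-process.
# Group, KDF and cipher below are assumptions (the patent fixes none of them).
import hashlib, hmac, json, secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair():                               # ephemeral; either side may rotate at intervals
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)

def derive_key(priv, peer_pub, nonce_sta, nonce_ap):
    """STA-dhk / AP-dhk: DH secret plus both nonces, so the key changes per exchange."""
    if not 1 < peer_pub < P - 1:             # reject 0, 1 and p-1 before exponentiating
        raise ValueError("bad DH public value")
    shared = pow(peer_pub, priv, P).to_bytes(256, "big")
    prk = hmac.new(nonce_sta + nonce_ap, shared, hashlib.sha256).digest()
    return hmac.new(prk, b"wlan-capability-info\x01", hashlib.sha256).digest()

def _keystream(key, iv, n):
    blocks = (hmac.new(key, b"enc" + iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC with a fresh IV; a stand-in for the AEAD a product would use."""
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))
    return iv + ct + hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))

def random_mac():
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE              # locally administered, unicast
    return ":".join(f"{x:02x}" for x in b)

class AccessPoint:
    def __init__(self):
        self.priv, self.pub = keypair()
        self.nonce = secrets.token_bytes(16)
        self.pending = {}                    # pre-association index -> (key, terminal caps)

    def beacon(self):                        # S401: public key, nonce, mode indication
        return {"frame": "beacon", "ap_pub": self.pub, "ap_nonce": self.nonce, "secure_assoc": True}

    def on_second_request(self, frame):      # S407 in, S408/S409 out
        key = derive_key(self.priv, frame["sta_pub"], frame["sta_nonce"], self.nonce)
        caps = json.loads(unseal(key, frame["enc_caps"]))
        index = secrets.token_bytes(8)       # random: reveals nothing about the caps
        self.pending[index] = (key, caps)
        return {"frame": "second_response", "enc_index": seal(key, index)}

    def on_assoc_request(self, frame):       # S410 in, S411 out: resolved by index, not MAC
        key, caps = self.pending.pop(frame["index"])   # KeyError: unknown or replayed index
        return {"frame": "assoc_response", "negotiated": caps}

class Terminal:
    def __init__(self, caps):
        self.caps = caps                     # personalized capability set worth hiding
        self.priv, self.pub = keypair()
        self.nonce = secrets.token_bytes(16)

    def probe_request(self):                 # S402: general capabilities only
        return {"frame": "probe_req", "src": random_mac(), "general_caps": {"std": "802.11n"}}

    def second_request(self, beacon):        # S406 + S407
        self.key = derive_key(self.priv, beacon["ap_pub"], self.nonce, beacon["ap_nonce"])
        return {"frame": "second_request", "sta_pub": self.pub, "sta_nonce": self.nonce,
                "enc_caps": seal(self.key, json.dumps(self.caps).encode())}

    def assoc_request(self, second_response):   # S410: fresh MAC, index instead of caps
        index = unseal(self.key, second_response["enc_index"])
        return {"frame": "assoc_req", "src": random_mac(), "index": index}

def run_flow():
    """Run S401-S411; return the probe, the association request and the negotiated caps."""
    caps = {"ht_caps": "0x11ef", "vendor_ie": "Acme-42", "ext_caps": "0x04"}   # constructed
    ap, sta = AccessPoint(), Terminal(caps)
    probe = sta.probe_request()
    second_resp = ap.on_second_request(sta.second_request(ap.beacon()))
    assoc_req = sta.assoc_request(second_resp)
    negotiated = ap.on_assoc_request(assoc_req)["negotiated"]
    return {"probe": probe, "assoc_req": assoc_req, "negotiated": negotiated}
```

Only the general capability set appears in the probe request; the personalized set travels once, encrypted, in the second request frame; and the association request arrives from a different MAC carrying only the pre-association index, which the AP resolves from its table. The index is sent in the clear here, as in the variant above where the MAC address changes; the variant where the index is encrypted requires the terminal to keep the MAC it used during the key exchange so the AP can find the decryption key. The AP pops the index on use so that a replayed association request fails.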
  • the sequence numbers of the foregoing steps do not imply an order of execution, and not every step of the foregoing process has to be performed.
  • the terminal in the process of exchanging the public key between the terminal and the access point, the terminal may carry the terminal through the probe request message.
  • the public key the access point may carry the public key of the access point by using the probe response message, and step S401 may be used as an optional step.
  • Steps S402 and S403 may be replaced by steps S404 and S405, that is, steps S402-S405 may be selected to execute only S402 and S403, or only S404 and S405.
  • the first request frame, the second request frame, the first response frame, and the second response frame may be newly defined frames, which may also be referred to as message frames or messages; whether a frame is called "first" or "second" depends on the actual situation.
  • the ordinals "first" and "second" are used for convenience of description and to distinguish different objects.
  • the first request frame and the second request frame here may also be the same message (that is, the same object), and likewise the first response frame and the second response frame may be the same message; that is, one message may carry several kinds of information. For example, the public key of the terminal and the encrypted capability information of the terminal in the embodiment of the present invention may both be carried in the first request frame.
  • S401-S405 may also be referred to as an AP capability discovery process; if the AP and the terminal perform key exchange in S401-S405, the process may also be called the encryption key generation process.
  • S406-S409 may also be referred to as an encrypted terminal capability information transmission process.
  • S410-S411 may also be referred to as an AP association process with a terminal. The process division herein should not be construed as limiting the embodiments of the present invention.
  • the core idea of the association method in the WLAN shown in FIG. 4 is that the encrypted capability information of the terminal can be transmitted through a newly defined frame, such as a public action frame, thereby protecting the personalized information of the terminal from eavesdroppers and protecting the user's private information.
  • FIG. 5 is a flow chart showing a method of establishing a secure connection in a wireless local area network according to another embodiment of the present invention. The method includes:
  • the terminal receives a beacon frame sent by the access point.
  • the beacon frame may carry an indication that the AP supports the terminal security association mode.
  • the security association mode means that the AP supports encrypted transmission of device capability information with the terminal, that is, the AP supports the technical solution of the embodiment of the present invention.
  • the beacon frame may carry the public key of the AP.
  • the public key of the AP may be different each time, or be changed after a period of time, or remain unchanged; that is, the AP may change its own public/private key pair according to its own performance or parameters, so that the encryption key the terminal generates from the access point's public key changes as well.
  • the public key of the AP corresponds to the private key of the AP.
  • the access point sends the public key of the access point to the terminal for the STA to generate the encryption key of the STA.
  • the beacon frame may also carry general capability information of the AP.
  • the beacon frame may also carry personalized information of the AP when the AP does not need to protect privacy.
  • the terminal sends a probe request message to the access point.
  • the probe request message may carry general capability information of the terminal. That is, the probe request message no longer contains the capability information of the terminal that is to be hidden or protected, and carries only capability information that has no distinct personalized feature, so that an attacker cannot obtain "fingerprint" information that distinguishes the terminal by listening to the Probe Request message and use it for subsequent tracking of the terminal.
  • the terminal may use one or more types of general capability information to indicate its capabilities to the AP, so that the AP can determine whether the STA's query condition is met, or whether the STA satisfies the AP's communication condition, and thus whether to send a probe response message. It should be understood that because the terminal transmits only one or more types of general device capability information, which many terminals use at the same time, the possibility of being tracked is reduced. Of course, the probe request message may also carry no capability information of the terminal at all.
  • the probe request message may carry indication information indicating that the terminal supports the security association mode.
  • the probe request message may carry a public key of the terminal, where the public key is used by the AP to generate a decryption key for decrypting the capability information of the encrypted terminal.
  • when the beacon frame in S501 includes the public key information of the access point, the terminal may, before sending the probe request message of S502, already generate the encryption key from the public key information of the access point and the private key information of the terminal, and thereby generate the encrypted capability information of the terminal (corresponding to step S503); thus the probe request message of step S502 may carry the encrypted capability information of the terminal.
  • the terminal and the AP may calculate and generate respective encryption keys by using a Diffie Hellman (DH) key exchange algorithm.
  • the terminal can calculate the encryption key STA-dhk of the terminal by the DH algorithm from its own private key STA-pk.
  • the AP can likewise calculate the encryption key AP-dhk of the AP by the DH algorithm from its own private key AP-pk, where STA-dhk and AP-dhk are the same symmetric encryption key; that is, the AP can use AP-dhk to decrypt capability information of the terminal encrypted with STA-dhk, and the terminal can use STA-dhk to decrypt capability information of the AP encrypted with AP-dhk.
  • the AP and the terminal using the DH key exchange algorithm to generate their respective encryption keys is only one implementation manner; those skilled in the art may also generate the respective encryption keys through other key exchange algorithms. The embodiment of the present invention is not limited thereto.
  • the access point generates pre-association index information, where the pre-association index information is used to identify the terminal.
  • the access point may generate a decryption key for decrypting the capability information of the encrypted terminal according to the private key and the DH algorithm.
  • the encryption key STA-dhk of the terminal and the decryption key AP-dhk of the access point, both generated by the DH key exchange algorithm, may be the same; that is, the encryption key STA-dhk of the terminal can also decrypt device capability information of the access point that the access point encrypted using the decryption key AP-dhk.
  • the access point generates the pre-association index information, which the terminal uses when it subsequently initiates association; that is, in the subsequent association, the access point may determine the terminal according to the pre-association index information and further determine the encryption key corresponding to the terminal.
  • the pre-association index information may be unique for a period of time, so that different terminals can be distinguished. Certainly, the pre-association index information may also be made long enough to be unique for a long time, so that when the access point subsequently receives the association request of the terminal it can determine the capability information corresponding to the terminal and use the corresponding capabilities to establish the association.
  • when the probe request message sent in step S502 includes the encrypted capability information of the terminal, then after step S502, that is, when the AP receives the probe request message, the AP already holds the encrypted capability information of the terminal and the public key information of the terminal. At this time, the AP can combine its own private key, the public key information of the terminal, and other information (if other information is needed here, the AP and the terminal need to confirm it during the interaction, or it is indicated beforehand in a message) to generate the decryption key, and decrypt the encrypted device capability information to obtain the capability information of the terminal.
  • the access point sends a probe response message to the terminal, where the probe response message carries the pre-association index information.
  • the pre-association index information carried in the probe response message may be encrypted, that is, the access point may encrypt the pre-association index information by using the encryption key generated after exchanging public keys with the terminal.
  • the pre-association index information carried in the probe response message may also be unencrypted.
  • the probe response message may carry general capability information of the AP.
  • the capability information of the encrypted access point may also be carried in the probe response message.
  • the probe response message may further include personalization capability information of the AP.
  • the embodiment of the invention is not limited thereto.
  • the probe response message may carry an AP's public key.
  • the probe response message may carry indication information indicating that the terminal supports a security association mode.
  • the terminal generates capability information of the encrypted terminal.
  • the terminal may generate an encryption key for encrypting the terminal capability information by using the DH algorithm and its own private key, and then encrypt the capability information of the terminal by using the encryption key.
  • the label S505 does not limit the execution order of the step; the terminal can generate the encrypted capability information of the terminal at any time after acquiring the public key of the access point, which is not limited in this embodiment of the present invention.
  • the access point and the terminal may include location information and/or a Nonce when calculating their respective encryption keys according to the DH algorithm. It should be understood that if such a field value or other information is used here, it needs to be carried in the message in which the terminal sends its public key to the AP, or in the public key message sent by the AP to the terminal, or in another message.
  • in this way, or by having the STA or the AP change its own public/private key pair at intervals, the encrypted content can be made to vary.
  • the terminal sends an association request message to the access point, where the association request message includes the capability information of the encrypted terminal and the pre-association index information.
  • the capability information of the encrypted terminal is transmitted through the existing signaling, which saves signaling overhead.
  • the terminal capability information and the pre-association index information are sent to the access point in an encrypted manner, so that the capability information of the terminal is not transmitted in the clear on the air interface; this prevents an attacker from obtaining the capability information of the terminal by listening to air-interface messages, generating "fingerprint" feature information of the terminal from it, and thereby tracking the terminal.
  • the encrypted terminal capability information is sent to the access point by using the association request message.
  • the access point may determine the terminal from the pre-association index information carried in the association request message, so that even if the MAC address of the terminal sending the association request has changed, the access point can still identify the terminal that changed its MAC address by the pre-association index information and decrypt the encrypted capability information of the terminal with the decryption key corresponding to the terminal.
  • the access point sends an association response message to the terminal, so as to establish association with the terminal.
  • after receiving the encrypted capability information of the terminal and the pre-association index information sent by the terminal in the association request message, the access point determines, according to the pre-association index information, the decryption key for decrypting the encrypted capability information of the terminal, decrypts the encrypted capability information with it to obtain the capability information of the terminal, determines according to that capability information whether to send the association response message to the terminal, and establishes the association after sending the association response message.
  • the access point and the terminal establish a secure connection.
  • the numbering of the foregoing steps in the embodiment of the present invention does not imply an execution order, and not every step has to be performed.
  • the terminal may carry its public key in the probe request message, and the access point may carry its public key in the probe response message.
  • steps S504 and S505, when used only as public key exchange steps, are optional. It should be understood that the order and necessity of execution of the various processes should be determined by their function and internal logic, and should not be construed as limiting the implementation of the embodiments of the present invention.
  • the core idea of the method shown in FIG. 5 is to implement the technical solution of the embodiment of the present invention by reusing messages of the prior art, adding an information element or extending an existing information element, without adding a newly defined message.
  • the embodiment of the present invention is not limited to this.
  • the encrypted capability information of the terminal may also be carried in the probe request message.
  • FIG. 6 is a schematic diagram of a method for establishing association in a wireless local area network according to an embodiment of the present invention. The method includes:
  • the terminal sends a probe request message (Probe Request) to the access point, the probe request message includes indication information indicating that the terminal supports the security association mode, and the public key STA-PK of the terminal;
  • the access point sends a probe response message (Probe Response) to the terminal, the probe response message includes indication information indicating that the access point supports the security association mode, and the public key AP-PK of the access point;
  • the terminal generates an encryption key STA-dhk according to its own private key STA-pk and the received public key AP-PK of the access point, where the encryption key is used to encrypt capability information of the terminal;
  • the access point generates a decryption key AP-dhk according to its own private key AP-pk and the received public key STA-PK of the terminal, where the decryption key is used to decrypt the encrypted capability information of the terminal.
  • the terminal encrypts capability information of the terminal according to the generated encryption key.
  • the access point generates pre-association index information, where the pre-association index information is used by the access point to identify the terminal when the terminal has not established association with the access point;
  • the terminal sends an action frame to the access point, where the action frame may be a newly defined management frame, where the action frame may carry the capability information of the encrypted terminal generated by the terminal;
  • the access point receives the capability information of the encrypted terminal sent by the terminal, and decrypts with the decryption key to obtain capability information of the terminal.
  • the access point sends an action frame to the terminal, where the action frame can be a newly defined management frame, and the action frame can carry the pre-association index information generated by the access point;
  • the terminal sends an association request message (Association Request) to the access point, where the association request message includes the pre-association index information;
  • the access point sends an association response message (Association Response) to the terminal according to the pre-association index information sent by the terminal, so that the access point and the terminal complete the establishment of the association.
  • the access point and the terminal establish a secure connection.
  • the order of S603 and S604 is not limited, nor is the order of S604 and S606, or of S604 and S607.
  • FIG. 7 is a schematic diagram of a method for establishing association in a wireless local area network according to an embodiment of the present invention. The method includes:
  • the terminal sends a probe request message (Probe Request) to the access point, where the probe request message includes the public key STA-PK of the terminal and the indication information of the terminal supporting the security association mode.
  • the access point generates a decryption key AP-dhk according to the public key STA-PK of the terminal and its own private key AP-pk, where the decryption key is used to decrypt the encrypted capability information of the terminal.
  • the access point generates pre-association index information, where the pre-association index information is used by the access point to identify the terminal when the terminal has not established association with the access point;
  • the access point sends a probe response message (Probe Response) to the terminal, where the probe response message includes indication information that the access point supports the security association mode, the public key AP-PK of the access point, and pre-association index information.
  • the terminal generates an encryption key STA-dhk according to the public key AP-PK of the access point and its own private key STA-pk, where the encryption key is used to encrypt the capability information of the terminal.
  • the terminal encrypts capability information of the terminal according to the generated encryption key.
  • the terminal sends an association request message (Association Request) to the access point, where the association request message includes pre-association index information and capability information of the encrypted terminal.
  • after receiving the association request message sent by the terminal, the access point acquires the pre-association index information in the association request message, determines the decryption key of the terminal according to the pre-association index information, and decrypts the encrypted capability information of the terminal.
  • the access point receives the pre-association index information sent by the terminal and the capability information of the encrypted terminal, and decrypts with the decryption key to obtain capability information of the terminal.
  • the access point sends an association response message (Association Response) to the terminal according to the pre-association index information sent by the terminal, so that the access point and the terminal complete the establishment of the association.
  • the terminal establishes a secure connection with the access point.
  • the order of S702 and S704 is not limited, nor is the order of S702 and S707.
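As an added example (not code from the patent or its assignee), the FIG. 5 / FIG. 7 exchange modelled in Python: STA-dhk and AP-dhk derived by DH from the exchanged public keys plus a Nonce, a pre-association index minted by the AP in the probe response, and an association request that carries the encrypted capability information from a changed MAC address, which the AP resolves through the index rather than the sender address. The DH group, the HMAC-based cipher, the capability string and the names (`run_association`, `AccessPoint`, `Terminal`) are constructed stand-ins for illustration.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration only: a real STA/AP would use a
# standard group (an RFC 3526 MODP group or an elliptic curve) instead.
P = 2**127 - 1
G = 3

def dh_keypair():
    """Return (private, public), i.e. (xx-pk, xx-PK) in the patent's notation."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_key(priv, peer_pub, nonce):
    """Shared DH secret -> symmetric key; STA-dhk and AP-dhk come out equal.
    The nonce is the optional extra input of S505 and must be known to both sides."""
    shared = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hashlib.sha256(b"capability-key" + shared + nonce).digest()

def _keystream(key, iv, length):
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(key, plaintext):
    """Encrypt-then-MAC over an HMAC keystream: an illustrative stand-in for the
    AEAD (e.g. AES-CCM) a real implementation would use."""
    iv = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()[:16]

def decrypt(key, blob):
    iv, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(hmac.new(key, iv + ct, hashlib.sha256).digest()[:16], tag):
        raise ValueError("encrypted capability information failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))

def random_mac():
    """Locally administered unicast MAC; the terminal may change it between probe and association."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return bytes(b)

class AccessPoint:
    def __init__(self):
        self.priv, self.pub = dh_keypair()   # AP-pk, AP-PK
        self.pending = {}                    # pre-association index -> AP-dhk
        self.associated = {}                 # MAC address -> decrypted capability info

    def probe_response(self, sta_pub, nonce):
        """S702-S704: derive AP-dhk, mint a fresh index, answer with AP-PK and the index."""
        index = secrets.token_bytes(8)       # unique while the entry is pending
        self.pending[index] = derive_key(self.priv, sta_pub, nonce)
        return self.pub, index

    def association_request(self, mac, index, enc_caps):
        """S707-S708: the index, not the sender MAC, selects the decryption key."""
        ap_dhk = self.pending.pop(index, None)   # one-shot: a replayed index gets no response
        if ap_dhk is None:
            return None
        self.associated[mac] = decrypt(ap_dhk, enc_caps)
        return b"Association Response"

class Terminal:
    def __init__(self, capability_info):
        self.priv, self.pub = dh_keypair()   # STA-pk, STA-PK
        self.caps = capability_info
        self.nonce = secrets.token_bytes(16)

    def probe_request(self):
        """S701: only STA-PK and the nonce go out; no fingerprintable capability IEs."""
        return random_mac(), self.pub, self.nonce

    def association_request(self, ap_pub, index):
        """S705-S707: derive STA-dhk, encrypt the capabilities, send them with the index."""
        sta_dhk = derive_key(self.priv, ap_pub, self.nonce)
        return random_mac(), index, encrypt(sta_dhk, self.caps)

def run_association(capability_info):
    """Run the FIG. 7 exchange once and report what each party (and the air) saw."""
    sta, ap = Terminal(capability_info), AccessPoint()
    probe_mac, sta_pub, nonce = sta.probe_request()
    ap_pub, index = ap.probe_response(sta_pub, nonce)
    assoc_mac, index, enc_caps = sta.association_request(ap_pub, index)
    response = ap.association_request(assoc_mac, index, enc_caps)
    replay = ap.association_request(assoc_mac, index, enc_caps)   # same index again
    return {"probe_mac": probe_mac, "assoc_mac": assoc_mac, "response": response,
            "replay_response": replay, "ap_learned": ap.associated.get(assoc_mac),
            "on_air": enc_caps}
```

Only STA-PK, AP-PK, the Nonce, the index and the ciphertext cross the air; the AP still recovers the capability information although the association request arrives from a different MAC address than the probe request.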
  • FIG. 8 is a schematic diagram of a method for establishing association in a wireless local area network according to an embodiment of the present invention. The method includes:
  • the terminal sends a probe request message (Probe Request) to the access point, where the probe request message includes indication information indicating that the terminal supports the security association mode.
  • the access point sends a probe response message (Probe Response) to the terminal, where the probe response message includes indication information indicating that the access point supports the security association mode.
  • the terminal sends a Public Action frame to the access point, where the Public Action frame may be a new management frame and may include the public key STA-PK of the terminal;
  • the access point generates a decryption key AP-dhk according to the public key STA-PK of the terminal and its own private key AP-pk, where the decryption key is used to decrypt the encrypted capability information of the terminal.
  • the access point generates pre-association index information, where the pre-association index information is used by the access point to identify the terminal when the terminal has not established association with the access point;
  • the access point sends a Public Action frame to the terminal, where the Public Action frame can be a new management frame, where the Public Action frame can include the public key AP-PK of the access point and the pre-association index information;
  • the terminal generates an encryption key STA-dhk according to the public key AP-PK of the access point and its own private key STA-pk, where the encryption key is used to encrypt capability information of the terminal;
  • the terminal encrypts capability information of the terminal according to the generated encryption key.
  • the terminal sends an association request message (Association Request) to the access point, where the association request message includes pre-association index information and capability information of the encrypted terminal.
  • after receiving the association request message sent by the terminal, the access point acquires the pre-association index information in the association request message, determines the decryption key of the terminal according to the pre-association index information, and decrypts the encrypted capability information of the terminal.
  • the access point receives the pre-association index information sent by the terminal and the capability information of the encrypted terminal, and decrypts with the decryption key to obtain capability information of the terminal.
  • the access point sends an association response message (Association Response) to the terminal according to the pre-association index information sent by the terminal, so that the access point and the terminal complete the establishment of the association.
  • the terminal establishes a secure connection with the access point.
  • the order of S804 and S806 is not limited, nor is the order of S804 and S809.
  • FIG. 9 is a schematic block diagram of a terminal according to an embodiment of the present invention.
  • the terminal may be the smart phone shown in FIG. 2, and the terminal 900 includes:
  • the generating module 910 is configured to generate the encrypted capability information of the terminal.
  • the receiving module 920 is configured to receive pre-association index information related to the terminal that is sent by the access point, where the pre-association index information is used by the access point to identify the terminal while the terminal and the access point have not yet been associated with each other;
  • the sending module 930 is configured to send, to the access point, the encrypted capability information of the terminal and an association request message, where the association request message includes the pre-association index information;
  • the receiving module 920 is further configured to receive an association response message sent by the access point according to the capability information of the terminal and the pre-association index information, so that the terminal establishes association with the access point.
  • the terminal of the embodiment of the present invention sends the capability information of the terminal to the access point in an encrypted manner and is identified by the pre-association index information, so that an eavesdropper monitoring the air interface before or during the association cannot obtain the capability information of the terminal even if it captures it, and therefore cannot determine the location, time and the like of the terminal from its capability information; leakage of user privacy is thereby avoided.
  • the sending module is specifically configured to: send an association request message to the access point, where the association request message includes the encrypted capability information of the terminal.
  • the sending module is specifically configured to: send, to the access point, a first message, where the first message includes the encrypted capability information of the terminal, and the first message is a management message;
  • the sending module is further configured to: before sending the encrypted capability information of the terminal, send the public key of the terminal to the access point, where the public key of the terminal is used by the access point to generate a decryption key for decrypting the capability information of the terminal;
  • the receiving module is further configured to receive a public key of the access point sent by the access point;
  • the generating module is further configured to generate an encryption key of the terminal according to a public key of the access point, where an encryption key of the terminal is used to encrypt capability information of the terminal.
  • the sending module is specifically configured to: send a probe request message to the access point, where the probe request message includes a public key of the terminal;
  • the receiving module is specifically configured to: receive a probe response message sent by the access point, where the probe response message includes a public key of the access point;
  • or the receiving module is specifically configured to: receive a third message sent by the access point, where the third message includes a public key of the access point, and the third message is a management message;
  • or the receiving module is specifically configured to: receive a beacon frame sent by the access point, where the beacon frame includes a public key of the access point.
  • the receiving module is further configured to: receive indication information sent by the access point, where the indication information is used to indicate that the access point supports encrypted transmission of device capability information with the terminal.
  • the receiving module is specifically configured to: receive a probe response message sent by the access point, where the probe response message includes the indication information; or receive a beacon frame sent by the access point, where the beacon frame includes the indication information.
  • the receiving module is specifically configured to: receive a fifth message sent by the access point, where the fifth message includes the pre-association index information, and the fifth message is a management message;
  • the MAC address used by the terminal to send the association request message to the access point is different from the MAC address used by the terminal before it sends the association request message to the access point.
  • the terminal herein is embodied in the form of functional modules.
  • the function modules herein may correspond to the physical modules of the smart phone shown in FIG. 2 .
  • the generating module herein may correspond to the processor of the smart phone in FIG. 2
  • the sending module and the receiving module may correspond to the radio frequency circuits of the smart phone, and so on.
  • the term "module" as used herein may refer to an application-specific integrated circuit, an electronic circuit, a processor (for example, a shared processor, a dedicated processor, or a group processor) and memory for executing one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that support the described functions.
  • the terminal may be used to perform various processes and/or steps corresponding to the terminal in the foregoing method embodiments. To avoid repetition, details are not described herein again.
  • FIG. 10 is a schematic block diagram of an access point according to an embodiment of the present invention.
  • the access point may also correspond to the smart phone in FIG. 2, and the smart phone as an access point may also have the need to protect privacy.
  • the access point 1000 includes:
  • the generating module 1010 is configured to generate pre-association index information related to the terminal, where the pre-association index information is used by the access point to identify the terminal when the terminal has not established association with the access point;
  • the sending module 1020 is configured to send the pre-association index information to the terminal;
  • the receiving module 1030 is configured to receive the encrypted capability information of the terminal and the association request message sent by the terminal, where the association request message includes the pre-association index information;
  • the decryption module 1040 is configured to decrypt the encrypted capability information of the terminal.
  • the sending module 1020 is further configured to send an association response message to the terminal according to the capability information of the terminal and the pre-association index information, so that the access point establishes an association with the terminal.
  • the access point of the embodiment of the present invention supports encrypted transmission of the capability information of the terminal and identifies the terminal by using the pre-association index information. Even if an eavesdropper monitors the capability information on the air interface before or during the association, the eavesdropper cannot obtain the capability information of the terminal, and therefore cannot determine the location, time, and the like of the terminal from it, thereby avoiding leakage of user privacy.
  • the receiving module is specifically configured to: receive an association request message sent by the terminal, where the association request message includes the encrypted capability information of the terminal.
  • or: the receiving module is specifically configured to: receive a first message sent by the terminal, where the first message includes the encrypted capability information of the terminal, and the first message is a management message; and receive an association request message sent by the terminal.
  • the receiving module is further configured to: receive a public key of the terminal sent by the terminal;
  • the generating module is further configured to: generate a decryption key according to the public key of the terminal, where the decryption key is used to decrypt the encrypted capability information of the terminal;
  • the sending module is further configured to: send a public key of the access point to the terminal, where a public key of the access point is used by the terminal to generate an encryption key for encrypting capability information of the terminal.
  • the receiving module is specifically configured to: receive a probe request message sent by the terminal, where the probe request message includes a public key of the terminal;
  • the sending module is specifically configured to: send a probe response message to the terminal, where the probe response message includes a public key of the access point;
  • or: the sending module is specifically configured to: send a beacon frame to the terminal, where the beacon frame includes a public key of the access point.
  • the sending module is further configured to: send indication information to the terminal, where the indication information is used to indicate that the access point supports encrypted transmission of the device capability information of the terminal.
  • the sending module is specifically configured to: send a probe response message to the terminal, where the probe response message includes the indication information; or send a beacon frame to the terminal, where the beacon frame includes the indication information.
  • the sending module is specifically configured to: send a fifth message to the terminal, where the fifth message includes the pre-association index information, and the fifth message is a management message;
  • the generating module is further configured to: generate encrypted capability information of the access point;
  • the sending module is further configured to send the encrypted capability information of the access point to the terminal.
  • the term "module" as used herein may refer to an application-specific integrated circuit, an electronic circuit, a processor (for example, a shared processor, a dedicated processor, or a group processor) and memory for executing one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that support the described functions.
  • the access point may be used to perform the various processes and/or steps corresponding to the access point in the foregoing method embodiment. To avoid repetition, details are not described herein.
  • FIG. 11 is a schematic block diagram of a terminal according to another embodiment of the present invention.
  • the terminal includes a processor 1101, a memory 1102, a transmitter 1103, and a receiver 1105.
  • the components in the terminal are coupled together; the receiver 1105 receives data through the antenna 1104, and the transmitter 1103 transmits data through the antenna 1104.
  • the receiver and the transmitter may share an antenna capable of both receiving and transmitting signals, or may use different antennas; this is not limited by the embodiment of the present invention, and the former case is used as an example here.
  • the method for establishing association in the wireless local area network disclosed in the foregoing embodiment of the present invention may be applied to the processor 1101 or implemented by the processor 1101.
  • the processor 1101 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 1101 or an instruction in a form of software.
  • the processor 1101 described above may be a general-purpose processor, a system on a chip (SoC), a baseband processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • the methods, steps, and logical block diagrams disclosed in the embodiments of the present invention may be implemented or carried out by such a processor.
  • the general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented by the hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a random access memory (RAM), a flash memory, a read-only memory (ROM), a programmable read only memory or an electrically erasable programmable memory, a register, etc.
  • the storage medium is located in the memory 1102, and the processor 1101 reads the instructions in the memory 1102 and completes the steps of the above method in combination with its hardware.
  • the processor 1101 is configured to generate encrypted capability information of the terminal.
  • the receiver 1105 is configured to receive pre-association index information related to the terminal that is sent by the access point, where the pre-association index information is used by the access point to identify the terminal when the terminal has not established association with the access point;
  • the transmitter 1103 is configured to send, to the access point, the encrypted capability information of the terminal and an association request message, where the association request message includes the pre-association index information;
  • the receiver 1105 is further configured to receive an association response message that is sent by the access point according to the capability information of the terminal and the pre-association index information, so that the terminal establishes association with the access point.
  • the terminal of the embodiment of the present invention sends the capability information of the terminal to the access point in encrypted form and is identified by using the pre-association index information, so that even if an eavesdropper monitors the capability information on the air interface before or during the association, the eavesdropper cannot obtain the capability information of the terminal, and therefore cannot determine the location, time, and the like of the terminal from it, thereby avoiding leakage of user privacy.
  • the transmitter is specifically configured to: send an association request message to the access point, where the association request message includes the encrypted capability information of the terminal.
  • or: the transmitter is specifically configured to: send a first message to the access point, where the first message includes the encrypted capability information of the terminal, and the first message is a management message; and send an association request message to the access point.
  • the transmitter is further configured to: before the transmitter sends the encrypted capability information of the terminal, send the public key of the terminal to the access point, where the public key of the terminal is used by the access point to generate a decryption key for decrypting the capability information of the terminal;
  • the receiver is further configured to receive a public key of the access point sent by the access point;
  • the processor is further configured to generate an encryption key of the terminal according to the public key of the access point, where the encryption key of the terminal is used to encrypt the capability information of the terminal.
  • the transmitter is specifically configured to: send a probe request message to the access point, where the probe request message includes a public key of the terminal;
  • the receiver is specifically configured to: receive a probe response message sent by the access point, where the probe response message includes a public key of the access point;
  • or: the receiver is specifically configured to: receive a third message sent by the access point, where the third message includes a public key of the access point, and the third message is a management message; or receive a beacon frame sent by the access point, where the beacon frame includes a public key of the access point.
  • the receiver is further configured to: receive indication information sent by the access point, where the indication information is used to indicate that the access point supports encrypted transmission of the device capability information of the terminal.
  • the receiver is specifically configured to: receive a probe response message sent by the access point, where the probe response message includes the indication information; or receive a beacon frame sent by the access point, where the beacon frame includes the indication information.
  • the receiver is specifically configured to: receive a fifth message sent by the access point, where the fifth message includes the pre-association index information, and the fifth message is a management message;
  • the MAC address used by the terminal to send the association request message to the access point is different from the MAC address used by the terminal before it sends the association request message to the access point.
  • the terminal may be used to perform various processes and/or steps corresponding to the terminal in the foregoing method embodiments. To avoid repetition, details are not described herein again.
  • FIG. 12 is a schematic block diagram of an access point according to another embodiment of the present invention.
  • the access point includes: a processor 1201, a memory 1202, a transmitter 1203, and a receiver 1205.
  • the components in the access point are coupled together; the receiver 1205 receives data through the antenna 1204, and the transmitter 1203 transmits data through the antenna 1204.
  • the receiver and the transmitter may share an antenna capable of both receiving and transmitting signals, or may use different antennas; this is not limited by the embodiment of the present invention, and the former case is used as an example here.
  • the method for establishing association in the wireless local area network disclosed in the foregoing embodiment of the present invention may be applied to the processor 1201 or implemented by the processor 1201.
  • the processor 1201 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 1201 or an instruction in a form of software.
  • the processor 1201 may be a general-purpose processor, a system on a chip (SoC), a baseband processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • the general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented by the hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a random access memory (RAM), a flash memory, a read-only memory (ROM), a programmable read only memory or an electrically erasable programmable memory, a register, etc.
  • the storage medium is located in the memory 1202, and the processor 1201 reads the instructions in the memory 1202 and completes the steps of the above method in combination with its hardware.
  • the processor 1201 is configured to generate pre-association index information related to the terminal, where the pre-association index information is used by the access point to identify the terminal when the terminal has not established association with the access point;
  • the sender 1203 is configured to send the pre-association index information to the terminal;
  • the receiver 1205 is configured to receive the encrypted capability information of the terminal and the association request message sent by the terminal, where the association request message includes the pre-association index information;
  • the processor 1201 is further configured to decrypt the encrypted capability information of the terminal.
  • the transmitter 1203 is further configured to send an association response message to the terminal according to the capability information of the terminal and the pre-association index information, so that the access point establishes an association with the terminal.
  • the access point of the embodiment of the present invention supports encrypted transmission of the capability information of the terminal and identifies the terminal by using the pre-association index information. Even if an eavesdropper monitors the capability information on the air interface before or during the association, the eavesdropper cannot obtain the capability information of the terminal, and therefore cannot determine the location, time, and other information of the terminal from it, thereby avoiding leakage of user privacy.
  • the receiver is specifically configured to: receive an association request message sent by the terminal, where the association request message includes the encrypted capability information of the terminal.
  • or: the receiver is specifically configured to: receive a first message sent by the terminal, where the first message includes the encrypted capability information of the terminal, and the first message is a management message; and receive an association request message sent by the terminal.
  • the receiver is further configured to: receive a public key of the terminal sent by the terminal;
  • the processor is further configured to: generate a decryption key according to the public key of the terminal, where the decryption key is used to decrypt the encrypted capability information of the terminal;
  • the transmitter is further configured to: send a public key of the access point to the terminal, where a public key of the access point is used by the terminal to generate an encryption key for encrypting capability information of the terminal.
  • the receiver is specifically configured to: receive a probe request message sent by the terminal, where the probe request message includes a public key of the terminal;
  • the transmitter is specifically configured to: send a probe response message to the terminal, where the probe response message includes a public key of the access point;
  • or: the transmitter is specifically configured to: send a beacon frame to the terminal, where the beacon frame includes a public key of the access point.
  • the transmitter is further configured to: send indication information to the terminal, where the indication information is used to indicate that the access point supports encrypted transmission of the device capability information of the terminal.
  • the transmitter is specifically configured to: send a probe response message to the terminal, where the probe response message includes the indication information; or send a beacon frame to the terminal, where the beacon frame includes the indication information.
  • the transmitter is specifically configured to: send a fifth message to the terminal, where the fifth message includes the pre-association index information, and the fifth message is a management message;
  • the processor is further configured to: generate encrypted capability information of the access point;
  • the transmitter is further configured to send the encrypted capability information of the access point to the terminal.
  • the access point may be used to perform various processes and/or steps corresponding to the access point in the foregoing method embodiments. To avoid repetition, details are not described herein again.
  • FIG. 13 is a schematic block diagram of a terminal according to still another embodiment of the present invention.
  • the terminal includes:
  • the processing module 1301 is configured to control the actions of each module in the terminal.
  • the discovery module 1302 is configured to perform discovery of an access point.
  • the discovery module is specifically configured to discover an access point that supports the security association mode, and/or to generate a probe request message.
  • the encryption and decryption module 1303 is configured to generate a public key and a private key pair for protecting capability information of the terminal.
  • the encryption and decryption module may further generate an encryption key and perform encryption and decryption processing on the capability information of the terminal.
  • the encryption and decryption module may further calculate an encryption key of the capability information of the terminal after obtaining the public key of the access point.
  • the encryption and decryption module may further encrypt the capability information of the terminal to generate capability information of the encrypted terminal.
  • the encryption and decryption module may further decrypt the encrypted capability information of the access point after receiving it from the access point.
  • the association module 1304 is configured to perform authentication and association between the terminal and the access point, including completing the authentication and association of the terminal according to the pre-association index information.
  • the terminal may be used to perform various processes and/or steps corresponding to the terminal in the foregoing method embodiments. To avoid repetition, details are not described herein again.
  • FIG. 14 is a schematic block diagram of an access point according to still another embodiment of the present invention, the access point includes:
  • the processing module 1401 is configured to control actions of internal modules in the access point.
  • the discovery response module 1402 is configured to generate and send a response to the discovery performed by the terminal.
  • the discovery response module is further configured to generate a probe response message.
  • the probe response message may also indicate that the access point supports the anti-tracking mode.
  • the encryption and decryption module 1403 is configured to generate a public key and a private key pair that protect the access point capability information.
  • the encryption and decryption module may also generate an encryption key.
  • the encryption and decryption module may further perform encryption and decryption processing on the capability information of the access point.
  • the encryption and decryption module is further capable of calculating an encryption key of the capability information of the access point.
  • the encryption and decryption module may further decrypt the capability information of the encrypted terminal to obtain capability information of the terminal.
  • the encryption and decryption module may further encrypt the device capability information of the access point to generate encrypted capability information of the access point.
  • the encryption and decryption module may also generate pre-association index information.
  • the association module 1404 is configured to perform authentication and association of the terminal, including completing authentication and association with the terminal according to the pre-association index information.
  • the access point may be used to perform the various processes and/or steps corresponding to the access point in the foregoing method embodiment. To avoid repetition, details are not described herein.
  • the device configuration diagrams given in the various device embodiments of the present invention show only a simplified design of the corresponding device.
  • in actual application, the device may include any number of transmitters, receivers, transceivers, processors, memories, and the like to implement the functions or operations performed by the device in the various embodiments of the present invention, and every device that can implement the present application is within the scope of this application.
  • the names of the message/frame/instruction information, modules, units, and the like provided in the embodiments of the present invention are merely examples, and other names may be used as long as the functions of the message/frame/instruction information, the module or the unit, and the like are the same.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of units is only a logical function division, and there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product. Based on such understanding, the technical solution of the embodiments of the present invention, or the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • the software product includes a number of instructions to cause a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to perform all or part of the steps of the methods described in the various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or the like.
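The embodiments of FIG. 10 through FIG. 12 describe the same exchange from both sides: the access point advertises its public key and an indication that it supports encrypted capability transfer (beacon or probe response), the terminal sends its own public key in a probe request, both derive an encryption key from the peer's public key, the access point hands out pre-association index information in a management frame, and the terminal then sends its encrypted capability information and an association request carrying that index from a different MAC address than it used before. The following simulation is an added example, not code from the patent or from Huawei. It assumes finite-field Diffie-Hellman over RFC 3526 group 14 for the key agreement (the patent names no public-key algorithm), an HMAC-SHA256 encrypt-then-MAC construction as a stand-in for whatever cipher the terminal and access point would negotiate, an 8-byte random pre-association index carried in the probe response (one of the patent's "management message" options), and dictionaries in place of 802.11 frames. The sample capability string is constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# RFC 3526 group 14 (2048-bit MODP); the standard library has no X25519.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
Q, G = (P - 1) // 2, 2          # safe prime; 2 generates the order-Q subgroup
assert pow(2, Q - 1, Q) == 1, "group parameters corrupted"   # cheap Fermat check

def kdf(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869), zero salt."""
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()
    okm, block, ctr = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([ctr]), hashlib.sha256).digest()
        okm, ctr = okm + block, ctr + 1
    return okm[:length]

def keygen() -> tuple:
    priv = secrets.randbelow(Q - 2) + 2
    return priv, pow(G, priv, P)

def shared_key(priv: int, peer_pub: int) -> bytes:
    # Reject 0, 1, P-1 and anything outside the order-Q subgroup before use.
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("invalid peer public key")
    return kdf(pow(peer_pub, priv, P).to_bytes(256, "big"), b"capability protection")

def _xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    ks = b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an AEAD (the patent names no cipher)."""
    ct = _xor(kdf(key, b"enc"), nonce, pt)
    return ct + hmac.new(kdf(key, b"mac"), ad + nonce + ct, hashlib.sha256).digest()[:16]

def unseal(key: bytes, nonce: bytes, ad: bytes, sealed: bytes):
    ct, tag = sealed[:-16], sealed[-16:]
    want = hmac.new(kdf(key, b"mac"), ad + nonce + ct, hashlib.sha256).digest()[:16]
    return _xor(kdf(key, b"enc"), nonce, ct) if hmac.compare_digest(tag, want) else None

def random_mac() -> bytes:
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE          # locally administered, unicast
    return bytes(b)

class AccessPoint:
    def __init__(self):
        self.priv, self.pub = keygen()
        self.pending = {}                 # pre-association index -> session key
    def beacon(self) -> dict:             # indication information: encrypted transfer supported
        return {"type": "beacon", "ap_pub": self.pub, "enc_capability": True}
    def on_probe_request(self, frame: dict) -> dict:
        index = os.urandom(8)             # random index, unrelated to the STA's MAC
        self.pending[index] = shared_key(self.priv, frame["sta_pub"])
        return {"type": "probe_response", "ap_pub": self.pub, "pre_assoc_index": index}
    def on_assoc_request(self, frame: dict) -> dict:
        index, nonce = frame["pre_assoc_index"], frame["nonce"]
        key = self.pending.get(index)
        caps = unseal(key, nonce, index, frame["enc_caps"]) if key else None
        if caps is None:
            return {"type": "assoc_response", "status": "refused"}
        del self.pending[index]           # consumed only on success: replay and index-burning fail
        return {"type": "assoc_response", "status": "success", "sta_caps": caps}

class Terminal:
    def __init__(self, capabilities: bytes):
        self.caps, (self.priv, self.pub) = capabilities, keygen()
    def probe_request(self, beacon: dict) -> dict:
        if not beacon.get("enc_capability"):
            raise RuntimeError("AP does not advertise encrypted capability transfer")
        self.key = shared_key(self.priv, beacon["ap_pub"])
        return {"type": "probe_request", "src": random_mac(), "sta_pub": self.pub}
    def assoc_request(self, resp: dict) -> dict:
        index, nonce = resp["pre_assoc_index"], os.urandom(12)
        # Fresh random MAC: the AP matches on the index, never on the address.
        return {"type": "assoc_request", "src": random_mac(), "pre_assoc_index": index,
                "nonce": nonce, "enc_caps": seal(self.key, nonce, index, self.caps)}

def run_exchange(caps: bytes = b"HT-MCS0-15;VHT-80MHz") -> list:   # constructed sample caps
    """Return the full air-interface transcript, last entry being the AP's response."""
    ap, sta = AccessPoint(), Terminal(caps)
    beacon = ap.beacon()
    probe = sta.probe_request(beacon)
    probe_resp = ap.on_probe_request(probe)
    assoc = sta.assoc_request(probe_resp)
    return [beacon, probe, probe_resp, assoc, ap.on_assoc_request(assoc)]
```

Calling `run_exchange()` returns the five frames an eavesdropper would see: two public keys, a random index, a ciphertext, and a status. The capability string never appears in the clear, the source MAC of the probe request differs from that of the association request, and the only thing linking the two frames is the index, which the access point issued at random. Binding the index into the authenticated data means a ciphertext captured under one index cannot be replayed under another, and deleting the index only after a successful decryption stops a third party from burning a legitimate terminal's index by sending garbage with it. For production use the stand-in cipher should be replaced by an AEAD such as AES-GCM and the DH group by X25519.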

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method for establishing an association in a wireless local area network, a terminal and an access point. The method includes the following steps: a terminal generates encrypted capability information of the terminal; the terminal receives pre-association index information sent by an access point, the pre-association index information being used by the access point to identify the terminal; the terminal sends, to the access point, the encrypted capability information of the terminal and an association request message, the association request message including the pre-association index information; and the terminal receives an association response message sent by the access point according to the capability information of the terminal, thereby establishing an association between the terminal and the access point. The capability information of the terminal is sent to the access point in encrypted form, and the terminal is identified by means of the pre-association index information. In this way, even if the capability information of the terminal is monitored on the air interface, an eavesdropper cannot acquire it, which improves the protection of user privacy.
PCT/CN2017/094374 2016-08-31 2017-07-25 Procédé d'établissement d'une association dans un réseau local sans fil, terminal et point d'accès Ceased WO2018040805A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP17845107.6A EP3499936B1 (fr) 2016-08-31 2017-07-25 Procédé d'établissement d'une association dans un réseau local sans fil, terminal et point d'accès
US16/328,842 US10674353B2 (en) 2016-08-31 2017-07-25 Association establishment method in wireless local area network, terminal, and access point

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201610799549 2016-08-31
CN201610799549.0 2016-08-31
CN201610995436.8 2016-11-11
CN201610995436.8A CN107786972B (zh) 2016-08-31 2016-11-11 无线局域网中建立关联的方法、终端和接入点

Publications (1)

Publication Number Publication Date
WO2018040805A1 true WO2018040805A1 (fr) 2018-03-08

Family

ID=61300157

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/094374 Ceased WO2018040805A1 (fr) 2016-08-31 2017-07-25 Procédé d'établissement d'une association dans un réseau local sans fil, terminal et point d'accès

Country Status (1)

Country Link
WO (1) WO2018040805A1 (fr)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014190243A1 (fr) * 2013-05-24 2014-11-27 Qualcomm Incorporated Systèmes et procédés pour les messages wlan en diffusion élargie avec authentification des messages
CN103476030A (zh) * 2013-08-29 2013-12-25 小米科技有限责任公司 移动终端连接网络的方法、移动终端与终端设备
CN103596179A (zh) * 2013-11-29 2014-02-19 西安电子科技大学昆山创新研究院 基于射频标签的无线局域网接入认证抗拒绝服务攻击方法
CN105577365A (zh) * 2014-11-11 2016-05-11 中国移动通信集团公司 一种用户接入wlan的密钥协商方法及装置

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3499936A4 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112383915A (zh) * 2020-12-02 2021-02-19 中国联合网络通信集团有限公司 无线网络接入方法、无线接入装置和终端
CN112383915B (zh) * 2020-12-02 2023-11-21 中国联合网络通信集团有限公司 无线网络接入方法、无线接入装置和终端
WO2022267723A1 (fr) * 2021-06-22 2022-12-29 华为技术有限公司 Procédé et appareil de génération de clé de session

Similar Documents

Publication Publication Date Title
EP3499936B1 (fr) Procédé d'établissement d'une association dans un réseau local sans fil, terminal et point d'accès
US12010519B2 (en) Information sharing method, terminal device, storage medium, and computer program product
US11765577B2 (en) Identity obscuration for a wireless station
JP6834058B2 (ja) Wi−fiホットスポット接続方法および端末
CN108702623B (zh) 一种无线局域网的配置方法及设备
CN112866981B (zh) 一种签约数据的管理方法、装置
WO2017198161A1 (fr) Procédé de connexion au réseau, appareil, support de stockage et terminal
CN107070909A (zh) 信息发送方法、信息接收方法、装置及系统
WO2018120247A1 (fr) Procédé et dispositif de mise en correspondance de terminal
US20230318916A1 (en) Network Configuration Method and Apparatus for Intelligent Device
WO2023202631A1 (fr) Procédé et appareil d'abonnement, dispositif de communication, dispositif de l'internet des objets et élément de réseau
CN111770588B (zh) 一种与无线路由器快速建立无线连接的方法及系统
US10673611B2 (en) Data transmission method, device, and system
WO2018040805A1 (fr) Procédé d'établissement d'une association dans un réseau local sans fil, terminal et point d'accès
CN105530631A (zh) 一种通信方法、装置及系统
CN112135253B (zh) 网络连接方法及装置
WO2017117775A1 (fr) Procédé et système de gestion de la sécurité de communications, et dispositif associé
WO2023213205A1 (fr) Procédé et appareil de communication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17845107

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2017845107

Country of ref document: EP

Effective date: 20190315