Configuration Guide Configuring WAPI
authentication mode. If the certificate issuing system and certificate authentication system are the same entity, this mode is
called WAPI two-certificate authentication mode.
Pre-shared Key Authentication
Pre-shared key authentication is authentication based on a key shared by the STA and the AE. Before authentication, the
STA and AE must be configured with the same key, the pre-shared key. No certificates are exchanged in this mode: during
authentication the pre-shared key is converted directly into a BK (base key), and unicast key negotiation followed by
multicast key announcement are then performed exactly as after certificate authentication.
5.3.2 WAPI Key Management
Unicast data between the STA and the AE is protected by the unicast encryption key and the unicast integrity check key
obtained during unicast key negotiation. The AE protects the broadcast/multicast data it sends with the multicast
encryption key and multicast integrity check key, which it derives from the multicast master key and announces to the
STA. The STA, in turn, decrypts and checks received broadcast/multicast data with the multicast encryption key and
multicast integrity check key derived from the multicast master key announced by the AE.
Working Principle
Unicast Key Negotiation
Unicast key negotiation is performed first.
Once the STA and AE share a BK (after certificate authentication succeeds or, in pre-shared key mode, after the pre-shared
key has been converted into the BK), the AE sends a unicast key negotiation request to the ASUE (the supplicant entity in
the STA), containing the AE's key negotiation request data.
After receiving the unicast key negotiation request and verifying its validity, the ASUE generates its own key negotiation
response data, constructs a unicast key negotiation response and sends it to the AE. From the BK together with the key
negotiation data of both sides, the ASUE and the AE each derive the same unicast session key.
After receiving the unicast key negotiation response and verifying its validity, the AE sends a unicast key negotiation
ACK message to the ASUE. At this point the ASUE and AE have established a unicast key security association.
Multicast Key Announcement
After unicast key negotiation is completed, the unicast session key obtained through that negotiation is used to protect the
multicast key announcement, so an announcement can only be verified once the unicast key security association exists.
After unicast key negotiation succeeds, that is, once a unicast key security association is established, the AE sends a
multicast key announcement to the ASUE to notify the ASUE of the key the AE uses for sending multicast data.
After verifying the validity of the multicast key announcement sent by the AE, the ASUE sends a multicast key response to
the AE. At this point the ASUE and AE have established a multicast key security association.
In both WAPI certificate authentication and pre-shared key authentication, an STA must complete this key exchange
(unicast key negotiation followed by multicast key announcement) before it can access the WLAN.
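The following is an added illustration, not code from this guide or from any WAPI implementation. It models the pre-shared key path described above (PSK converted directly into a BK) followed by the three-message unicast key negotiation and the two-message multicast key announcement, with both the AE and the ASUE as objects that exchange message dictionaries. The key derivation, MIC and key-wrapping primitives are assumed stand-ins built on HMAC-SHA256 (the real cipher suite and KDF are those the standard specifies, not these); the message field names and the ValueError failure paths are likewise assumptions made for the illustration.

```python
"""Toy model of WAPI pre-shared-key access: PSK -> BK, unicast key
negotiation (request / response / ACK), multicast key announcement.
All primitives are assumed HMAC-SHA256 stand-ins, not the standard's."""
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes, length: int) -> bytes:
    """Counter-mode HMAC-SHA256 expansion (assumed stand-in for the standard's KDF)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, label + bytes([counter]), hashlib.sha256).digest()
    return out[:length]


def bk_from_psk(psk: bytes) -> bytes:
    """Pre-shared key mode: the PSK is converted directly into the BK."""
    return kdf(psk, b"preshared key expansion for base key", 16)


def mic(mak: bytes, data: bytes) -> bytes:
    """Message integrity code over a handshake message, keyed with the MAK."""
    return hmac.new(mak, data, hashlib.sha256).digest()[:16]


def derive_usk(bk: bytes, n_ae: bytes, n_asue: bytes) -> dict:
    """Unicast session key from the BK and both sides' negotiation nonces."""
    m = kdf(bk, b"unicast" + n_ae + n_asue, 64)
    return {"UEK": m[0:16], "UCK": m[16:32], "MAK": m[32:48], "KEK": m[48:64]}


def derive_msk(nmk: bytes) -> dict:
    """Multicast encryption and integrity check keys from the multicast master key."""
    m = kdf(nmk, b"multicast", 32)
    return {"MEK": m[0:16], "MCK": m[16:32]}


def wrap(kek: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR with a KEK-derived keystream (assumed stand-in for the standard's key wrapping)."""
    return bytes(a ^ b for a, b in zip(data, kdf(kek, iv, len(data))))


class AE:
    def __init__(self, bk: bytes):
        self.bk, self.usk, self.msk = bk, None, None

    def unicast_request(self) -> dict:
        self.n_ae = os.urandom(32)
        return {"n_ae": self.n_ae}

    def unicast_ack(self, resp: dict) -> dict:
        if resp["n_ae"] != self.n_ae:
            raise ValueError("response does not match the outstanding request")
        usk = derive_usk(self.bk, self.n_ae, resp["n_asue"])
        if not hmac.compare_digest(mic(usk["MAK"], self.n_ae + resp["n_asue"]), resp["mic"]):
            raise ValueError("unicast key negotiation response MIC invalid")
        self.usk = usk  # unicast key security association established
        return {"n_asue": resp["n_asue"], "mic": mic(usk["MAK"], b"ack" + resp["n_asue"])}

    def multicast_announce(self) -> dict:
        nmk, iv = os.urandom(16), os.urandom(16)  # fresh multicast master key
        self.msk = derive_msk(nmk)
        wrapped = wrap(self.usk["KEK"], iv, nmk)  # protected by the unicast session key
        return {"iv": iv, "wrapped": wrapped, "mic": mic(self.usk["MAK"], iv + wrapped)}

    def check_multicast_response(self, resp: dict) -> bool:
        return hmac.compare_digest(mic(self.usk["MAK"], b"mresp" + resp["iv"]), resp["mic"])


class ASUE:
    def __init__(self, bk: bytes):
        self.bk, self.usk, self.msk = bk, None, None

    def unicast_response(self, req: dict) -> dict:
        self.n_asue = os.urandom(32)
        self.pending = derive_usk(self.bk, req["n_ae"], self.n_asue)
        return {"n_ae": req["n_ae"], "n_asue": self.n_asue,
                "mic": mic(self.pending["MAK"], req["n_ae"] + self.n_asue)}

    def process_ack(self, ack: dict) -> None:
        if not hmac.compare_digest(mic(self.pending["MAK"], b"ack" + self.n_asue), ack["mic"]):
            raise ValueError("unicast key negotiation ACK MIC invalid")
        self.usk = self.pending  # unicast key security association established

    def multicast_response(self, ann: dict) -> dict:
        if self.usk is None:  # announcement cannot be verified before the unicast SA exists
            raise ValueError("no unicast key security association yet")
        if not hmac.compare_digest(mic(self.usk["MAK"], ann["iv"] + ann["wrapped"]), ann["mic"]):
            raise ValueError("multicast key announcement MIC invalid")
        self.msk = derive_msk(wrap(self.usk["KEK"], ann["iv"], ann["wrapped"]))
        return {"iv": ann["iv"], "mic": mic(self.usk["MAK"], b"mresp" + ann["iv"])}


def run_access(psk_ae: bytes, psk_sta: bytes) -> tuple:
    """Whole exchange; raises ValueError if the two sides' PSKs (hence BKs) differ."""
    ae, asue = AE(bk_from_psk(psk_ae)), ASUE(bk_from_psk(psk_sta))
    ack = ae.unicast_ack(asue.unicast_response(ae.unicast_request()))
    asue.process_ack(ack)
    if not ae.check_multicast_response(asue.multicast_response(ae.multicast_announce())):
        raise ValueError("multicast key response MIC invalid")
    return ae, asue


if __name__ == "__main__":
    ae, sta = run_access(b"correct horse", b"correct horse")
    print("unicast keys match:", ae.usk == sta.usk, "multicast keys match:", ae.msk == sta.msk)
```

The point the model makes visible is the ordering the guide describes: the multicast master key never travels in the clear, it is wrapped and integrity-protected with keys that exist only after the unicast negotiation has produced a unicast key security association, and a PSK mismatch surfaces as a MIC failure on the very first response rather than as a later decryption error.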