Seamless roaming for clients between access points with WPA-2 encryption

US 10,341,908 B1
Filed: 03/01/2018
Issued: 07/02/2019
Est. Priority Date: 03/01/2018
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

storing, at a first access point of a plurality of access points, an encryption key for encrypted communication with a client device;

using the encryption key to perform encrypted communication between the first access point and the client device;

generating, at each particular access point of the plurality of access points, a particular connection score of a plurality of connection scores wherein each particular connection score is generated by the particular access point based on connection criteria and wherein the connection criteria is data that describes performance of the particular access point or communication between the particular access point and the client device;

receiving, at the first access point, the plurality of connection scores from the plurality of access points,determining, at the first access point, that a connection score associated with a second access point of the plurality of access points exceeds the connection score associated with the first access point; and

in response to determining that the connection score associated with the second access point of the plurality of access points exceeds the connection score associated with the first access point;

halting encrypted communication between the first access point and the client device;

sending the encryption key from the first access point to the second access point; and

using the encryption key to perform encrypted communication between the second access point and the client device, wherein the method is performed using one or more processors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A wireless network system that provides for seamless roaming of client devices is described. The wireless network system includes a plurality of access points. One access point is designated as the primary access point that is responsible for handling encrypted communication with the client device. The primary access point has access to the necessary encryption key(s) for encrypted communication. The primary access point receives broadcast updates from the other access points that includes connection scores. When a connection score for a second access point exceeds the connection score of the current primary access point, the current primary access point designates the second access point as the new primary access point and sends the new primary access point the encryption key(s) for encrypted communication. The handoff is seamless and does not require a new handshake between the new primary access point and the client device.

Citations

20 Claims

1. A method, comprising:
- storing, at a first access point of a plurality of access points, an encryption key for encrypted communication with a client device;
  
  using the encryption key to perform encrypted communication between the first access point and the client device;
  
  generating, at each particular access point of the plurality of access points, a particular connection score of a plurality of connection scores wherein each particular connection score is generated by the particular access point based on connection criteria and wherein the connection criteria is data that describes performance of the particular access point or communication between the particular access point and the client device;
  
  receiving, at the first access point, the plurality of connection scores from the plurality of access points,determining, at the first access point, that a connection score associated with a second access point of the plurality of access points exceeds the connection score associated with the first access point; and
  
  in response to determining that the connection score associated with the second access point of the plurality of access points exceeds the connection score associated with the first access point;
  
  halting encrypted communication between the first access point and the client device;
  
  sending the encryption key from the first access point to the second access point; and
  
  using the encryption key to perform encrypted communication between the second access point and the client device, wherein the method is performed using one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the connection criteria comprises data that measures a performance load of the access point.
  - 3. The method of claim 1, wherein the connection criteria comprises data that measures latency of communication between the client device and the access point.
  - 4. The method of claim 1, wherein the connection criteria comprises data that measures a received signal strength indicator (RSSI) of a signal between the client device and the access point.
  - 5. The method of claim 1, further comprising:
    - performing a 4-way handshake between the first access point and the client device to generate the encryption key.
  - 6. The method of claim 1, wherein the encryption key comprises a Pairwise Transient Key (PTK).
  - 7. The method of claim 6, wherein the PTK comprises an initialization vector (IV), wherein the IV is a monotonically increasing counter for data packet communication.
  - 8. The method of claim 7, wherein halting encrypted communication between the first access point and the client device comprises halting incrementation of the IV.
  - 9. The method of claim 1, wherein using the encryption key to perform encrypted communication between the second access point and the client device comprising performing encrypted communication between the second access point and the client device without performing a 4-way handshake between the second access point and the client device.
  - 10. The method of claim 1, further comprising:
    - broadcasting, by each access point of the plurality of access points, a Basic Service Set Identifier (BSSID), wherein the BSSID is the same for each access point of the plurality of access points.

11. One or more non-transitory computer-readable media storing instructions, wherein the instructions include instructions which, when executed by one or more processors, cause:
- storing, at a first access point of a plurality of access points, an encryption key for encrypted communication with a client device;
  
  using the encryption key to perform encrypted communication between the first access point and the client device;
  
  generating, at each particular access point of the plurality of access points, a particular connection score of a plurality of connection scores wherein each particular connection score is generated by the particular access point based on connection criteria and wherein the connection criteria is data that describes performance of the particular access point or communication between the particular access point and the client device;
  
  receiving, at the first access point, the plurality of connection scores from the plurality of access points,determining, at the first access point, that a connection score associated with a second access point of the plurality of access points exceeds the connection score associated with the first access point; and
  
  in response to determining that the connection score associated with the second access point of the plurality of access points exceeds the connection score associated with the first access point;
  
  halting encrypted communication between the first access point and the client device;
  
  sending the encryption key from the first access point to the second access point; and
  
  using the encryption key to perform encrypted communication between the second access point and the client device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The one or more non-transitory computer-readable media of claim 11, wherein the connection criteria comprises data that measures a performance load of the access point.
  - 13. The one or more non-transitory computer-readable media of claim 11, wherein the connection criteria comprises data that measures latency of communication between the client device and the access point.
  - 14. The one or more non-transitory computer-readable media of claim 11, wherein the connection criteria comprises data that measures a received signal strength indicator (RSSI) of a signal between the client device and the access point.
  - 15. The one or more non-transitory computer-readable media of claim 11, further comprising instructions which, when executed by one or more processors, cause:
    - performing a 4-way handshake between the first access point and the client device to generate the encryption key.
  - 16. The one or more non-transitory computer-readable media of claim 11, wherein the encryption key comprises a Pairwise Transient Key (PTK).
  - 17. The one or more non-transitory computer-readable media of claim 16, wherein the PTK comprises an initialization vector (IV), wherein the IV is a monotonically increasing counter for data packet communication.
  - 18. The one or more non-transitory computer-readable media of claim 17, wherein halting encrypted communication between the first access point and the client device comprises halting incrementation of the IV.
  - 19. The one or more non-transitory computer-readable media of claim 11, wherein using the encryption key to perform encrypted communication between the second access point and the client device comprising performing encrypted communication between the second access point and the client device without performing a 4-way handshake between the second access point and the client device.
  - 20. The one or more non-transitory computer-readable media of claim 11, further comprising instructions which, when executed by one or more processors, cause:
    - broadcasting, by each access point of the plurality of access points, a Basic Service Set Identifier (BSSID), wherein the BSSID is the same for each access point of the plurality of access points.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Bhartia, Apurv, Lin, Lizhen
Primary Examiner(s)
Siddiqui, Kashif

Application Number

US15/909,823
Time in Patent Office

488 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 9/5088   involving task migration

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 67/10   in which an application is ...

H04W 12/02   Protecting privacy or anony...

H04W 12/04   Key management, e.g. using ...

H04W 36/0038   of security context informa...

H04W 36/023   Buffering or recovering inf...

H04W 36/08   Reselecting an access point

H04W 36/18   for allowing seamless resel...

H04W 36/304   due to measured or perceive...

H04W 84/12   WLAN [Wireless Local Area N...

Seamless roaming for clients between access points with WPA-2 encryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Seamless roaming for clients between access points with WPA-2 encryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links