System and method for secure roaming in wireless local area networks
Abstract
A wireless data network process and system is provided, including a mobile node (MN) with a wireless transceiver, a serving GPRS support node (SGPRS), a radio access network and a gateway GPRS including a packet gateway node (PGN) with an internet connection. The PGN acts as a Mobile IP home agent (HA), with authentication of the MN handled by the GPRS/UMTS network before the PGN ever sees data traffic, in order to establish a Mobile IP authentication key. An unauthenticated key exchange method such as Diffie-Hellman, the MVQ protocol or its one-pass variant (without certificates), or the Key Exchange Algorithm can be used to establish the shared key. The process may include performing a key exchange between the MN and the PGN via radio waves, the GPRS support node and the internet connection to establish a shared secret key and an IPsec Security Association (SA) between the MN and the PGN. A hash of the key is computed at the PGN to obtain an authentication value for use in the Mobile IP protocol, and the security parameters index (SPI) obtained from the SA is used as the Mobile IP SPI identifying the MN for authentication purposes. A Mobile IP registration request is sent from the MN to the HA hosted in the PGN using the established authentication value. The PGN receives the registration request, authenticates the message using the authentication value, and sends a Mobile IP registration reply to the MN.
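As an added illustration (not code from the patent or from any implementation of it), the following Python models the Mobile IP side of the abstract: the MD5 hash of the shared key becomes the Mobile-Home authentication key, the SPI taken from the IPsec SA indexes that key at the HA, and the PGN acting as HA verifies the registration request before sending a reply. It assumes the RFC 3344 message layouts and HMAC-MD5 authenticator, which the page does not specify, and a constructed shared secret standing in for the Diffie-Hellman or MQV output.

```python
import hashlib
import hmac
import struct

MH_AUTH_EXT_TYPE = 32   # Mobile-Home Authentication Extension, RFC 3344 section 3.5.2
AUTH_LEN = 16           # HMAC-MD5 authenticator length
EXT_LEN = 6 + AUTH_LEN  # type(1) + length(1) + SPI(4) + authenticator

def mip_auth_key(shared_secret: bytes) -> bytes:
    """Authentication value as the claims describe it: an MD5 hash of the
    keying established between MN and PGN (the raw key-exchange output)."""
    return hashlib.md5(shared_secret).digest()

def registration_request(home: bytes, ha: bytes, coa: bytes, ident: int) -> bytes:
    """Fixed 24-byte Registration Request (type 1, no flags, 1800 s lifetime)."""
    return struct.pack("!BBH4s4s4sQ", 1, 0, 1800, home, ha, coa, ident)

def add_auth_ext(msg: bytes, spi: int, key: bytes) -> bytes:
    """Append the authentication extension. The SPI is the one taken from the
    IPsec SA; the authenticator covers the message plus type, length and SPI."""
    hdr = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 4 + AUTH_LEN, spi)
    return msg + hdr + hmac.new(key, msg + hdr, hashlib.md5).digest()

class HomeAgent:
    """PGN acting as HA: auth key looked up by SPI, replay check on Identification."""
    def __init__(self):
        self.keys, self.last_ident = {}, {}

    def bind(self, spi: int, key: bytes):
        self.keys[spi] = key  # learned when the IPsec SA was established

    def handle(self, pkt: bytes):
        """Return an authenticated Registration Reply, or None if rejected."""
        if len(pkt) != 24 + EXT_LEN:
            return None
        body, ext = pkt[:-EXT_LEN], pkt[-EXT_LEN:]
        etype, elen, spi = struct.unpack("!BBI", ext[:6])
        if etype != MH_AUTH_EXT_TYPE or elen != 4 + AUTH_LEN or spi not in self.keys:
            return None
        key = self.keys[spi]
        expected = hmac.new(key, body + ext[:6], hashlib.md5).digest()
        if not hmac.compare_digest(expected, ext[6:]):
            return None  # forged or tampered request
        _, _, lifetime, home, ha_addr, _, ident = struct.unpack("!BBH4s4s4sQ", body)
        if ident <= self.last_ident.get(spi, -1):
            return None  # replayed request (simplified: Identification must increase)
        self.last_ident[spi] = ident
        # Registration Reply: type 3, code 0 = accepted, echoing the Identification
        reply = struct.pack("!BBH4s4sQ", 3, 0, lifetime, home, ha_addr, ident)
        return add_auth_ext(reply, spi, key)
```

The Identification check is a simplification of the timestamp- or nonce-based replay protection in RFC 3344; the MN would verify the reply's extension with the same key and SPI.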
19 Claims
1. A wireless data network process, comprising the steps of:
providing a wireless local area network (WLAN) with a wireless access node, an internet connection and a mobile node (MN) with a wireless transceiver;
providing a serving GPRS support node with a radio network connection to a Gateway GPRS support packet gateway node (PGN) having a connection to the internet;
performing a key exchange between the MN and the PGN via radio waves, the GPRS support node and the connection to establish a shared secret key and to establish an IPsec Security Association (SA) between the MN and the PGN;
performing a hash of the key obtained at the PGN to obtain an authentication value for use in a Mobile IP protocol and using a security parameters index obtained from the SA as the Mobile IP for identifying the MN for authentication purposes;
performing a hash of the key obtained at the MN to obtain an authentication value for use in a Mobile IP protocol;
sending a Mobile IP registration request from the MN to a Home Agent (HA) hosted in the PGN using the authentication value established;
receiving the Mobile IP registration request at the PGN and authenticating the message using the authentication value and sending a Mobile IP registration reply to the MN.
10. A wireless network system, comprising:
a mobile node with a wireless transceiver;
a serving GPRS support node (SGPRS);
a radio access network;
a gateway GPRS including a packet gateway node (PGN) with an internet connection, the PGN being capable of acting as a mobile IP home agent (HA);
a wireless local area network (WLAN) with a wireless access node and an internet connection;
at least one or both of a connection from the MN to the SGPRS and a connection between the MN and the WLAN;
keying established between the PGN and the MN using the MN to the SGPRS connection to form an IPSec Security Association between the MN and the PGN with a security parameters index obtained from the SA for identifying the MN;
a Mobile IP care-of-address obtained from a DHCP server through the connection between the MN and the WLAN;
an authentication value at the PGN for use in the IP mobile protocol formed by a MD-5 hash of the keying established between the PGN and the MN;
an authentication value at the MN for use in the IP mobile protocol formed by a MD-5 hash of the keying established between the PGN and the MN;
a Mobile IP registration based on a request message from the MN to the PGN with the HA hosted in the PGN using the authentication value established and with the PGN authenticating the message using the authentication value with a Mobile IP registration reply sent from the PGN to the MN.
13. A wireless network system, comprising:
a mobile node with a wireless transceiver;
a serving GPRS support node (SGPRS);
a radio access network;
a gateway GPRS including a packet gateway node (PGN) with an internet connection, the PGN being capable of acting as a mobile IP home agent (HA) with authentication of a MN handled by the GPRS/UMTS network before the PGN ever sees data traffic to establish a Mobile IP authentication key, wherein an unauthenticated key exchange method such as Diffie-Hellman, the MVQ protocol or its one-pass variant (without certificates), or the Key Exchange Algorithm can be used to establish the shared key.