802.11 Using a compressed reassociation exchange to facilitate fast handoff
Abstract
A method and system for handling roaming mobile nodes in a wireless network. The system uses a Subnet Context Manager to store the current network session key, security policy and duration of the session (e.g. session timeout) for each mobile node, which is established when the mobile node is initially authenticated. Pairwise transient keys are derived from the network session key. The Subnet Context Manager handles subsequent reassociation requests. When a mobile node roams to a new access point, the access point obtains the network session key from the Subnet Context Manager and validates the mobile node by computing a new pairwise transient key from the network session key.
Claims (79 in total; independent claims listed below)
1. A method for establishing a secure association for a mobile node with a network, the steps comprising:
associating with an access point;
authenticating the mobile node using an extensible authentication protocol by the access point;
establishing a network session key; and
registering the mobile node into the network infrastructure wherein the network session key is used to establish a key request key and a base transient key;
wherein the base transient key is used as a counter mode key generator to provide fresh Pairwise transient keys;
wherein the key request key is used by the mobile node to prove it has proper authorization for a session wherein the roaming involves a compressed set of message exchanges to prove possession of a fresh transient key as well as delivery of the group transient key.
(Dependent claims 2-13 not shown.)

14. A mobile node, comprising:
means for associating with an access point;
means for authenticating the mobile node using an extensible authentication protocol by the access point;
means for establishing a network session key; and
means for registering the mobile node into the network infrastructure wherein the network session key is used to establish a key request key and a base transient key;
wherein the base transient key is used as a counter mode key generator to provide fresh Pairwise transient keys;
wherein the key request key is used by the mobile node to prove it has proper authorization for a session wherein the roaming involves a compressed set of message exchanges to prove possession of a fresh transient key as well as delivery of the group transient key.
(Dependent claims 15-26 not shown.)

27. A computer program product having a computer readable medium having computer program logic recorded thereon for establishing a secure association for a mobile node with a network, comprising:
means for associating with an access point;
means for authenticating the computer readable instructions using an extensible authentication protocol by the access point;
means for establishing a network session key; and
means for registering the computer readable instructions into the network infrastructure wherein the network session key is used to establish a key request key and a base transient key;
wherein the base transient key is used as a counter mode key generator to provide fresh Pairwise transient keys;
wherein the key request key is used by the computer readable instructions to prove it has proper authorization for a session wherein the roaming involves a compressed set of message exchanges to prove possession of a fresh transient key as well as delivery of the group transient key.
(Dependent claims 28-39 not shown.)

40. A method of re-association by a mobile node, the steps comprising:
sending a re-association request from a mobile node to an access point, the re-association request comprising a mobile node identification, a rekey request number, and an authentication element;
validating the current security association to the network by use of the key request key;
ensuring a fresh transient key is used to secure the 802.11 link by using an incremental rekey request number;
sending a response, the response comprising an authentication element, to the mobile node, the authentication element comprising delivery of the group transient key, and proof of possession of a Pairwise transient key by using the key to authenticate the element;
using an extensible authentication protocol over local area network key; and
confirming the response by verifying the new pairwise transient key against a second computed pairwise transient key.
(Dependent claims 41-49 not shown.)

50. A rekey sequence, the steps comprising:
computing an authentication element, the authentication element comprising a rekey request number and a new pairwise transient key;
transmitting to a responder a call for a new pairwise transient key and alerting the responder that the requestor is ready to receive and transmit using the new Pairwise transient key;
receiving a response authentication element from the responder; and
verifying the response authentication element, the response authentication element comprising the new pairwise transient key and receipt of the group transient key.
(Dependent claim 51 not shown.)

52. The rekey sequence of claim 52 further comprising incrementing the rekey request number prior to computing the authentication element.

53. An apparatus for initiating and performing a rekey sequence, comprising:
means for computing an authentication element, the authentication element comprising a rekey request number and a new pairwise transient key;
means for transmitting to a responder a call for a new pairwise transient key and alerting the responder that the requestor is ready to receive and transmit using the new Pairwise transient key;
means for receiving a response authentication element from the responder; and
means for verifying the response authentication element, the response authentication element comprising the new pairwise transient key and receipt of the group transient key.
(Dependent claims 54-55 not shown.)

56. A computer program product having a computer readable medium having computer program logic recorded thereon for initiating and performing a rekey sequence, comprising:
means for computing an authentication element, the authentication element comprising a rekey request number and a new pairwise transient key;
means for transmitting to a responder a call for a new pairwise transient key and alerting the responder that the requestor is ready to receive and transmit using the new Pairwise transient key;
means for receiving a response authentication element from the responder; and
means for verifying the response authentication element, the response authentication element comprising the new pairwise transient key and receipt of the group transient key.
(Dependent claims 57-58 not shown.)

59. A rekey sequence, the steps comprising:
receiving a rekey request, the rekey request comprising a rekey request number and an authentication element that includes delivery of the group transient key;
computing a new pairwise transient key; and
sending a ready to transmit and receive with the new pairwise transient key message.
(Dependent claims 60-65 not shown.)

66. An apparatus for responding to a rekey sequence, comprising:
means for receiving a rekey request, the rekey request comprising a rekey request number and an authentication element that includes delivery of the group transient key;
means for computing a new pairwise transient key; and
means for sending a ready to transmit and receive with the new pairwise transient key message.
(Dependent claims 67-72 not shown.)

73. A computer program product having a computer readable medium having computer program logic recorded thereon for responding to a rekey sequence, comprising:
means for receiving a rekey request, the rekey request comprising a rekey request number and an authentication element that includes delivery of the group transient key;
means for computing a new pairwise transient key; and
means for sending a ready to transmit and receive with the new pairwise transient key message.
(Dependent claims 74-79 not shown.)
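The claims above describe one exchange seen from both ends: the roaming mobile node proves its existing authorization with the key request key (KRK), both sides derive a fresh pairwise transient key (PTK) from the base transient key (BTK) using the incremented rekey request number as a counter, and the access point's single response both delivers the group transient key (GTK) and proves possession of the new PTK. The following model of that exchange is an added illustration, not code from the patent or from any vendor implementation. Every concrete construction in it is an assumption: the HMAC-SHA256 KDF, the KRK/BTK split, the message field names, the XOR-keystream GTK wrap (a stand-in for a real key-wrap), and the class names SubnetContextManager, MobileNode and AccessPoint. What it demonstrates beyond the claim text is the checks a responder needs for the exchange to be safe: the rekey request number must strictly increase (replay rejection), the KRK-keyed authentication element must verify before any PTK is installed, and both comparisons use constant-time equality.

```python
"""Toy model of the compressed reassociation / rekey exchange (added example,
assumed constructions throughout; not the patent's or any vendor's code)."""
import hashlib
import hmac
import secrets


def kdf(key, label, *parts):
    """Assumed KDF: HMAC-SHA256 over a label plus context fields."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def derive_krk_btk(nsk):
    """Claim 1: the network session key yields a key request key and a base
    transient key.  The labels used for the split are an assumption."""
    return kdf(nsk, b"KRK"), kdf(nsk, b"BTK")


def derive_ptk(btk, rn, mn_id, ap_id):
    """Claim 1: BTK acts as a counter-mode key generator.  The counter is the
    rekey request number, so each increment yields a fresh PTK on both sides."""
    return kdf(btk, b"PTK", rn.to_bytes(4, "big"), mn_id, ap_id)


def wrap(key, data):
    """Assumed GTK wrap: XOR with an HMAC-derived keystream (toy stand-in for a
    real key-wrap; applying it twice unwraps)."""
    stream = kdf(key, b"WRAP")
    return bytes(a ^ b for a, b in zip(data, stream))


def mic(key, *parts):
    """Authentication element: HMAC over the message fields under `key`."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class SubnetContextManager:
    """Abstract: per-mobile-node session context shared by all access points,
    so a roaming node is validated without a fresh EAP authentication."""
    def __init__(self):
        self.ctx = {}

    def register(self, mn_id, nsk):          # done once, after initial EAP auth
        krk, btk = derive_krk_btk(nsk)
        self.ctx[mn_id] = {"krk": krk, "btk": btk, "last_rn": 0}

    def lookup(self, mn_id):
        return self.ctx.get(mn_id)


class MobileNode:
    def __init__(self, mn_id, nsk):
        self.mn_id = mn_id
        self.krk, self.btk = derive_krk_btk(nsk)
        self.rn, self.ptk, self.gtk = 0, None, None

    def reassociation_request(self, ap_id):
        """Claims 40/50/52: increment rn, derive the new PTK, and send an
        element keyed with KRK that proves authorization for this session."""
        self.rn += 1
        self.ptk = derive_ptk(self.btk, self.rn, self.mn_id, ap_id)
        rn = self.rn.to_bytes(4, "big")
        return {"mn_id": self.mn_id, "ap_id": ap_id, "rn": self.rn,
                "mic": mic(self.krk, self.mn_id, ap_id, rn)}

    def confirm(self, response):
        """Claim 40: verify the response under our own computed PTK; only then
        accept the delivered GTK.  Returns the GTK, or None on failure."""
        if response is None or response["rn"] != self.rn:
            return None
        rn = self.rn.to_bytes(4, "big")
        expected = mic(self.ptk, rn, response["wrapped_gtk"])
        if not hmac.compare_digest(expected, response["mic"]):
            return None
        self.gtk = wrap(self.ptk, response["wrapped_gtk"])
        return self.gtk


class AccessPoint:
    def __init__(self, ap_id, scm, gtk):
        self.ap_id, self.scm, self.gtk, self.sessions = ap_id, scm, gtk, {}

    def handle_reassociation(self, req):
        """Claims 59/66: validate with KRK, enforce a strictly increasing rekey
        number, derive the PTK, and answer with the GTK under the new PTK."""
        ctx = self.scm.lookup(req["mn_id"])
        if ctx is None or req["ap_id"] != self.ap_id or req["rn"] <= ctx["last_rn"]:
            return None                      # unknown node, wrong AP, or replay
        rn = req["rn"].to_bytes(4, "big")
        if not hmac.compare_digest(mic(ctx["krk"], req["mn_id"], self.ap_id, rn), req["mic"]):
            return None                      # not authorized for this session
        ctx["last_rn"] = req["rn"]
        ptk = derive_ptk(ctx["btk"], req["rn"], req["mn_id"], self.ap_id)
        self.sessions[req["mn_id"]] = ptk
        wrapped = wrap(ptk, self.gtk)
        return {"rn": req["rn"], "wrapped_gtk": wrapped, "mic": mic(ptk, rn, wrapped)}


def demo():
    """Roam mn-01 from ap-1 to ap-2; replaying the first request must fail."""
    nsk = secrets.token_bytes(32)            # constructed: result of initial EAP auth
    gtk = secrets.token_bytes(16)            # constructed group key
    scm = SubnetContextManager()
    scm.register(b"mn-01", nsk)
    mn = MobileNode(b"mn-01", nsk)
    ap1, ap2 = AccessPoint(b"ap-1", scm, gtk), AccessPoint(b"ap-2", scm, gtk)
    req = mn.reassociation_request(b"ap-1")
    ok_ap1 = mn.confirm(ap1.handle_reassociation(req)) == gtk
    replay_rejected = ap1.handle_reassociation(req) is None
    ok_ap2 = mn.confirm(ap2.handle_reassociation(mn.reassociation_request(b"ap-2"))) == gtk
    return ok_ap1, replay_rejected, ok_ap2, ap2.sessions[b"mn-01"] == mn.ptk


if __name__ == "__main__":
    print(demo())
```

Two design points carry the security of the exchange. The rekey request number doubles as the counter-mode input and the replay guard, so the context store (here the SubnetContextManager) must persist `last_rn` across access points; an access point that checked only its own history would accept a request already consumed elsewhere. And the PTK is installed only after the KRK-keyed element verifies, so an unauthorized request costs the responder one HMAC and no state change.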