802.11 Using a compressed reassociation exchange to facilitate fast handoff

US 20040103282A1
Filed: 04/17/2003
Published: 05/27/2004
Est. Priority Date: 11/26/2002
Status: Active Grant

First Claim

Patent Images

1. A method for establishing a secure association for a mobile node with a network, the steps comprising:

associating with an access point;

authenticating the mobile node using an extensible authentication protocol by the access point;

establishing a network session key; and

registering the mobile node into the network infrastructure wherein the network session key is used to establish a key request key and a base transient key;

wherein the base transient key is used as a counter mode key generator to provide fresh Pairwise transient keys;

wherein the key request key is used by the mobile node to prove it has proper authorization for a session wherein the roaming involves a compressed set of message exchanges to prove possession of a fresh transient key as well as delivery of the group transient key

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for handling roaming mobile nodes in a wireless network. The system uses a Subnet Context Manager to store current Network session keys, security policy and duration of the session (e.g. session timeout) for mobile nodes, which is established when the mobile node is initially authenticated. Pairwise transit keys are derived from the network session key. The Subnet Context Manager handles subsequent reassociation requests. When a mobile node roams to a new access point, the access point obtains the network session key from the Subnet Context Manager and validates the mobile node by computing a new pairwise transient key from the network session key.

Citations

79 Claims

1. A method for establishing a secure association for a mobile node with a network, the steps comprising:
- associating with an access point;
  
  authenticating the mobile node using an extensible authentication protocol by the access point;
  
  establishing a network session key; and
  
  registering the mobile node into the network infrastructure wherein the network session key is used to establish a key request key and a base transient key;
  
  wherein the base transient key is used as a counter mode key generator to provide fresh Pairwise transient keys;
  
  wherein the key request key is used by the mobile node to prove it has proper authorization for a session wherein the roaming involves a compressed set of message exchanges to prove possession of a fresh transient key as well as delivery of the group transient key
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 further comprising sending the network session key to a Subnet Context Manager.
  - 3. The method of claim 1 wherein the extensible authentication protocol is 802.1X compliant.
  - 4. The method of claim 1 further comprising authenticating key refreshes using the key request key.
  - 5. The method of claim 4 further comprising deriving a pairwise transient keys using the base transient key.
  - 6. The method of claim 1 further comprising delivering the group transient key in the re-association request to compress and optimize messages.
  - 7. The method of claim 1 further comprising computing a Key Request Key and a Base Transient Key from the network session key using a pseudo random function.
  - 8. The method of claim 1 further comprising sending a re-association request, the re-association request comprising a rekey request number and an authenticated element.
  - 9. The method of claim 8 further comprising verifying the rekey request number of the re-association request is greater than a previous rekey request number.
  - 10. The method of claim 8 wherein the re-association request further comprises replay protection.
  - 11. The method of claim 10 wherein the replay protection comprises a timestamp.
  - 12. The method of claim 10 wherein the replay protection comprises a random challenge.
  - 13. The method of claim 8 wherein the authenticated element authenticates the security policy defined by the mobile node

14. A mobile node, comprising:
- means for associating with an access point;
  
  means for authenticating the mobile node using an extensible authentication protocol by the access point;
  
  means for establishing a network session key; and
  
  means for registering the mobile node into the network infrastructure wherein the network session key is used to establish a key request key and a base transient key;
  
  wherein the base transient key is used as a counter mode key generator to provide fresh Pairwise transient keys;
  
  wherein the key request key is used by the mobile node to prove it has proper authorization for a session wherein the roaming involves a compressed set of message exchanges to prove possession of a fresh transient key as well as delivery of the group transient key
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The mobile node of claim 14 further comprising means for sending the network session key to a Subnet Context Manager.
  - 16. The mobile node of claim 14 wherein the extensible authentication protocol is 802.1X compliant.
  - 17. The mobile node of claim 14 further comprising means for authenticating key refreshes using the key request key.
  - 18. The mobile node of claim 17 further comprising means for deriving a pairwise transient keys using the base transient key.
  - 19. The mobile node of claim 14 further comprising means for delivering the group transient key in the re-association request to compress and optimize messages.
  - 20. The mobile node of claim 14 further comprising means for computing a Key Request Key and a Base Transient Key from the network session key using a pseudo random function.
  - 21. The mobile node of claim 14 further comprising means for sending a reassociation request, the re-association request comprising a rekey request number and an authenticated element.
  - 22. The mobile node of claim 21 further means for comprising verifying the rekey request number of the re-association request is greater than a previous rekey request number.
  - 23. The mobile node of claim 21 wherein the means for re-association request further comprises means for replay protection.
  - 24. The mobile node of claim 23 wherein the means for replay protection comprises means for using a timestamp.
  - 25. The mobile node of claim 23 wherein the means for replay protection comprises means for a random challenge.
  - 26. The mobile node of claim 21 wherein the authenticated element authenticates the security policy defined by the mobile node

27. A computer program product having a computer readable medium having computer program logic recorded thereon for establishing a secure association for a mobile node with a network, comprising means for associating with an access point;
- means for authenticating the computer readable instructions using an extensible authentication protocol by the access point;
  
  means for establishing a network session key; and
  
  means for registering the computer readable instructions into the network infrastructure wherein the network session key is used to establish a key request key and a base transient key;
  
  wherein the base transient key is used as a counter mode key generator to provide fresh Pairwise transient keys;
  
  wherein the key request key is used by the computer readable instructions to prove it has proper authorization for a session wherein the roaming involves a compressed set of message exchanges to prove possession of a fresh transient key as well as delivery of the group transient key
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 28. The computer program product of claim 27 further comprising means for sending the network session key to a Subnet Context Manager.
  - 29. The computer program product of claim 27 wherein the extensible authentication protocol is 802.1X compliant.
  - 30. The computer program product of claim 27 further comprising means for authenticating key refreshes using the key request key.
  - 31. The computer program product of claim 30 further comprising means for deriving a pairwise transient keys using the base transient key.
  - 32. The computer program product of claim 27 further comprising means for delivering the group transient key in the re-association request to compress and optimize messages.
  - 33. The computer program product of claim 27 further comprising means for computing a Key Request Key and a Base Transient Key from the network session key using a pseudo random function.
  - 34. The computer program product of claim 27 further comprising means for sending a re-association request, the re-association request comprising a rekey request number and an authenticated element.
  - 35. The computer program product of claim 34 further means for comprising verifying the rekey request number of the re-association request is greater than a previous rekey request number.
  - 36. The computer program product of claim 34 wherein the means for reassociation request further comprises means for replay protection.
  - 37. The computer program product of claim 36 wherein the means for replay protection comprises means for using a timestamp.
  - 38. The computer program product of claim 36 wherein the means for replay protection comprises means for a random challenge.
  - 39. The computer program product of claim 34 wherein the authenticated element authenticates the security policy defined by the computer program product

40. A method of re-association by a mobile node, the steps comprising:
- sending a re-association request from a mobile node to an access point, the re-association request comprising a mobile node identification, a rekey request number, and an authentication element;
  
  validating the current security association to the network by use of the key request key;
  
  ensuring a fresh transient key is used to secure the 802.11 link by using an incremental rekey request number;
  
  sending a response, the response comprising an authentication element, to the mobile node, the authentication element comprising delivery of the group transient key, and proof of possession of a Pairwise transient key by using the key to authenticate the element;
  
  using an extensible authentication protocol over local area network key; and
  
  confirming the response by verifying the new pairwise transit key to a second computed pairwise transit key.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 41. The method of claim 40 further comprising validating the response by verifying the new pairwise transient key.
  - 42. The method of claim 41, the validating the response step further comprises verifying a timestamp included in the response.
  - 43. The method of claim 40 wherein the authentication element uses a current fresh pairwise transient key.
  - 44. The method of claim 40 wherein the validating step is performed by one of the group consisting of a subnet context manager, and the access server.
  - 45. The method of claim 40 wherein the validation request comprises verifying a timestamp of the re-association request is within a configurable value.
  - 46. The method of claim 40, the validation step further comprises verifying the sequence number is greater than a previous value.
  - 47. The method of claim 40, the validating step comprises sending to a query to a subnet context manager to validate the re-association request.
  - 48. The method of claim 47 further comprising receiving a the mobile node session timeout and a base transient key from the subnet context manager.
  - 49. The method of claim 48 further comprising generating pairwise transient key, the sending step further comprising:
    - authenticating the rekey number and the base transient key, forming an authenticated reply; and
      
      sending the encrypted reply.

50. A rekey sequence, the steps comprising:
- computing an authentication element, the authentication element comprising a rekey request number and a new pair transient key transmitting to a responder a call for a new pairwise transient key and alerting the responder that the requestor is ready to receive and transmit using the new Pairwise transient key;
  
  receiving an response authentication element from the responder; and
  
  verifying the response authentication element, the response authentication element comprising the new pair transient key and receipt of the group transient key
- View Dependent Claims (51)
- - 51. The rekey sequence of claim 50 further comprising sending an extensible authentication protocol over local area network key confirm message.

52. The rekey sequence of claim 52 further comprising incrementing the rekey request number prior to computing the authentication element.

53. An apparatus for initiating and performing a rekey sequence, comprising:
- means for computing an authentication element, the authentication element comprising a rekey request number and a new pair transient key means for transmitting to a responder a call for a new pairwise transient key and alerting the responder that the requestor is ready to receive and transmit using the new Pairwise transient key;
  
  means for receiving an response authentication element from the responder; and
  
  means for verifying the response authentication element, the response authentication element comprising the new pair transient key and receipt of the group transient key
- View Dependent Claims (54, 55)
- - 54. The apparatus of claim 53 further comprising means for sending an extensible authentication protocol over local area network key confirm message.
  - 55. The apparatus of claim 54 further comprising means for incrementing the rekey request number prior to computing the authentication element.

56. A computer program product having a computer readable medium having computer program logic recorded thereon for initiating and performing a rekey sequence, comprising:
- means for computing an authentication element, the authentication element comprising a rekey request number and a new pair transient key means for transmitting to a responder a call for a new pairwise transient key and alerting the responder that the requestor is ready to receive and transmit using the new Pairwise transient key;
  
  means for receiving an response authentication element from the responder; and
  
  means for verifying the response authentication element, the response authentication element comprising the new pair transient key and receipt of the group transient key
- View Dependent Claims (57, 58)
- - 57. The computer program product of claim 56 further comprising means for sending an extensible authentication protocol over local area network key confirm message.
  - 58. The computer program product of claim 57 further comprising means for incrementing the rekey request number prior to computing the authentication element.

59. A rekey sequence, the steps comprising:
- receiving a rekey request, the rekey request comprising a rekey request number and an authentication element that includes delivery of the group transient key;
  
  computing a new pair transient key; and
  
  sending a ready to transmit and receive with the new pair transient key message.
- View Dependent Claims (60, 61, 62, 63, 64, 65)
- - 60. The rekey sequence of claim 59 further comprising receiving an extensible authentication protocol over local area network key confirm message.
  - 61. The rekey sequence of claim 59 further comprising verifying the rekey request number is greater than a cached rekey request number.
  - 62. The rekey sequence of claim 59 further comprising verifying all attributes of an extensible authentication protocol over local area network key request.
  - 63. The rekey sequence of claim 59 further comprising updating a cached rekey request number.
  - 64. The rekey sequence of claim 59 wherein the authentication element comprises a new initiator pair transient key, the steps further comprising comparing the new pair transient key with the new initiator pair transient key.
  - 65. The rekey sequence of claim 59 wherein the authentication element comprises a key wrapped group transient key.

66. An apparatus for responding to a rekey sequence, comprising:
- means for receiving a rekey request, rekey request comprising a rekey request number and an authentication element that includes delivery of the group transient key;
  
  means for computing a new pair transient key; and
  
  means for sending a ready to transmit and receive with the new pair transient key message.
- View Dependent Claims (67, 68, 69, 70, 71, 72)
- - 67. The apparatus of claim 66 further comprising means for receiving an extensible authentication protocol over local area network key confirm message.
  - 68. The apparatus of claim 66 further comprising means for verifying the rekey request number is greater than a cached rekey request number.
  - 69. The apparatus sequence of claim 66 further comprising means for verifying all attributes of an extensible authentication protocol over local area network key request.
  - 70. The apparatus of claim 66 further comprising means for updating a cached rekey request number.
  - 71. The apparatus of claim 66 wherein the authentication element comprises a new initiator pair transient key, the steps further comprising comparing the new pair transient key with the new initiator pair transient key.
  - 72. The apparatus of claim 66 wherein the authentication element comprises a key wrapped group transient key.

73. A computer program product having a computer readable medium having computer program logic recorded thereon for responding to a rekey sequence, comprising:
- means for receiving a rekey request, rekey request comprising a rekey request number and an authentication element that includes delivery of the group transient key;
  
  means for computing a new pair transient key; and
  
  means for sending a ready to transmit and receive with the new pair transient key message.
- View Dependent Claims (74, 75, 76, 77, 78, 79)
- - 74. The computer program product of claim 73 further comprising means for receiving an extensible authentication protocol over local area network key confirm message.
  - 75. The computer program product of claim 73 further comprising means for verifying the rekey request number is greater than a cached rekey request number.
  - 76. The computer program product sequence of claim 73 further comprising means for verifying all attributes of an extensible authentication protocol over local area network key request.
  - 77. The computer program product of claim 73 further comprising means for updating a cached rekey request number.
  - 78. The computer program product of claim 73 wherein the authentication element comprises a new initiator pair transient key, the steps further comprising comparing the new pair transient key with the new initiator pair transient key.
  - 79. The computer program product of claim 73 wherein the authentication element comprises a key wrapped group transient key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Meier, Robert, Smith, Douglas, Rebo, Richard D., Winget, Nancy Cam, Griswold, Victor J.

Granted Patent

US 7,350,077 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

G06Q 20/3674   involving authentication

H04L 2209/80   Wireless

H04L 2463/061   applying further key deriva...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 9/0836   using tree structure or hie...

H04L 9/0891   Revocation or update of sec...

H04W 12/04   Key management, e.g. using ...

H04W 12/062   Pre-authentication

H04W 84/12   WLAN [Wireless Local Area N...

Y10S 707/99945   Object-oriented database st...

Y10S 707/99948   Application of database or ...

802.11 Using a compressed reassociation exchange to facilitate fast handoff

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

79 Claims

Specification

Solutions

Use Cases

Quick Links

802.11 Using a compressed reassociation exchange to facilitate fast handoff

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

79 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links