Pre-authentication of mobile clients by sharing a master key among secured authenticators

US 20050254653A1
Filed: 08/20/2004
Published: 11/17/2005
Est. Priority Date: 05/14/2004
Status: Abandoned Application

First Claim

Patent Images

1. A wireless network, comprising an authentication server disposed in a secured environment;

a plurality of authenticators coupled to the authentication server and disposed in the secured environment, at least two of said plurality of authenticators configured to share a master key; and

a plurality of access points coupled to the plurality of authenticators, one or more of the access points configured to store a session specific key.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for pre-authenticating a mobile client in a wireless network. Authenticators in a secured section of the wireless network share a master key generated during an authentication session between a mobile client and an authentication server. The shared master key is not allowed to reside on any devices located outside the secured section of the network. Accordingly, the likelihood that the master key may be hijacked is essentially eliminated. A first session encryption key is derived from the master key and used by the mobile client and a first access point during a first communications session. When the mobile client roams to a second access point, a fast authentication process is performed. The fast authentication process retrieves the shared master key and generates a second session encryption key. A full authentication process between the authentication server and the mobile client is not required. The second session encryption key is used by the mobile client and a second access point during a second communications session.

100 Citations

View as Search Results

30 Claims

1. A wireless network, comprising an authentication server disposed in a secured environment;
- a plurality of authenticators coupled to the authentication server and disposed in the secured environment, at least two of said plurality of authenticators configured to share a master key; and
  
  a plurality of access points coupled to the plurality of authenticators, one or more of the access points configured to store a session specific key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The wireless network according to claim 1 wherein the shared master key comprises a pairwise master key (PMK).
  - 3. The wireless network according to claim 1 wherein the session specific key comprises a pairwise transient key (PTK).
  - 4. The wireless network according to claim 3 wherein a session related access point uses an associated PTK to decrypt data packets received from a mobile client and is used to encrypt data packets sent to the mobile client.
  - 5. The wireless network according to claim 1 wherein the master key shared by said at least two of said plurality of authenticators is used to generate a second session specific key for use in a new session between a mobile client and a second access point.
  - 6. The wireless network according to claim 5 wherein the second session specific key is generated after termination of the original session.
  - 7. The wireless network according to claim 1 wherein one or more of said plurality of authenticators comprises one or more network access controllers.
  - 8. The wireless network according to claim 7 wherein said one or more network access controllers comprises one or more multi-port switches.

9. A method of establishing a communications session in a wireless network, comprising:
- performing an authentication session between an authentication server disposed within a secured section of the wireless network and a mobile client located outside the secured section;
  
  storing a master key on an authenticator disposed within the secured section; and
  
  generating a first temporary encryption key for use by the mobile client and a first access point during a first communications session.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 27, 28, 29, 30)
- - 10. The method of claim 9, further comprising using said master key to generate a second temporary encryption key for use by the mobile client and a second access point during a second communications session.
  - 11. The method of claim 10 wherein the second temporary encryption key is generated after commencement of the second communications session.
  - 12. The method of claim 9 wherein the authenticator comprises a network access controller.
  - 13. The method of claim 12 wherein said network access controller comprises a multi-port switch.
  - 14. The method of claim 9, further comprising performing a fast authentication process upon the mobile client roaming to a second access point.
  - 15. The method of claim 14 wherein the fast authentication process comprises:
    - retrieving the master key; and
      
      using the retrieved master key, generating a second temporary encryption key for use by the mobile client and the second access point during a second communications session.
  - 27. The system of claim 15, further comprising a second authenticator coupled to the first authenticator.
  - 28. The system of claim 27, further comprising a mobility controller coupled to the first and second authenticators.
  - 29. The system of claim 28 wherein said first and second authenticators comprise one or more network access controllers.
  - 30. The system of claim 29 wherein said one or more network access controller comprises one or more multi-port switches.

16. A system, comprising:
- an authentication server disposed within a secured section of a wireless network;
  
  one or more authenticators within the secured section coupled to the authentication server; and
  
  one or more wireless access points located outside the secured section and coupled to said one or more authenticators, wherein said one or more authenticators and a properly authenticated mobile client are configured to store a master key, and the mobile client and an access point of the plurality of access points are configured to store a temporary encryption key for use in a current communications session.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The system of claim 16 wherein the master key comprises a pairwise master key (PMK).
  - 18. The system of claim 16 wherein the temporary encryption key comprises a pairwise transient key (PTK).
  - 19. The system of claim 16 wherein said one or more authenticators comprises one or more network access controllers.
  - 20. The system of claim 19 wherein said one or more network access controllers comprises one or more multi-port switches.
  - 21. The system of claim 16 wherein the master key is used to generate a second temporary encryption key for use in a second communications session.
  - 22. The system of claim 21 wherein the second communications session occurs following termination of the current communications session.
  - 23. The system of claim 22 wherein the second temporary encryption key is generated after commencement of the second communications session.

24. A system, comprising:
- an authentication server disposed in a secured section of a network; and
  
  an authenticator disposed in the secured section of the network, said authenticator configured to store a master key resulting from an authentication process, wherein said master key is used to generate a first session specific key for use by an authenticated mobile client and an access point coupled to the authenticator during a first communications session.
- View Dependent Claims (25, 26)
- - 25. The system of claim 24 wherein the master key is used to generate a second session specific key for use in a new communications session between the mobile client and a second access point.
  - 26. The system of claim 25 wherein the second session specific key is generated after termination of the first communications session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Motorola, Inc. (Motorola Solutions, Inc.)
Original Assignee
Proxim Corp.
Inventors
Wong, Daniel Y., Wilson, Timothy J., Sadot, Emek, Potashnik, Alexei, Shukla, Gajendra

Application Number

US10/923,208
Publication Number

US 20050254653A1
Time in Patent Office

Days
Field of Search
US Class Current

380/270
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 9/0844   with user authentication or...

H04L 9/321   involving a third party or ...

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

H04W 84/12   WLAN [Wireless Local Area N...

Pre-authentication of mobile clients by sharing a master key among secured authenticators

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Pre-authentication of mobile clients by sharing a master key among secured authenticators

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links