Method for performing authenticated handover in a wireless local area network
Abstract
A wireless local area network system (100) supporting mobile radio telephony reduces the time to complete an authenticated handover from one access point (104) to another (108) by a mobile station (102) by performing some of the steps normally performed upon leaving one access point while still associated with that access point. More particularly, the mobile station causes a cryptographic key (204) to be preestablished (212) for use when handing over to a new access point. The cryptographic key is derived at the mobile station, and is also derived in the WLAN infrastructure and stored until the mobile station initiates a handover.
22 Claims
1. A method for performing authenticated handover in a wireless local area network (WLAN) by a mobile station, comprising:
    while associated with a first access point;
    obtaining a fast handoff master key from an authentication server associated with the WLAN;
    calculating a pairwise master key and a pairwise master key identifier from the master key;
    obtaining a list of ANonce values and neighbor access point identifiers from the first access point, where each ANonce value is unique and associated with one neighbor access point;
    deciding to handover to a second access point, the second access point being a neighbor access point of the first access point;
    upon deciding to handover to the second access point, transmitting a reassociation request to the second access point, the reassociation request including the pairwise master key identifier and an SNonce value;
    receiving from the second access point a reassociation response including an indication that the second access point has acquired the pairwise master key;
    calculating a pairwise temporary key based on the pairwise master key, SNonce value, and ANonce value associated with the second access point on the list of ANonce values obtained from the first access point;
    installing the pairwise temporary key; and
    commencing service with the second access point using the pairwise temporary key.
    (Dependent claims: 2)

3. A method of performing authenticated handover from a first access point to a second access point by a mobile station in a wireless local area network, the second access point being a neighbor access point of the first access point, the method comprising:
    preauthenticating a first cryptographic key with an authentication server in the WLAN;
    receiving a list of neighbor access points and associated access point cryptographic values from the first access point;
    deriving a second cryptographic key from the first cryptographic key according to a predefined computation;
    deriving a second cryptographic key identifier from the second cryptographic key;
    deciding to reassociate with the second access point;
    transmitting a reassociation request to the second access point, including a key identifier associated with the master key and a station cryptographic value;
    receiving a reassociation response from the second access point including an indication that the second access point has acquired the second cryptographic key;
    deriving a session cryptographic key from the second cryptographic key, station cryptographic value, and access point cryptographic value associated with the second access point on the list of neighbor access points acquired from the first access point; and
    installing the session cryptographic key for use while communicating with the second access point.

4. A method for performing authenticated handover in a wireless local area network (WLAN) by a mobile station from a first access point to a second access point, the second access point being a neighbor access point of the first access point, the method comprising:
    while the mobile station is associated with the first access point;
    generating a first cryptographic key at an authentication server in the WLAN in response to an authentication request by the mobile station;
    distributing the first cryptographic key to the mobile station and an acting key depository coupled to the WLAN;
    calculating a second cryptographic key based on the first cryptographic key at the mobile station and acting key depository;
    receiving a reassociation request at the second access point including a second cryptographic key identifier;
    acquiring the second cryptographic key from the key depository;
    transmitting a confirmation to the mobile station indicating the second access point is in possession of the second cryptographic key;
    deriving a session key at the mobile station and the second access point based on the second cryptographic key;
    installing the session key at the mobile station and the second access point; and
    commencing service between the second access point and the mobile station using the session key for secure communication.
    (Dependent claims: 5, 6, 7, 8, 9)

10. A method for performing authenticated handover in a wireless local area network (WLAN) by a mobile station, comprising:
    while associated with a first access point;
    obtaining key material from an authentication server associated with the WLAN;
    calculating a pairwise master key from the key material;
    obtaining a list of ANonce values and neighbor access point identifiers from the first access point, where each ANonce value is unique and associated with one neighbor access point;
    deciding to handover to a second access point, the second access point being a neighbor access point of the first access point;
    upon deciding to handover to the second access point, transmitting a reassociation request to the second access point, the reassociation request including a pairwise master key identifier calculated from the pairwise master key and an SNonce value;
    receiving from the second access point a reassociation response including an indication that the second access point has acquired the pairwise master key;
    calculating a pairwise temporary key based on the pairwise master key, SNonce value, and ANonce value associated with the second access point on the list of ANonce values obtained from the first access point;
    installing the pairwise temporary key; and
    commencing service with the second access point using the pairwise temporary key.
    (Dependent claims: 11)

12. A method of performing authenticated handover from a first access point to a second access point by a mobile station in a wireless local area network, the second access point being a neighbor access point of the first access point, the method comprising:
    obtaining a cryptographic key;
    receiving a list of neighbor access points and associated access point cryptographic values from the first access point;
    deciding to reassociate with the second access point;
    deriving a cryptographic key identifier from the cryptographic key;
    transmitting a reassociation request to the second access point, including a key identifier associated with the cryptographic key and a station cryptographic value;
    receiving a reassociation response from the second access point including an indication that the second access point has acquired the cryptographic key;
    deriving a session cryptographic key from the cryptographic key, station cryptographic value, and access point cryptographic value associated with the second access point on the list of neighbor access points acquired from the first access point; and
    installing the session cryptographic key for use while communicating with the second access point.
    (Dependent claims: 13, 14)

15. A method for performing authenticated handover in a wireless local area network (WLAN) by a mobile station from a first access point to a second access point, the second access point being a neighbor access point of the first access point, the method comprising:
    while the mobile station is associated with the first access point;
    generating a cryptographic key at an authentication server in the WLAN in response to an authentication request by the mobile station;
    distributing the cryptographic key to an acting key depository coupled to the WLAN;
    receiving a reassociation request at the second access point including a cryptographic key identifier;
    acquiring the cryptographic key from the key depository;
    transmitting a confirmation to the mobile station indicating the second access point is in possession of the cryptographic key;
    deriving a session key at the mobile station and the second access point based on the second cryptographic key;
    installing the session key at the mobile station and the second access point; and
    commencing service between the second access point and the mobile station using the session key for secure communication.
    (Dependent claims: 16, 17, 18, 19, 20, 21, 22)

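The handover protocol the independent claims describe (claims 1, 4, 10 and 15 in particular: master key from the authentication server, PMK and PMKID computed at both the station and a key depository, a per-neighbor ANonce list handed out by the current AP, and a PTK derived at reassociation time), as an added Python simulation. This is illustrative code written for this page, not the patent's or any vendor's implementation. The choice of HMAC-SHA256 as the KDF, the 16-byte PMKID, the assumption that neighboring APs share their current ANonce with each other over the infrastructure, and the stale-nonce and unknown-PMKID failure cases are assumptions of this example; the claims do not fix those details.

```python
from __future__ import annotations
import hmac
import hashlib
import os
from dataclasses import dataclass, field


def kdf(key: bytes, label: bytes, *parts: bytes, length: int = 32) -> bytes:
    """HMAC-SHA256 keyed derivation (assumption: the claims name no specific KDF)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:length]


def derive_pmk(fhmk: bytes, station_id: bytes) -> tuple[bytes, bytes]:
    """PMK and PMKID from the fast handoff master key; the station and the key
    depository run the same computation so the PMKID later matches."""
    pmk = kdf(fhmk, b"PMK", station_id)
    pmkid = kdf(pmk, b"PMKID", station_id, length=16)
    return pmk, pmkid


def derive_ptk(pmk: bytes, station_id: bytes, ap_id: bytes, snonce: bytes, anonce: bytes) -> bytes:
    """Pairwise temporary key bound to both identities and both nonces."""
    return kdf(pmk, b"PTK", station_id, ap_id, snonce, anonce)


@dataclass
class KeyDepository:
    """Acting key depository (claims 4, 15): PMKs indexed by PMKID."""
    pmks: dict = field(default_factory=dict)

    def store(self, station_id: bytes, fhmk: bytes) -> None:
        pmk, pmkid = derive_pmk(fhmk, station_id)
        self.pmks[pmkid] = pmk

    def lookup(self, pmkid: bytes) -> bytes | None:
        return self.pmks.get(pmkid)


@dataclass
class AccessPoint:
    ap_id: bytes
    depository: KeyDepository
    anonce: bytes = field(default_factory=lambda: os.urandom(32))
    neighbors: list = field(default_factory=list)
    installed_ptk: bytes | None = None

    def neighbor_list(self) -> list[tuple[bytes, bytes]]:
        """(neighbor AP id, ANonce) pairs given to a station while still associated.
        Assumption: neighbors learn each other's current ANonce via the infrastructure."""
        return [(n.ap_id, n.anonce) for n in self.neighbors]

    def handle_reassociation(self, station_id: bytes, pmkid: bytes, snonce: bytes) -> dict:
        pmk = self.depository.lookup(pmkid)
        if pmk is None:
            # Unknown PMKID: no pre-established key, so the fast path is refused
            # and the station must run a full authentication instead.
            return {"has_pmk": False}
        self.installed_ptk = derive_ptk(pmk, station_id, self.ap_id, snonce, self.anonce)
        return {"has_pmk": True}

    def rotate_anonce(self) -> None:
        self.anonce = os.urandom(32)


@dataclass
class MobileStation:
    station_id: bytes
    pmk: bytes | None = None
    pmkid: bytes | None = None
    anonce_list: dict = field(default_factory=dict)
    installed_ptk: bytes | None = None

    def authenticate(self, fhmk: bytes) -> None:
        self.pmk, self.pmkid = derive_pmk(fhmk, self.station_id)

    def learn_neighbors(self, current_ap: AccessPoint) -> None:
        self.anonce_list = dict(current_ap.neighbor_list())

    def handover(self, target: AccessPoint) -> bool:
        """Reassociation request carrying PMKID + SNonce; PTK derived only after
        the target confirms it holds the PMK. Returns True if service can start."""
        anonce = self.anonce_list.get(target.ap_id)
        if anonce is None:
            return False  # target not on the neighbor list: nothing pre-established
        snonce = os.urandom(32)
        resp = target.handle_reassociation(self.station_id, self.pmkid, snonce)
        if not resp["has_pmk"]:
            return False
        self.installed_ptk = derive_ptk(self.pmk, self.station_id, target.ap_id, snonce, anonce)
        return True


def authentication_server_issue(depository: KeyDepository, station: MobileStation) -> None:
    """Authentication server generates the fast handoff master key and distributes
    it to the station and the depository while the station is still on its first AP."""
    fhmk = os.urandom(32)
    station.authenticate(fhmk)
    depository.store(station.station_id, fhmk)


def run_scenario() -> dict:
    """Constructed scenario: one depository, two neighboring APs, one station."""
    dep = KeyDepository()
    ap1, ap2 = AccessPoint(b"AP1", dep), AccessPoint(b"AP2", dep)
    ap1.neighbors.append(ap2)
    sta = MobileStation(b"STA")
    authentication_server_issue(dep, sta)
    sta.learn_neighbors(ap1)
    fast_path = sta.handover(ap2) and sta.installed_ptk == ap2.installed_ptk
    # Stale ANonce: AP2 rotated its nonce after the list was handed out, so
    # both sides "succeed" yet install different keys.
    ap2.rotate_anonce()
    sta.handover(ap2)
    stale_anonce = sta.installed_ptk == ap2.installed_ptk
    # Unknown PMKID: a station the depository never saw is refused the fast path.
    stranger = MobileStation(b"STA2")
    stranger.pmk, stranger.pmkid = derive_pmk(os.urandom(32), b"STA2")
    stranger.learn_neighbors(ap1)
    unknown_pmkid = stranger.handover(ap2)
    return {"fast_path": fast_path, "stale_anonce": stale_anonce, "unknown_pmkid": unknown_pmkid}
```

The stale-nonce case is the caveat to keep in mind: the reassociation response in the claims only indicates that the second access point possesses the PMK, not that both sides derived the same PTK, so a deployment needs an explicit key-confirmation step (a MIC over the reassociation exchange, as the IEEE 802.11r fast transition protocol carries) or a bounded ANonce lifetime before the station treats the link as usable.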
Specification