Derivation method for cached keys in wireless communication system
Abstract
A method and apparatus for providing improved security and improved roaming transition times in wireless networks. In the present invention, the same pairwise master key (PMK) from an authentication server can be used across multiple access points and a new pairwise transition key (PTK) is derived for each association of a station to any of the access points. A plurality of access points are organized in functional hierarchical levels and are operable to advertise an indicator of the PMK cache depth supported by a group of access points (N) and an ordered list of the identifiers for the derivation path. Access points in each level in the cache hierarchy compute the derived pairwise master keys (DPMKs) for devices in the next lower level in the hierarchy and then deliver the DPMKs to those devices. An access point calculates the PTK as part of the security exchange process when the station wishes to associate to the access point. The station also computes the PTK as part of the security exchange process. The station calculates all the DPMKs in the hierarchy as part of computing the PTK. The method and apparatus of the present invention allow the cache depth to vary per station, but it remains constant for a given station within a key circle.
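The following is an added illustration of the hierarchy described in the abstract, not code from the patent: the controller derives the DPMK chain top-down along the advertised derivation path, a leaf access point holds only the DPMK delivered to it, and the station recomputes the whole chain from the PMK before deriving the PTK. The KDF (HMAC-SHA256), the level identifiers, nonce handling and all sample values are assumptions; the patent text specifies none of them.

```python
import hmac
import hashlib

def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    # Assumed KDF: HMAC-SHA256 over label || 0x00 || context. The patent names no KDF.
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()

def derive_dpmk_chain(pmk: bytes, path: list[bytes]) -> list[bytes]:
    # Each hierarchy level derives the DPMK for the next lower level from its own key,
    # keyed by that level's identifier from the advertised ordered list.
    keys = [pmk]
    for ident in path:
        keys.append(kdf(keys[-1], b"DPMK", ident))
    return keys  # keys[0] is the PMK; keys[i] is the DPMK held at level i

def derive_ptk(level_key: bytes, ap_id: bytes, sta_id: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # The PTK is bound to both parties and to fresh nonces from the security exchange.
    return kdf(level_key, b"PTK", ap_id + sta_id + anonce + snonce)

def ap_ptk(dpmk: bytes, ap_id: bytes, sta_id: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # An access point only holds the DPMK delivered to it; it never sees the PMK.
    return derive_ptk(dpmk, ap_id, sta_id, anonce, snonce)

def station_ptk(pmk: bytes, cache_depth: int, path: list[bytes],
                ap_id: bytes, sta_id: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # The station recomputes every DPMK in the hierarchy from the PMK it shares with the
    # authentication server, using the advertised cache depth N and derivation path.
    if len(path) != cache_depth:
        raise ValueError("advertised derivation path does not match cache depth N")
    chain = derive_dpmk_chain(pmk, path)
    return derive_ptk(chain[-1], ap_id, sta_id, anonce, snonce)

def demo() -> tuple[bool, bool]:
    # Constructed sample values: a three-level key circle (controller -> AP group -> AP).
    pmk = hashlib.sha256(b"constructed PMK from authentication server").digest()
    path = [b"controller-1", b"group-A", b"ap-07"]
    chain = derive_dpmk_chain(pmk, path)  # computed top-down by the controller
    anonce, snonce = b"A" * 32, b"S" * 32
    ptk_ap = ap_ptk(chain[3], b"ap-07", b"sta-42", anonce, snonce)
    ptk_sta = station_ptk(pmk, 3, path, b"ap-07", b"sta-42", anonce, snonce)
    # Roaming to a sibling AP in the same group: same PMK, different leaf DPMK and PTK.
    ptk_roam = station_ptk(pmk, 3, path[:2] + [b"ap-08"], b"ap-08", b"sta-42", anonce, snonce)
    return ptk_ap == ptk_sta, ptk_ap != ptk_roam

if __name__ == "__main__":
    print(demo())
```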
24 Claims
1. A system for communicating information over a wireless network, comprising:
an authentication server operable to generate a first authentication key;
a controller operable to receive and store the first authentication key and to generate derived authentication keys therefrom;
a plurality of access points operable to advertise:
    the cache depth (N) supported by a group of access points within said plurality of access points;
    an ordered list of the identifiers for a derivation path for derived authentication keys;
wherein selected access points are operable to generate transient authentication keys; and
a station operable to associate with selected access points in said plurality of access points and to mutually derive said transient keys therefrom to establish an authenticated connection within said wireless network.
Dependent claims: 2, 3, 4

5. A method for communicating information over a wireless network, comprising:
initiating an association between a station and a first access point, thereby causing an authentication server to generate a first authentication key;
storing the first authentication key in a controller and generating derived authentication keys therefrom;
receiving said derived authentication keys in selected access points in a plurality of access points wherein said plurality of access points are operable to advertise:
    the cache depth (N) supported by a group of access points within said plurality of access points;
    an ordered list of the identifiers for a derivation path for derived authentication keys;
wherein selected access points are operable to generate transient authentication keys for use by a station; and
associating a station with selected access points in said plurality of access points and receiving transient keys therefrom to establish an authenticated connection within said wireless network.
Dependent claims: 6, 7, 8

9. A system for communicating information over a wireless network, comprising:
an authentication server operable to generate a first authentication key;
a plurality of access points operable to advertise:
    the cache depth (N) supported by a group of access points within said plurality of access points; and
    an ordered list of the identifiers for a derivation path for derived authentication keys;
wherein:
    said access points are organized in hierarchal level(s);
    selected access points in at least one of said hierarchal level(s) are operable to generate derived authentication keys; and
    selected access points in said hierarchal level(s) are operable to generate transient authentication keys; and
a station operable to associate with selected access points in said plurality of access points and to mutually derive said transient keys therefrom to establish an authenticated connection within said wireless network.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17

18. A system for communicating information over a wireless network having a plurality of hierarchal functional levels, comprising:
an authentication server operable to generate a first authentication key;
a controller in a first hierarchal level, said controller being operable to receive and store the first authentication key and to generate derived authentication keys therefrom;
a plurality of access points operable to advertise:
    the cache depth (N) supported by a group of access points within said plurality of access points; and
    an ordered list of the identifiers for a derivation path for derived authentication keys;
wherein:
    said access points are organized in hierarchal level(s);
    selected access points in at least one of said hierarchal level(s) are operable to generate derived authentication keys; and
    selected access points in said hierarchal level(s) are operable to generate transient authentication keys;
a station operable to associate with selected access points in said plurality of access points and to mutually derive said transient keys therefrom to establish an authenticated connection within said wireless network.
Dependent claims: 19, 20, 21, 22, 23, 24

Specification