Administration of wireless local area networks

US 20060251256A1
Filed: 06/29/2005
Published: 11/09/2006
Est. Priority Date: 04/04/2005
Status: Active Grant

First Claim

Patent Images

1. A method for managing access to a wireless network by a terminal device, comprising steps of:

a) the terminal device receiving a first key from a trusted device of the wireless network via a first communication channel;

b) executing a key agreement protocol between the terminal device and the wireless network via a second communication channel to determine a second key corresponding to the terminal device authenticated using the first key;

c) authenticating the terminal device by the wireless network using the second key; and

d) authorizing the terminal to access the wireless network using the second communication channel upon successful completion of step c).

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for managing access to a wireless local area network are provided. A wireless access point (AP) may use a unified approach that utilizes an out-of-band channel to communicate authentication key and network address information to a guest device, and utilizes an in-band channel to establish communications with the guest device, and also provides support for in-band setup on all devices. The ability to use out-of-band where possible provides for an increase to security and usability, and the possibility of delegating access from one device to another. The unified approach thereby also provides easy management of guest access to the WLAN.

260 Citations

68 Claims

1. A method for managing access to a wireless network by a terminal device, comprising steps of:
- a) the terminal device receiving a first key from a trusted device of the wireless network via a first communication channel;
  
  b) executing a key agreement protocol between the terminal device and the wireless network via a second communication channel to determine a second key corresponding to the terminal device authenticated using the first key;
  
  c) authenticating the terminal device by the wireless network using the second key; and
  
  d) authorizing the terminal to access the wireless network using the second communication channel upon successful completion of step c).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1, wherein step a) comprises generating the first key based on a function of a third key and at least one other variable.
  - 3. The method of claim 2, wherein the at least one other variable comprises one of a timestamp, a sequence number, a device name, a device type, a device category, a device address, and a device entry lifetime.
  - 4. The method of claim 2, wherein the first key comprises an authentication key (AK), the second key comprises a pre-shared key (PSK), and the third key comprises an original authentication key (OAK).
  - 5. The method of claim 2, wherein step b) comprises transferring the at least one other variable as part of the key agreement protocol.
  - 6. The method of claim 2, further comprising determining the third key via a key agreement protocol between the trusted device and the wireless network.
  - 7. The method of claim 6, further comprising the trusted device determining the third key and transmitting the third key to the wireless network.
  - 8. The method of claim 6, further comprising the wireless network determining the third key and transmitting the third key to the trusted device.
  - 9. The method of claim 6, further comprising a third party determining the third key and transmitting the third key for communication to the wireless network and trusted device.
  - 10. The method of claim 1, further comprising:
    - e) storing an entry corresponding to the terminal device in an access database of the wireless network.
  - 11. The method of claim 10, wherein the entry comprises information received from the terminal device.
  - 12. The method of claim 10, wherein step c) comprises querying the access database for the entry corresponding to the terminal device to determine authentication and access rights of the terminal device.
  - 13. The method of claim 10, further comprising:
    - f) revoking the terminal device'"'"'s access to the wireless network based on information stored in the entry in the access database.
  - 14. The method of claim 1, wherein the first communication channel comprises a near field communication (NFC) channel.
  - 15. The method of claim 1, wherein the first communication channel comprises a telecommunications messaging service.
  - 16. The method of claim 1, wherein the second communication channel comprises a wireless local area network (WLAN).
  - 17. The method of claim 1, wherein the wireless network comprises a wireless local area network (WLAN).
  - 18. The method of claim 1, further comprising providing an access controller through which the terminal device accesses the wireless network in step d).
  - 19. The method of claim 10, further comprising providing an access controller through which the terminal device accesses the wireless network in step d), and storing the access database in the access controller.
  - 20. The method of claim 1, wherein in step a) the trusted device comprises a wireless communications device.
  - 21. The method of claim 18, wherein the trusted device comprises the access controller.
  - 22. The method of claim 13, wherein step f) comprises revoking the terminal device'"'"'s access to the wireless network without revoking a second terminal device'"'"'s access to the wireless network.
  - 23. The method of claim 13, wherein step f) comprises revoking all access database entries matching one or more specified criteria.
  - 24. The method of claim 23, wherein the one or more specified criteria comprises a predefined device group type.
  - 25. The method of claim 24, wherein the predefined device group type identifies a device group corresponding to guest devices to the wireless network.
  - 26. The method of claim 23, wherein the one or more specified criteria comprises a device name.

27. A system, comprising:
- a first device trusted by a wireless network, said first device storing executable instructions to transmit a first key to a second device via a first communication channel;
  
  the second device untrusted by the wireless network, said second device storing executable instructions to execute via a second communication channel a key agreement protocol with an access controller of the wireless network to determine a second key corresponding to the second device, wherein the key agreement protocol authenticates the second key using the first key;
  
  the access controller storing executable instructions to authenticate the second device using the second key, and to authorize the second device to access the wireless network upon successful authentication.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 28. The system of claim 27, wherein the first key is generated as a function of a third key and at least one other variable.
  - 29. The system of claim 28, wherein the at least one other variable comprises one of a timestamp, a sequence number, a device name, a device type, a device category, a device address, and a device entry lifetime.
  - 30. The system of claim 28, wherein the first key comprises an authentication key (AK), the second key comprises a pre-shared key (PSK), and the third key comprises an original authentication key (OAK).
  - 31. The system of claim 28, wherein the at least one other variable is transferred as part of the key agreement protocol.
  - 32. The system of claim 28, wherein the first device and the access controller determine the third key via a key agreement protocol.
  - 33. The system of claim 32, wherein the first device determines the third key and transmits the third key to the access controller.
  - 34. The system of claim 32, wherein the access controller determines the third key and transmits the third key to the first device.
  - 35. The system of claim 27, wherein the access controller further stores executable instructions to store an entry corresponding to the second device in an access database of the wireless network.
  - 36. The system of claim 35, wherein the entry comprises information received from the second device.
  - 37. The system of claim 35, wherein the access controller stores executable instructions to query the access database for the entry corresponding to the second device to determine authentication and access rights of the second device.
  - 38. The system of claim 35, wherein the access controller stores executable instructions to revoke the second device'"'"'s access to the wireless network based on information stored in the entry in the access database.
  - 39. The system of claim 27, wherein the first communication channel comprises a near field communication (NFC) channel.
  - 40. The system of claim 27, wherein the first communication channel comprises a telecommunications messaging service.
  - 41. The system of claim 27, wherein the second communication channel comprises a wireless local area network (WLAN).
  - 42. The system of claim 27, wherein the wireless network comprises a wireless local area network (WLAN).
  - 43. The system of claim 27, wherein the first device comprises a wireless communications device.
  - 44. The system of claim 27, wherein the first device comprises the access controller.
  - 45. The system of claim 38, wherein the access controller revokes the second device'"'"'s access to the wireless network without revoking a third terminal device'"'"'s access to the wireless network.
  - 46. The system of claim 38, wherein the access controller revokes all access database entries matching one or more specified criteria.
  - 47. The system of claim 46, wherein the one or more specified criteria comprises a predefined device group type.
  - 48. The system of claim 47, wherein the predefined device group type identifies a device group corresponding to guest devices to the wireless network.
  - 49. The system of claim 46, wherein the one or more specified criteria comprises a device name.

50. A method for managing access to a wireless network by a terminal device, wherein the wireless network includes an in-band communication channel, comprising steps of:
- a) executing a key agreement protocol between the terminal device and the wireless network via the in-band communication channel to determine a first key corresponding to the terminal device and authenticated by comparing at least one part of a checksum corresponding to the first key;
  
  b) authenticating the terminal device by the wireless network using the first key; and
  
  c) authorizing the terminal to access the wireless network upon successful completion of step b).
- View Dependent Claims (51, 52, 53, 54, 55, 56)
- - 51. The method of claim 50, wherein step a) comprises displaying successive parts of the checksum contemporaneously in the terminal device and in the wireless network.
  - 52. The method of claim 50, further comprising revoking the terminal device'"'"'s access to the wireless network based on information corresponding to the terminal stored in an access database.
  - 53. The method of claim 52, wherein the revoking step comprises removing the access rights of a terminal whose entry is the most recent in the access controller database according to a single user action.
  - 54. The method of claim 53, wherein the revoking step is initiated by receiving user input at the access controller of the wireless network.
  - 55. The method of claim 54, wherein the user input comprises detecting that a user has pressed a predefined button in a predefined manner on an access controller.
  - 56. One or more computer readable media storing computer executable instructions for performing the method of claim 50.

57. A method for managing access to a wireless network by a terminal device, comprising steps of:
- a) the terminal device receiving a first key from a trusted device of the wireless network via a first communication channel;
  
  b) sending a request for a key agreement protocol to the wireless network;
  
  c) executing the key agreement protocol to determine a second key corresponding to the wireless network authenticated using the first key;
  
  e) transmitting a request for joining the wireless network wherein the request comprises authentication information based on the second key; and
  
  f) receiving confirmation for the joining request.
- View Dependent Claims (58)
- - 58. One or more computer readable media storing computer executable instructions for performing the method of claim 57.

59. A mobile terminal, comprising:
- a memory storing computer executable instructions for performing a method of accessing a wireless network, said method comprising steps of;
  
  a) the terminal device receiving a first key from a trusted device of the wireless network via a first communication channel;
  
  d) sending a request for a key agreement protocol to the wireless network;
  
  e) executing the key agreement protocol to determine a second key corresponding to the wireless network authenticated using the first key;
  
  g) transmitting a request for joining the wireless network wherein the request comprises authentication information based on the second key; and
  
  h) receiving confirmation for the joining request.

60. A method for managing access to a wireless network by an access controller, comprising steps of:
- a) transmitting a first authentication key to a terminal device via a first communication channel;
  
  b) receiving a request for a key agreement protocol from the terminal device;
  
  c) executing the key agreement protocol to determine a second key corresponding to the terminal device and authenticated using the first key;
  
  d) receiving a request from the terminal device to join the wireless network;
  
  e) authenticating the request using the second key; and
  
  f) authorizing the terminal to access the wireless network using a second communication channel upon successful completion of step e).
- View Dependent Claims (61)
- - 61. One or more computer readable media storing computer executable instructions for performing the method of claim 60.

62. An access control device, comprising:
- a memory storing computer executable instructions for performing a method of managing access to a wireless network by the access controller, said method comprising steps of;
  
  a) transmitting a first authentication key to a terminal device via a first communication channel;
  
  b) receiving a request for a key agreement protocol from the terminal device;
  
  c) executing the key agreement protocol to determine a second key corresponding to the terminal device and authenticated using the first key;
  
  d) receiving a request from the terminal device to join the wireless network;
  
  e) authenticating the request using the second key; and
  
  f) authorizing the terminal to access the wireless network using a second communication channel upon successful completion of step e).

63. A method for a trusted device to manage access to a wireless network by an untrusted terminal device, comprising steps of:
- a) sharing a first key with a wireless network having an access controller;
  
  b) choosing a value for at least one variable;
  
  c) generating a second key based on a function of the first key and at least one variable; and
  
  d) transmitting the second key to the untrusted terminal device via a first communication channel.
- View Dependent Claims (64)
- - 64. One or more computer readable media storing computer executable instructions for performing the method of claim 63.

65. A mobile terminal, comprising:
- a memory storing computer executable instructions for performing a method to manage access to a wireless network by an untrusted terminal device, said method comprising steps of;
  
  a) sharing a first key with a wireless network having an access controller;
  
  b) choosing a value for at least one variable;
  
  c) generating a second key based on a function of the first key and at least one variable; and
  
  d) transmitting the second key to the untrusted terminal device via a first communication channel.

66. A method for managing access to a wireless network by an access controller, comprising steps of:
- a) sharing a first key with a trusted device;
  
  b) receiving a request for a key agreement protocol from an untrusted terminal device;
  
  c) executing the key agreement protocol to determine a second key corresponding to the terminal device, said key agreement protocol comprising i. receiving one or more variables from the terminal device, ii. generating the second key based on a function of the first key and at the one or more variables, and iii. authenticating the determined second key using the first key;
  
  d) receiving a request from the terminal device to join the wireless network;
  
  e) authenticating the request of step d) using the second key;
  
  f) authorizing the terminal device to access the wireless network upon successful completion of step e).
- View Dependent Claims (67)
- - 67. One or more computer readable media storing computer executable instructions for performing the method of claim 66.

68. An access control device, comprising:
- a memory storing computer executable instructions for performing a method of managing access to a wireless network, said method comprising steps of;
  
  a) sharing a first key with a trusted device;
  
  b) receiving a request for a key agreement protocol from an untrusted terminal device;
  
  c) executing the key agreement protocol to determine a second key corresponding to the terminal device, said key agreement protocol comprising i. receiving one or more variables from the terminal device, ii. generating the second key based on a function of the first key and at the one or more variables, and iii. authenticating the determined second key using the first key;
  
  d) receiving a request from the terminal device to join the wireless network;
  
  e) authenticating the request of step d) using the second key;
  
  f) authorizing the terminal device to access the wireless network upon successful completion of step e).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Kostiainen, Kari Ti, Asokan, Nadarajah, Ginzboorg, Philip, Ekberg, Jan-Erik, Sovio, Sampo, Moloney, Seamus, Takala, Jari

Granted Patent

US 8,532,304 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/270
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/065   for group communications cr...

H04L 63/18   using different networks or...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/3215   using a plurality of channe...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/50   Secure pairing of devices

H04W 48/20   Selecting an access point

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/08   Access point devices

Administration of wireless local area networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

260 Citations

68 Claims

Specification

Solutions

Use Cases

Quick Links

Administration of wireless local area networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

260 Citations

68 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links