SECURING MULTIPLE LINKS AND PATHS IN A WIRELESS MESH NETWORK INCLUDING RAPID ROAMING
Abstract
A method and logic encoded in tangible media and apparatus for securing links between a mesh point and one or more identities of one or more parent mesh points of a wireless mesh network in order to secure the links. A first association is carried out to one of the identities of one of the parent mesh points. The first mesh point undergoes a mutual authentication with an authenticator and announces the possibility of multiple links and/or multiple paths. The authentication generates a first master key from which the root master key of the key hierarchy is derived so that other master keys for different identities are derivable using a hierarchy. The mesh point undergoes a 4-way handshake to derive a first transient key. Other transient keys are obtained by a fast roaming method without having to re-undergo a backend authentication, the other transient keys being for other links and/or paths and derived using the hierarchy.
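As an added illustration (not code from the patent or its assignee), the following Python toy models the key hierarchy the abstract describes: one backend authentication yields a root pairwise master key, a master key is derived for each (child identity, parent identity) link, and a second link is then secured by a 4-way handshake with no new backend authentication. The KDF construction and its labels, the handshake message layout, and all addresses, nonces and the master session key are assumptions or constructed values.

```python
"""Toy model of the multiple-identities key hierarchy from the abstract above.
Added illustration, not the patent's own derivation: the KDF, labels and
message layout are assumptions; the page only says a backend authentication
yields a root PMK from which per-identity master keys and per-link transient
keys (via a 4-way handshake) are derived."""
import hashlib
import hmac

def kdf(key, label, context, length=32):
    """HMAC-SHA256 counter-mode KDF (assumed construction)."""
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(key, bytes([counter]) + label + context, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def link_pmk(root_pmk, child_identity, parent_identity):
    """Derived master key for one (child identity, parent identity) link."""
    return kdf(root_pmk, b"MI-LINK-PMK", child_identity + b"|" + parent_identity)

def ptk(pmk, aa, spa, anonce, snonce):
    """Pairwise transient key, patterned after the IEEE 802.11i PTK derivation:
    addresses and nonces are sorted so both sides build the same context.
    Layout: KCK (16) | KEK (16) | TK (16)."""
    ctx = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return kdf(pmk, b"MI-PTK", ctx, 48)

def mic(kck, body):
    return hmac.new(kck, body, hashlib.sha256).digest()[:16]

class HandshakeError(Exception):
    pass

def four_way_handshake(pmk_s, pmk_a, spa, aa, snonce, anonce):
    """4-way handshake between the supplicant (child, pmk_s) and the
    authenticator side (parent, pmk_a). Returns the agreed temporal key, or
    raises when the sides hold different PMKs (a MIC mismatch at message 2)."""
    # Message 1: parent -> child carries anonce; nothing is keyed yet.
    ptk_s = ptk(pmk_s, aa, spa, anonce, snonce)
    # Message 2: child -> parent carries snonce plus a MIC under the child's KCK.
    msg2 = b"M2" + snonce
    ptk_a = ptk(pmk_a, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic(ptk_s[:16], msg2), mic(ptk_a[:16], msg2)):
        raise HandshakeError("message 2 MIC mismatch: PMK disagreement")
    # Messages 3 and 4 carry MICs under the same KCK and install the key on
    # both sides; once message 2 verifies, both sides hold an identical PTK.
    return ptk_s[32:]

class Authenticator:
    """Backend authenticator of the mesh domain; hands link PMKs to parents."""

    def __init__(self):
        self.full_auths = 0
        self.authorized = {}  # child address -> (root PMK, authorized identities)

    def authenticate(self, child_addr, identities, msk):
        # The EAP exchange itself is out of scope; msk stands in for its output.
        self.full_auths += 1
        root = kdf(msk, b"MI-ROOT-PMK", child_addr)
        self.authorized[child_addr] = (root, frozenset(identities))
        return root

    def pmk_for_parent(self, child_addr, child_identity, parent_identity):
        root, ids = self.authorized[child_addr]
        if child_identity not in ids:  # identity was not listed at authentication
            raise PermissionError("identity not authorized in the hierarchy")
        return link_pmk(root, child_identity, parent_identity)

def roam_demo():
    """Child with identities C1 and C2 authenticates once via parent P1, then
    secures a second link (C2 to P2) from the hierarchy with no new backend
    authentication. Addresses, nonces and the MSK below are constructed."""
    auth = Authenticator()
    child_addr, msk = b"\x02\x00\x00\x00\x00\x01", bytes(range(32))
    root = auth.authenticate(child_addr, [b"C1", b"C2"], msk)
    keys = {}
    for cid, pid, paddr, sn, an in (
        (b"C1", b"P1", b"\x02\x00\x00\x00\x00\x10", b"s" * 32, b"a" * 32),
        (b"C2", b"P2", b"\x02\x00\x00\x00\x00\x20", b"t" * 32, b"b" * 32),
    ):
        pmk_child = link_pmk(root, cid, pid)  # child derives from its own root PMK
        pmk_parent = auth.pmk_for_parent(child_addr, cid, pid)  # parent obtains its copy
        keys[(cid, pid)] = four_way_handshake(pmk_child, pmk_parent, child_addr, paddr, sn, an)
    return auth.full_auths, keys
```

The demo returns a count of full authentications (one) alongside the two per-link temporal keys; an identity not listed at authentication time is refused a key from the hierarchy.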
45 Claims
1. A method in a mesh point, the method comprising:
the mesh point associating with a first parent mesh point of a wireless mesh network as a child mesh point to the first parent mesh point, the first parent mesh point being coupled to an authenticator and a member of a mesh domain of the mesh network;
the child mesh point undergoing an authentication with the authenticator via the first parent mesh point of the mesh domain, the authentication resulting in a root pairwise master key of a multiple-identities-key hierarchy; and
undergoing a 4-way handshake initiated by the child mesh point using the multiple-identities-key hierarchy to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network.

5. A method in a mesh point comprising:
the mesh point associating with a first parent mesh point of a wireless mesh network as a child mesh point, the first parent mesh point being coupled to an authenticator in a mesh domain of the network;
the first child mesh point undergoing an authentication to the mesh domain using the authenticator via the first parent mesh point of the mesh network, the authentication resulting in a first pairwise master key that is a root of a multiple-identities-key hierarchy, the hierarchy being usable to define how to determine derived master keys based on the first pairwise master key that is the result of the authentication; and
undergoing a 4-way handshake to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network, such that a new link between the child mesh point and a new different parent mesh point is securable by a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point needing to re-undergo a full authentication.

16. A method in a child mesh point, the child mesh point having a plurality of identities, the method comprising:
receiving a neighbor advertisement from a first parent mesh point of a wireless mesh network, the first parent mesh point part of a mesh domain and coupled to an authenticator of the mesh domain;
sending an association request to the first parent mesh point, the association request including a multiple identities information element listing the multiple identities of the child mesh point;
undergoing an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between any of the multiple identities and the parent mesh point;
using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization; and
undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key for a selected identity of the child mesh point to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

23. A method in a child mesh point comprising:
receiving one or more advertisements from one or more parent mesh points of a wireless mesh network, each parent mesh point being in a mesh domain, an advertisement from a parent mesh point that has a plurality of identities including a multiple identities information element listing the multiple identities of the parent mesh point, the one or more advertisements including a multipath indication to indicate that the respective parent mesh point allows association from a child mesh point on a path of a plurality of paths;
sending an association request to a first parent mesh point, the first parent mesh point being one whose advertisement was received and whose advertisement includes a multipath indication, the first parent mesh point being coupled to an authenticator of the mesh domain, the association request including a multiple identities information element listing the multiple identities of the plurality of parents of the multiple paths that the child mesh point desires to have;
undergoing an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple paths between the child mesh point and the parent mesh point identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between the child mesh point and any of the parent mesh point identities;
using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new path between the child mesh point and a different parent mesh point identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

30. A method in a child mesh point comprising:
(a) the child mesh point associating with a first parent mesh point of a wireless mesh network, the first parent mesh point being coupled to an authenticator of a mesh domain, wherein one or both of the child mesh point or the first parent mesh point has multiple identities, wherein the first parent mesh point is one of a set of one or more parent mesh points to which the first mesh point requests to form one or more paths, wherein one or more of the following is true:
the first parent mesh point has one or multiple identities, the first parent mesh point allows association from a child on a path of a plurality of paths, and the child mesh point desires to authenticate multiple paths including a path to the first parent mesh point, the child mesh point has multiple identities, and the child mesh point desires to authenticate multiple links via its multiple identities, including associating one of its links with the first parent mesh point or with an identity of the first parent mesh point in the case the parent mesh point has multiple identities, wherein, in the case that the first parent mesh point has multiple identities, the associating including the child mesh point responding to receiving a neighbor advertisement from the first parent mesh point that included a multiple identities information element listing the multiple identities of the first parent mesh point, wherein, in the case that the first parent mesh point allows association from a child on a path of a plurality of paths and the child mesh point desires to associate with the first parent mesh point or with an identity of the first parent mesh point to form one of multiple paths to a respective plurality of parent mesh points or mesh point identities, the associating including the child mesh point responding to receiving a neighbor advertisement from the first parent mesh point that included an indication that the first parent mesh point accepts multiple path associations, and the associating including an association request to the first parent mesh point that includes a multiple identities information element listing the multiple identities of the plurality of parent mesh points or parent identities of the multiple paths;
wherein in the case the child mesh point has multiple identities, the associating including an association request to the first parent mesh point that includes a multiple identities information element listing the multiple identities of the child mesh point, and (b) the child mesh point undergoing an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element or elements and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links that include any of the multiple identities;
(c) using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
(d) undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the child mesh point or an identity thereof in the case of a multiple identity child mesh point and the first parent mesh point in the mesh network, such that a new link between the child mesh point or a different identity of the child mesh point in the case of a multiple identities child mesh point, and the first parent mesh point, or a different parent mesh point or parent mesh point identity in the case of multiple paths to multiple parent mesh points or identities is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

32. Logic encoded in one or more tangible media for execution by one or more processors of a processing system in a mesh point and when executed causing the mesh point to carry out a method comprising:
the mesh point associating with a first parent mesh point of a wireless mesh network as a child mesh point, the first parent mesh point being coupled to an authenticator in a mesh domain of the network;
the first child mesh point undergoing an authentication to the mesh domain using the authenticator via the first parent mesh point of the mesh network, the authentication resulting in a first pairwise master key that is a root of a multiple-identities-key hierarchy, the hierarchy being usable to define how to determine derived master keys based on the first pairwise master key that is the result of the authentication; and
undergoing a 4-way handshake to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network, such that a new link between the child mesh point and a new different parent mesh point is securable by a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point needing to re-undergo a full authentication.

37. Logic encoded in one or more tangible media for execution by one or more processors of a processing system in a child mesh point, the child mesh point having a plurality of identities, the logic when executed causing the mesh point to carry out a method comprising:
receiving a neighbor advertisement from a first parent mesh point of a wireless mesh network, the first parent mesh point part of a mesh domain and coupled to an authenticator of the mesh domain;
sending an association request to the first parent mesh point, the association request including a multiple identities information element listing the multiple identities of the child mesh point;
undergoing an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between any of the multiple identities and the parent mesh point;
using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization; and
undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key for a selected identity of the child mesh point to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

38. Logic encoded in one or more tangible media for execution by one or more processors of a processing system in a mesh point and when executed causing the mesh point to carry out a method comprising:
receiving one or more advertisements from one or more parent mesh points of a wireless mesh network, each parent mesh point being in a mesh domain, an advertisement from a parent mesh point that has a plurality of identities including a multiple identities information element listing the multiple identities of the parent mesh point, the one or more advertisements including a multipath indication to indicate that the respective parent mesh point allows association from a child mesh point on a path of a plurality of paths;
sending an association request to a first parent mesh point, the first parent mesh point being one whose advertisement was received and whose advertisement includes a multipath indication, the first parent mesh point being coupled to an authenticator of the mesh domain, the association request including a multiple identities information element listing the multiple identities of the plurality of parents of the multiple paths that the child mesh point desires to have;
undergoing an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple paths between the child mesh point and the parent mesh point identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between the child mesh point and any of the parent mesh point identities;
using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new path between the child mesh point and a different parent mesh point identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

39. Logic encoded in one or more tangible media for execution by one or more processors of a processing system in a child mesh point and when executed causing the mesh point to carry out a method comprising:
(a) the child mesh point associating with a first parent mesh point of a wireless mesh network, the first parent mesh point being coupled to an authenticator of a mesh domain, wherein one or both of the child mesh point or the first parent mesh point has multiple identities, wherein the first parent mesh point is one of a set of one or more parent mesh points to which the first mesh point requests to form one or more paths, wherein one or more of the following is true:
the first parent mesh point has one or multiple identities, the first parent mesh point allows association from a child on a path of a plurality of paths, and the child mesh point desires to authenticate multiple paths including a path to the first parent mesh point, the child mesh point has multiple identities, and the child mesh point desires to authenticate multiple links via its multiple identities, including associating one of its links with the first parent mesh point or with an identity of the first parent mesh point in the case the parent mesh point has multiple identities, wherein, in the case that the first parent mesh point has multiple identities, the associating including the child mesh point responding to receiving a neighbor advertisement from the first parent mesh point that included a multiple identities information element listing the multiple identities of the first parent mesh point, wherein, in the case that the first parent mesh point allows association from a child on a path of a plurality of paths and the child mesh point desires to associate with the first parent mesh point or with an identity of the first parent mesh point to form one of multiple paths to a respective plurality of parent mesh points or mesh point identities, the associating including the child mesh point responding to receiving a neighbor advertisement from the first parent mesh point that included an indication that the first parent mesh point accepts multiple path associations, and the associating including an association request to the first parent mesh point that includes a multiple identities information element listing the multiple identities of the plurality of parent mesh points or parent identities of the multiple paths;
wherein in the case the child mesh point has multiple identities, the associating including an association request to the first parent mesh point that includes a multiple identities information element listing the multiple identities of the child mesh point, and (b) the child mesh point undergoing an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element or elements and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links that include any of the multiple identities;
(c) using the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
(d) undergoing a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the child mesh point or an identity thereof in the case of a multiple identity child mesh point and the first parent mesh point in the mesh network, such that a new link between the child mesh point or a different identity of the child mesh point in the case of a multiple identities child mesh point, and the first parent mesh point, or a different parent mesh point or parent mesh point identity in the case of multiple paths to multiple parent mesh points or identities is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

40. An apparatus in a mesh point comprising:
logic configured to cause the mesh point to:
associate with a first parent mesh point of a wireless mesh network as a child mesh point, the first parent mesh point being coupled to an authenticator in a mesh domain of the network;
undergo an authentication to the mesh domain using the authenticator via the first parent mesh point of the mesh network, the authentication resulting in a first pairwise master key that is a root of a multiple-identities-key hierarchy, the hierarchy being usable to define how to determine derived master keys based on the first pairwise master key that is the result of the authentication; and
undergo a 4-way handshake to determine a transient key for the child mesh point to securely communicate with the first parent mesh point in the mesh network, such that a new link between the child mesh point and a new different parent mesh point is securable by a new pairwise transient key determined according to the multiple-identities-key hierarchy without the child mesh point needing to re-undergo a full authentication.

44. An apparatus in a child mesh point having a plurality of identities, the apparatus comprising:
logic configured to cause the mesh point to:
receive a neighbor advertisement from a first parent mesh point of a wireless mesh network, the first parent mesh point part of a mesh domain and coupled to an authenticator of the mesh domain;
send an association request to the first parent mesh point, the association request including a multiple identities information element listing the multiple identities of the child mesh point;
undergo an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between any of the multiple identities and the parent mesh point;
use the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization; and
undergo a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key for a selected identity of the child mesh point to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new link between a different identity of the child mesh point and the first parent mesh point is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

45. An apparatus in a mesh point comprising:
logic configured to cause the mesh point to:
receive one or more advertisements from one or more parent mesh points of a wireless mesh network, each parent mesh point being in a mesh domain, an advertisement from a parent mesh point that has a plurality of identities including a multiple identities information element listing the multiple identities of the parent mesh point, the one or more advertisements including a multipath indication to indicate that the respective parent mesh point allows association from a child mesh point on a path of a plurality of paths;
send an association request to a first parent mesh point, the first parent mesh point being one whose advertisement was received and whose advertisement includes a multipath indication, the first parent mesh point being coupled to an authenticator of the mesh domain, the association request including a multiple identities information element listing the multiple identities of the plurality of parents of the multiple paths that the child mesh point desires to have;
undergo an authentication with the authenticator via the first parent mesh point, the authentication resulting in a first pairwise master key usable to generate a multiple-identities-key hierarchy, wherein the authentication including authenticating the multiple paths between the child mesh point and the parent mesh point identities listed in the multiple identities information element and resulting in an authorization to use the multiple-identities-key hierarchy to derive keys for securing links between the child mesh point and any of the parent mesh point identities;
use the multiple-identities-key hierarchy of derived keys to determine one or more derived master keys based on the first pairwise master key that is the result of the authentication and authorization;
undergo a 4-way handshake initiated by the child mesh point as supplicant to determine a transient key to secure communication between the selected identity and the first parent mesh point in the mesh network, such that a new path between the child mesh point and a different parent mesh point identity is securable by a new pairwise transient key determined according to the key hierarchy without the child mesh point needing to re-undergo a full authentication.

Specification