Roaming secure authenticated network access method and apparatus

US 20080022354A1
Filed: 06/27/2006
Published: 01/24/2008
Est. Priority Date: 06/27/2006
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

an input/output interface adapted to be coupled to a networking interface of a host device on which the apparatus is designed to be installed, the host device, in addition to the networking interface, to further include a processor coupled with the networking interface, adapted to execute an operating system and one or more software components;

non-volatile storage having one or more platform management components adapted to present information associated with a prior network access grant of the host system to obtain a subsequent network access grant for the host device, through the input/output interface of the apparatus and the networking interface of the host device, the information associated with the prior network access grant of the host system to be stored on either the non-volatile storage or a storage of the host device; and

a processing core coupled to the input/output interface and the non-volatile storage to operate the one or more platform management components.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure re-authentication of host devices roaming between different connection and/or access points within a network controlled by the same administrative domain is described. Platform overhead associated with exchanging information for authentication and/or validation on each new connection during mobility is reduced by enabling prior authenticated network access to influence subsequent network access.

Citations

28 Claims

1. An apparatus comprising:
- an input/output interface adapted to be coupled to a networking interface of a host device on which the apparatus is designed to be installed, the host device, in addition to the networking interface, to further include a processor coupled with the networking interface, adapted to execute an operating system and one or more software components;
  
  non-volatile storage having one or more platform management components adapted to present information associated with a prior network access grant of the host system to obtain a subsequent network access grant for the host device, through the input/output interface of the apparatus and the networking interface of the host device, the information associated with the prior network access grant of the host system to be stored on either the non-volatile storage or a storage of the host device; and
  
  a processing core coupled to the input/output interface and the non-volatile storage to operate the one or more platform management components.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 19, 20, 21)
- - 2. The apparatus of claim 1, wherein the one or more platform management components are configured to transmit the stored information to a remote device and to receive encrypted payload data sent in response by the remote device, in accordance with an accelerated authentication process.
  - 3. The apparatus of claim 1, wherein the remote device comprises a network access policy decision point (PDP).
  - 4. The apparatus of claim 1, wherein the stored information includes a tamper-resistant authentication token associated with the prior network access grant.
  - 5. The apparatus of claim 4, wherein the tamper-resistant authentication token includes at least one token parameter selected from the group consisting of a token identifier, a token version identifier, a token validity timestamp, a token context identifier, and an integrity check value (ICV).
  - 6. The apparatus of claim 4, wherein the subsequent network access grant to be obtained is associated with a connection type that is different from a connection type associated with the prior network access grant.
  - 7. The apparatus of claim 6, wherein the prior network access grant is associated with a wired connection type and the subsequent network access grant is associated with a wireless connection type, or vice-versa.
  - 8. The apparatus of claim 4, wherein the tamper-resistant authentication token is adapted to indicate host posture information and/or firmware posture information of the host device.
  - 9. The apparatus of claim 8, wherein the one or more platform management components are further adapted to generate a second token to indicate any intervening changes to host posture information and/or firmware posture information of the host device.
  - 10. The apparatus of claim 9, wherein the tamper-resistant authentication token and the second token are the same token.
  - 11. The apparatus of claim 8, wherein the host posture information of the host device includes at least one identification parameter selected from the group consisting of a platform identification of the host device, a platform revision identification of the host device, a Basic Input/Output System (BIOS) revision identification of the host device, an Extensible Firmware Interface (EFI) revision identification of the host device, a host operating system revision identification of the host device, software application version identification of the host device, software application integrity identification of the host device, and a Trusted Platform Module capability identification of the host device.
  - 12. The apparatus of claim 8, wherein the firmware posture information of the host device includes one or more parameters selected from the group consisting of an operational mode of the host device, a transport layer security (TLS) state of the host device, a Crypto enabled fuse state of the host device, a provisioning state of the host device, a network interface state of the host device, an IDER state of the host device, a Serial over LAN (SoL) state of the host device, a firmware (FW) update state of the host device, a posture version state of the host device, a module version state of the host device, and a link state of the host device.
  - 13. The apparatus of claim 1, wherein the one or more platform management components are configured to receive policy information as part of an authenticated and encrypted payload sent in response to the transmitted stored information.
  - 14. The apparatus of claim 13, wherein the policy information includes a pair-wise master key (PMK).
  - 15. The apparatus of claim 14, wherein the PMK of the policy information is derived from one or more existing key constraints related to one or more parameters selected from the group consisting of a freshness time indicator, a nonce value, a firmware version of the host device, and a firmware operational status of the host device.
  - 16. The apparatus of claim 13, wherein the one or more platform management components are adapted to facilitate and control network access of the host device based at least in part on the transmitted stored information and on the received policy information.
  - 18. The system of claim 14, wherein the remote device comprises a network access policy decision point (PDP) and the prior network connection has a connection type that is different than a connection type of the subsequent network connection.
  - 19. The system of claim 15, wherein the prior network connection was initiated from a first location via a first connection medium and the subsequent network connection is initiated from a second location via a second connection medium.
  - 20. The system of claim 16, wherein the first connection medium and the second connection medium are the same connection medium.
  - 21. The system of claim 14, wherein the stored information includes a tamper-resistant authentication token from the prior network connection.

17. A system comprising:
- a network interface;
  
  a mass storage device;
  
  a first processor coupled to the network interface and the mass storage device;
  
  a second processor coupled with the network interface;
  
  memory configured to store information associated with a prior network connection of the system;
  
  an operating system and one or more software components adapted to be executed by the first processor; and
  
  one or more platform management components adapted to be executed by the second processor to present the stored information associated with the prior network connection to obtain a subsequent network connection for the system.

22. A method comprising:
- receiving an access request to a network for an apparatus;
  
  receiving information associated with an access grant of a prior network connection of the apparatus;
  
  determining whether to grant the requested network access to the apparatus based at least in part on the received prior network connection access grant information of the apparatus and, if network access is to be granted to the apparatus, further retrieving policy information, if any, to govern the network access to be granted to the apparatus based also at least in part on the received prior network connection information of the apparatus; and
  
  transmitting the result of the network access grant determination to the apparatus.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The method of claim 22, wherein the receiving of an access request to a network and information associated with an access grant of a prior network connection, the determining, and the transmitting are performed at a network access control server or a Policy Decision Point (PDP).
  - 24. The method of claim 22, wherein the receiving of information associated with an access grant of a prior network connection includes receiving a tamper-resistant authentication token associated with the access grant of the prior network connection.
  - 25. The method of claim 22, wherein the receiving of information associated with an access grant of a prior network connection of the apparatus includes receiving of an existing pair-wise master key (PMK) and/or a nonce value and the retrieving of policy information includes determining a PMK based in part on the received existing PMK and/or the nonce value.
  - 26. The method of claim 22, further comprising granting network access to the apparatus in accordance with the retrieved policy information, if any.

27. An article of manufacture comprising:
- a storage medium having stored therein a plurality of programming instructions that, when activated, cause a processor todetermine and maintain information associated with a prior network access grant of a host electronic device on which the processor is installed;
  
  transmit the information associated with the prior network access grant to a remote device via a network interface of the host electronic device;
  
  receive policy information from the remote device via the network interface, the policy information governing a new access to a network by the host electronic device; and
  
  enforce network access by the host electronic device based at least in part on the received policy information.
- View Dependent Claims (28)
- - 28. The article of manufacture of claim 27, wherein the remote device comprises a network access policy decision point (PDP). The article of manufacture of claim 27, wherein the information associated with the prior network access grant includes at least one parameter selected from the group of a connection medium of the prior network access grant, a connection location of the prior network access grant, a nonce associated with the prior network access grant, an existing pair-wise master key (PMK) associated with the prior network access grant, and a tamper-resistant authentication token associated with the prior network access grant.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Sood, Kapil, Khosravi, Hormuzd M., Schluessler, Travis, Grewal, Karanvir

Granted Patent

US 8,375,430 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/162   at the data link layer

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

H04W 12/069   using certificates or pre-s...

Roaming secure authenticated network access method and apparatus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Roaming secure authenticated network access method and apparatus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links