SCHEME FOR DEVICE AND USER AUTHENTICATION WITH KEY DISTRIBUTION IN A WIRELESS NETWORK

US 20080115199A1
Filed: 01/10/2008
Published: 05/15/2008
Est. Priority Date: 12/06/2001
Status: Abandoned Application

First Claim

Patent Images

1. In a network comprising a first electronic device and a second electronic device, a method for authenticating access to a controlled network, said method comprising:

a) authenticating said second electronic device to said first electronic device, said first electronic device communicatively coupled to said second electronic device;

b) authenticating said first electronic device to said second electronic device;

c) determining a key at said first electronic device and at said second electronic device; and

d) authenticating a user to a central authentication server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a computer network, a method of mutually authenticating a client device and a network interface, authenticating a user to the network and exchanging encryption keys. In one embodiment, the method comprises authenticating the client device at the local network device point, with which the client device exchanges an encryption key and then the user is authenticated by a central authentication server. In another embodiment, the method comprises authenticating the client device at the central authentication server, with which the client device exchanges a key which is passed to the network device with a secret shared between the central authentication server and the network device. In this embodiment, the user is also authenticated at the central authentication server.

23 Citations

View as Search Results

24 Claims

1. In a network comprising a first electronic device and a second electronic device, a method for authenticating access to a controlled network, said method comprising:
- a) authenticating said second electronic device to said first electronic device, said first electronic device communicatively coupled to said second electronic device;
  
  b) authenticating said first electronic device to said second electronic device;
  
  c) determining a key at said first electronic device and at said second electronic device; and
  
  d) authenticating a user to a central authentication server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein said first electronic device is a client device and said second electronic device is a network device.
  - 3. The method of claim 2 wherein said step a) comprises:
    - receiving a first message from said client device at said network device, said first message comprising a device identifier and a first random number;
      
      receiving a second message from said network device at said client device, said second message comprising a second random number and a first digest, said first digest comprising a one-way hash function operating on said first random number, said device identifier, and a first secret shared between said network device and said client device;
      
      determining a second digest at said client device, said second digest comprising a one-way hash function operating on said first random number, said device identifier, and said first secret;
      
      comparing said first digest to said second digest at said client device; and
      
      provided said first digest matches said second digest, authenticating said network device to said client device.
  - 4. The method of claim 2 wherein said step b) comprises:
    - receiving a third message from said client device at said network device, said third message comprising a third digest, said third digest comprising a one-way hash function operating on said second random number, said device identifier, and said first secret;
      
      determining a fourth digest at said network device, said fourth digest comprising said second random number, said device identifier, and said first secret;
      
      comparing said third digest to said fourth digest at said client device; and
      
      provided said third digest matches said fourth digest, authenticating said client device to said network device.
  - 5. The method as recited in claim 2 wherein step c) comprises:
    - determining a fifth digest at said network device, said fifth digest comprising said device identifier received from said client device, said first secret, said first random number, and said second random number, said fifth digest from which said network device selects bits and determines said key; and
      
      calculating a sixth digest at said client device, said sixth digest comprising said device identifier, said first secret, said first random number and said second random number, said sixth digest from which said client device selects bits and determines said key.
  - 6. The method as recited in claim 2 wherein said step d) comprises:
    - transmitting a request for a user_name and a user_credentials to said client device. sending said user_name and said user_credentials to said network device from said client device;
      
      forwarding said user_name and said user_credentials to said central authentication server from said network device; and
      
      employing said user_name and said user_credentials for authenticating said user at said central authentication server.
  - 7. The method as recited in claim 6 further comprising:
    - provided said user is authenticated at said central authentication server;
      
      sending a success message to said network device at said central authentication server;
      
      forwarding said success message to said client device at said network device;
      
      allowing said client device to access said controlled network at said network device; and
      
      provided said user is not authenticated at said central authentication server;
      
      sending a failure message to said network device at said central authentication server;
      
      forwarding said failure message to said client device at said network device;
      
      disallowing said client device access to said controlled network at said network device.
  - 8. The method as recited in claim 2 wherein said network device is a wireless network access point.

9. A computer system network comprising:
- a central authentication server for authenticating a user to send or receive information over a computer system network;
  
  a first electronic device coupled to said network device; and
  
  a second electronic device coupled to said central authentication server;
  
  said central authentication server, said first electronic device and said second electronic device operating in conjunction to perform a method of authenticating access to a controlled network, said method comprising;
  
  a) authenticating said second electronic device to said first electronic device, said first electronic device communicatively coupled to said second electronic device;
  
  b) authenticating said first electronic device to said second electronic device;
  
  c) determining a key at said first electronic device and at said second electronic device; and
  
  d) authenticating a user to a central authentication server.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9 wherein said first electronic device is a client device and said second electronic device is a network device.
  - 11. The method of claim 10 wherein said step a) comprises:
    - receiving a first message from said client device at said network device, said first message comprising a device identifier and a first random number;
      
      receiving a second message from said network device at said client device, said second message comprising a second random number and a first digest, said first digest comprising a one-way hash function operating on said first random number, said device identifier, and a first secret shared between said network device and said client device;
      
      determining a second digest at said client device, said second digest comprising a one-way hash function operating on said first random number, said device identifier, and said first secret;
      
      comparing said first digest to said second digest at said client device; and
      
      provided said first digest matches said second digest, authenticating said network device to said client device.
  - 12. The method of claim 10 wherein said step b) comprises:
    - receiving a third message from said client device at said network device, said third message comprising a third digest, said third digest comprising a one-way hash function operating on said second random number, said device identifier, and said first secret;
      
      determining a fourth digest at said network device, said fourth digest comprising said second random number, said device identifier, and said first secret;
      
      comparing said third digest to said fourth digest at said client device; and
      
      provided said third digest matches said fourth digest, authenticating said client device to said network device.
  - 13. The method as recited in claim 10 wherein step c) comprises:
    - determining a fifth digest at said network device, said fifth digest comprising said device identifier received from said client device, said first secret, said first random number, and said second random number, said fifth digest from which said network device selects bits and determines said key; and
      
      calculating a sixth digest at said client device, said sixth digest comprising said device identifier, said first secret, said first random number and said second random number, said sixth digest from which said client device selects bits and determines said key.
  - 14. The method as recited in claim 10 wherein said step d) comprises:
    - transmitting a request for a user_name and a user_credentials to said client device. sending said user_name and said user_credentials to said network device from said client device;
      
      forwarding said user_name and said user_credentials to said central authentication server from said network device; and
      
      employing said user_name and said user_credentials for authenticating said user at said central authentication server.
  - 15. The method as recited in claim 14 further comprising:
    - provided said user is authenticated at said central authentication server;
      
      sending a success message to said network device at said central authentication server;
      
      forwarding said success message to said client device at said network device;
      
      allowing said client device to access said controlled network at said network device; and
      
      provided said user is not authenticated at said central authentication server;
      
      sending a failure message to said network device at said central authentication server;
      
      forwarding said failure message to said client device at said network device;
      
      disallowing said client device access to said controlled network at said network device.
  - 16. The method as recited in claim 10 wherein said network device is a wireless network access point.

17. In a computer-usable medium having computer-readable program code embodied therein, a computer-implemented method for authenticating a first electronic device and a second electronic device, said method comprising:
- a) authenticating said second electronic device to said first electronic device, said first electronic device communicatively coupled to said second electronic device;
  
  b) authenticating said first electronic device to said second electronic device;
  
  c) Determining a key at said first electronic device and at said second electronic device; and
  
  d) authenticating a user to a central authentication server.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer implemented method of claim 17 wherein said first electronic device is a client device and said second electronic device is a network device.
  - 19. The computer implemented method of claim 18 wherein said step a) comprises:
    - receiving a first message from said client device at said network device, said first message comprising a device identifier and a first random number;
      
      receiving a second message from said network device at said client device, said second message comprising a second random number and a first digest, said first digest comprising a one-way hash function operating on said first random number, said device identifier, and a first secret shared between said network device and said client device;
      
      determining a second digest at said client device, said second digest comprising a one-way hash function operating on said first random number, said device identifier, and said first secret;
      
      comparing said first digest to said second digest at said client device; and
      
      provided said first digest matches said second digest, authenticating said network device to said client device.
  - 20. The computer implemented method of claim 18 wherein said step b) comprises:
    - receiving a third message from said client device at said network device, said third message comprising a third digest, said third digest comprising a one-way hash function operating on said second random number, said device identifier, and said first secret;
      
      determining a fourth digest at said network device, said fourth digest comprising said second random number, said device identifier, and said first secret;
      
      comparing said third digest to said fourth digest at said client device; and
      
      provided said third digest matches said fourth digest, authenticating said client device to said network device.
  - 21. The computer implemented method as recited in claim 18 wherein step c) comprises:
    - determining a fifth digest at said network device, said fifth digest comprising said device identifier received from said client device, said first secret, said first random number, and said second random number, said fifth digest from which said network device selects bits and determines said key; and
      
      calculating a sixth digest at said client device, said sixth digest comprising said device identifier, said first secret, said first random number and said second random number, said sixth digest from which said client device selects bits and determines said key.
  - 22. The computer implemented method as recited in claim 18 wherein said step d) comprises:
    - transmitting a request for a user_name and a user_credentials to said client device. sending said user_name and said user_credentials to said network device from said client device;
      
      forwarding said user_name and said user_credentials to said central authentication server from said network device; and
      
      employing said user_name and said user_credentials for authenticating said user at said central authentication server.
  - 23. The computer implemented method as recited in claim 22 further comprising:
    - provided said user is authenticated at said central authentication server;
      
      sending a success message to said network device at said central authentication server;
      
      forwarding said success message to said client device at said network device;
      
      allowing said client device to access said controlled network at said network device; and
      
      provided said user is not authenticated at said central authentication server;
      
      sending a failure message to said network device at said central authentication server;
      
      forwarding said failure message to said client device at said network device;
      
      disallowing said client device access to said controlled network at said network device.
  - 24. The computer implemented method as recited in claim 18 wherein said network device is a wireless network access point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Company (HP Inc.)
Original Assignee
Hewlett-Packard Company (HP Inc.)
Inventors
Nessett, Danny, Chang, Victor, Young, Albert

Application Number

US11/971,953
Publication Number

US 20080115199A1
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0869   for achieving mutual authen...

H04L 9/0836   using tree structure or hie...

H04L 9/0844   with user authentication or...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3273   for mutual authentication n...

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

SCHEME FOR DEVICE AND USER AUTHENTICATION WITH KEY DISTRIBUTION IN A WIRELESS NETWORK

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

SCHEME FOR DEVICE AND USER AUTHENTICATION WITH KEY DISTRIBUTION IN A WIRELESS NETWORK

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links