METHOD AND SYSTEM FOR AUTHENTICATING PEER DEVICES USING EAP

US 20080195861A1
Filed: 02/09/2007
Published: 08/14/2008
Est. Priority Date: 02/09/2007
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a peer device onto a network having an authenticator and an authentication server, the authentication server supporting Extensible Authentication Protocol (EAP), the network being accessible through an access point associated with the authenticator, the method including steps of:

exchanging EAP-specific authentication messages between the peer device and the authentication server via the authenticator;

generating keying material in the peer device;

generating said keying material and an associated key lifetime in the authentication server, and communicating said keying material and said associated key lifetime from the authentication server to the authenticator; and

communicating an EAP Success message from the authenticator to the peer device following the exchange of EAP-specific authentication messages, wherein the EAP Success message contains said associated key lifetime.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authenticating a peer device onto a network using Extensible Authentication Protocol (EAP). The key lifetime associated with the keying material generated in the peer device and the authentication server is communicated from the authenticator to the peer device within the EAP Success message. The peer device, having been provided with the key lifetime, can anticipate the termination of its authenticated session and initiate re-authentication prior to expiry of the key lifetime.

Citations

21 Claims

1. A method for authenticating a peer device onto a network having an authenticator and an authentication server, the authentication server supporting Extensible Authentication Protocol (EAP), the network being accessible through an access point associated with the authenticator, the method including steps of:
- exchanging EAP-specific authentication messages between the peer device and the authentication server via the authenticator;
  
  generating keying material in the peer device;
  
  generating said keying material and an associated key lifetime in the authentication server, and communicating said keying material and said associated key lifetime from the authentication server to the authenticator; and
  
  communicating an EAP Success message from the authenticator to the peer device following the exchange of EAP-specific authentication messages, wherein the EAP Success message contains said associated key lifetime.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further including the step of conducting a Secure Association Protocol to complete authentication and grant the peer device unblocked access to the network after communication of the EAP success message to the peer device.
  - 3. The method of claim 2, wherein said keying material comprises a master session key (MSK), and wherein the Secure Association Protocol comprises a 4-way handshake, which includes deriving a pairwise master key (PMK) from the MSK, and generating a transient session key (TSK) from the PMK, and wherein the TSK is used for encrypting subsequent communications between the peer device and the access point.
  - 4. The method of claim 3, wherein the key lifetime associated with the MSK is associated with each key derived from the MSK, including the PMK and TSK.
  - 5. The method of claim 1, wherein the EAP Success message comprises a code field and a data field, said code field containing a success indicator and said data field containing said associated key lifetime.
  - 6. The method of claim 1, further including, prior to expiration of the associated key lifetime, the peer device initiating a further EAP authentication exchange with the server to re-authenticate the peer device and to generate new keying material and a new associated key lifetime.
  - 7. The method of claim 6, further including steps of detecting an active session on the peer device and awaiting termination of the active session prior to initiating said further EAP authentication exchange.

8. A communications system, comprising:
- a network having an access point;
  
  an authenticator associated with the access point;
  
  an authentication server connected to the network and configured to communicate with the authenticator, the authentication server being configured to support Extensible Authentication Protocol (EAP); and
  
  a peer device configured to connect to said access point and exchange EAP-specific authentication messages with the authentication server via the authenticator, the peer device being further configured to generate keying material,wherein the authentication server is configured to generate said keying material and an associated key lifetime, and to communicate said keying material and said associated lifetime to the authenticator,and wherein the authenticator is configured to communicate an EAP Success message to the peer device following the exchange of EAP-specific authentication messages, wherein the EAP Success message contains said associated key lifetime.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein said peer device and said authenticator are configured to engage in a Secure Association Protocol to complete authentication and grant the peer device unblocked access to the network.
  - 10. The system of claim 9, wherein said keying material comprises a master session key (MSK), and wherein the Secure Association Protocol comprises a 4-way handshake, which includes deriving a pairwise master key (PMK) from the MSK, and generating a transient session key (TSK) from the PMK, and wherein the TSK is used for encrypting subsequent communications between the peer device and the access point.
  - 11. The system of claim 10, wherein the key lifetime associated with the MSK is associated with each key derived from the MSK, including the PMK and TSK.
  - 12. The system of claim 8, wherein the EAP Success message comprises a code field and a data field, said code field containing a success indicator and said data field containing said associated key lifetime.
  - 13. The system of claim 8, wherein the peer device is further configured to initiate a further EAP authentication exchange with the server to re-authenticate the peer device and to generate new keying material and a new associated key lifetime prior to expiration of the associated key lifetime.
  - 14. The system of claim 13, wherein the peer device is further configured to detect an active session on the peer device and await termination of the active session prior to initiating said further EAP authentication exchange.
  - 15. The system of claim 8, wherein the peer device comprises a display, and wherein the peer device is configured to display a timer indicating a time remaining in the key lifetime.

16. An access point in a network for permitting access by a peer device onto the network, the network including an authentication server supporting Extensible Authentication Protocol (EAP), the access point comprising:
- an authenticator configured to exchange EAP-specific authentication messages between the authentication server and the peer device, and being configured to receive keying material and an associated key lifetime from the authentication server, the authenticator comprising a component for generating an EAP success message and transmitting the EAP Success message to the peer device following the exchange of EAP-specific authentication messages, wherein the EAP Success message contains said associated key lifetime.
- View Dependent Claims (17, 18, 19)
- - 17. The access point of claim 16, wherein the EAP Success message comprises a code field and a data field, said code field containing a success indicator and said data field containing said associated key lifetime.
  - 18. The access point of claim 16, wherein the keying material comprises a master session key (MSK), wherein the Secure Association Protocol comprises a 4-way handshake, which includes deriving a pairwise master key (PMK) from the MSK, and generating a transient session key (TSK) from the PMK, and wherein the TSK is used for encrypting subsequent communications between the peer device and the access port.
  - 19. The access point of claim 18, wherein the key lifetime associated with the MSK is associated with each key derived from the MSK, including the PMK and TSK.

20. A method at an access point in a network for permitting access by a peer device onto the network, the network comprising an authentication server supporting Extensible Authentication Protocol (EAP), the method comprising:
- exchanging EAP-specific authentication messages between the authentication server and the peer device;
  
  receiving keying material and an associated key lifetime from the authentication server;
  
  generating an EAP success message; and
  
  transmitting the EAP Success message to the peer device following the exchange of EAP-specific authentication messages, wherein the EAP Success message contains said associated key lifetime.

21. A computer readable medium comprising program code executable by a processor of a computing device to configure an access point in a network for permitting access by a peer device onto the network, the network comprising an authentication server supporting Extensible Authentication Protocol (EAP), the code comprising:
- computer executable instructions for exchanging EAP-specific authentication messages between the authentication server and the peer device;
  
  computer executable instructions for receiving keying material and an associated key lifetime from the authentication server;
  
  computer executable instructions for generating an EAP success message; and
  
  computer executable instructions for transmitting the EAP Success message to the peer device following the exchange of EAP-specific authentication messages, wherein the EAP Success message contains said associated key lifetime.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Research In Motion Limited (Blackberry Limited)
Inventors
Salomone, Leonardo Jose Silva

Granted Patent

US 8,356,176 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

H04L 63/068   using time-dependent keys, ...

H04L 63/08   for authentication of entit...

H04L 63/162   at the data link layer

H04L 9/0844   with user authentication or...

H04L 9/088   Usage controlling of secret...

H04L 9/321   involving a third party or ...

METHOD AND SYSTEM FOR AUTHENTICATING PEER DEVICES USING EAP

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR AUTHENTICATING PEER DEVICES USING EAP

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links