KERBERIZED HANDOVER KEYING IMPROVEMENTS
First Claim
1. A method for media-independent handover key management for secure key distribution among a server, an authenticator and a mobile node using Kerberized Handover Keying in a reactive mode employing ticket delivery after handover, comprising:
a) having a mobile node transmit an AS-REQ to a Key Distribution Center, and having the mobile node receive an AS-REP from the Key Distribution Center with a Ticket Granting Ticket (TGT);
b) after handover of said mobile node to a target authenticator, having the target authenticator transmit a TGS-REQ to the Key Distribution Center, and having the target authenticator receive a TGS-REP from the Key Distribution Center to obtain a ticket (T) for the mobile node; and
c) having the authenticator transmit an AP-REQ to the mobile node, and having the mobile node transmit an AP-REP message to the authenticator to authenticate the mobile node.
Abstract
A media-independent handover key management architecture is disclosed that uses Kerberos for secure key distribution among a server, an authenticator, and a mobile node. In the preferred embodiments, signaling for key distribution is based on re-keying and is decoupled from re-authentication that requires EAP (Extensible Authentication Protocol) and AAA (Authentication, Authorization and Accounting) signaling similar to initial network access authentication. In this framework, the mobile node is able to obtain master session keys required for dynamically establishing the security associations with a set of authenticators without communicating with them before handover. By separating re-key operation from re-authentication, the proposed architecture is more optimized for a proactive mode of operation. It can also be optimized for reactive mode of operation by reversing the key distribution roles between the mobile node and the target access node.
18 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A media-independent handover key management architecture for secure key distribution among a server, an authenticator and a mobile node, comprising:
a) a mobile node having an EAP peer that is configured to communicate with an EAP server;
b) said mobile node further having a Kerberos server that is configured to communicate with at least one authenticator for at least one target network that has a respective Kerberos client; and
c) said mobile node being configured to perform security signaling in relation to handover to said at least one target network via said at least one authenticator, including network access authentication and key management signaling to obtain master session keys using Kerberos to dynamically establish a security association via said at least one authenticator without re-authentication using EAP and AAA signaling.
Dependent claims: 12, 13, 14.
15. A method for media-independent handover key management for secure key distribution among a server, an authenticator and a mobile node, comprising:
a) having a mobile node obtain the identity of a Key Distribution Center and a secret key shared with an Application Server during initial network access authentication via bootstrapping Kerberos from network access authentication credentials using an EAP method; and
b) having said mobile node establish security associations with a set of authenticators using Kerberos after handover.
Dependent claims: 16, 17, 18.
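The following Python simulation is an added example, not code from the patent or its assignee. It walks through the reactive-mode exchange of claim 1 with the role reversal the abstract describes: the target authenticator acts as the Kerberos client and the mobile node as the Kerberos server (claim 11), so the ticket T obtained in step b) is sealed under the mobile node's key, and the AP-REP in step c) proves the mobile node holds that key. The mobile node's key is bootstrapped from an EAP MSK as in claim 15. Everything beyond the message names is an assumption: the HMAC-based toy encryption standing in for Kerberos enctypes, the KDF labels, the principal names, the 300 s ticket lifetime, and that the authenticator holds its own KDC credential and TGT (the claims do not say how the authenticator is credentialed at the KDC).

```python
import hashlib
import hmac
import json
import secrets
import time


def kdf(secret: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 key derivation. Assumed KDF; the claims fix none."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC (HMAC keystream XOR + HMAC tag). Stands in for the
    Kerberos enc-part so the block runs on the stdlib; not real Kerberos crypto."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Minimal AS + TGS. `keys` maps each principal to its long-term key with the KDC."""

    def __init__(self) -> None:
        self.keys = {}
        self.tgs_key = secrets.token_bytes(32)  # seals TGTs; known only to the KDC

    def register(self, principal: str, key: bytes) -> None:
        self.keys[principal] = key

    def as_exchange(self, client: str) -> dict:
        """AS-REQ/AS-REP: opaque TGT plus the TGT session key under the client's key."""
        sk = secrets.token_bytes(32)
        return {"tgt": seal(self.tgs_key, {"client": client, "sk": sk.hex()}),
                "enc_part": seal(self.keys[client], {"sk": sk.hex()})}

    def tgs_exchange(self, tgt: bytes, service: str) -> dict:
        """TGS-REQ/TGS-REP: a valid TGT yields ticket T for `service`, sealed
        under the service principal's key (here: the mobile node's key)."""
        inner = open_(self.tgs_key, tgt)
        ks = secrets.token_bytes(32)
        ticket = seal(self.keys[service],
                      {"client": inner["client"], "sk": ks.hex(), "exp": time.time() + 300})
        return {"ticket": ticket, "enc_part": seal(bytes.fromhex(inner["sk"]), {"sk": ks.hex()})}


def bootstrap_mobile_node_key(eap_msk: bytes) -> bytes:
    """Claim 15: the MN's Kerberos key is derived from its EAP credential (label assumed)."""
    return kdf(eap_msk, b"kerberos-bootstrap")


def mobile_node_handle_ap_req(mn_key: bytes, ap_req: dict) -> tuple:
    """The MN acts as Kerberos server (claim 11): it opens T with its own key,
    checks the authenticator, and answers with AP-REP. Returns (ap_rep, session key)."""
    t = open_(mn_key, ap_req["ticket"])
    if t["exp"] < time.time():
        raise ValueError("ticket expired")
    ks = bytes.fromhex(t["sk"])
    auth = open_(ks, ap_req["authenticator"])
    if auth["client"] != t["client"]:
        raise ValueError("AP-REQ authenticator does not match ticket client")
    return seal(ks, {"ts": auth["ts"]}), ks


def reactive_handover(kdc: KDC, mn_id: str, mn_key: bytes,
                      auth_id: str, auth_key: bytes) -> tuple:
    """Claim 1 steps a) to c). Returns the handover MSK as derived by the MN
    and by the target authenticator; both must match."""
    # a) MN <-> KDC: AS-REQ / AS-REP. The MN keeps its TGT for proactive use.
    mn_as_rep = kdc.as_exchange(mn_id)
    open_(mn_key, mn_as_rep["enc_part"])  # MN recovers its TGT session key
    # --- handover: MN now attaches to the target authenticator ---
    # b) Authenticator <-> KDC: TGS-REQ / TGS-REP for a ticket T to the MN.
    #    Assumption: the authenticator has its own KDC credential and TGT.
    auth_as_rep = kdc.as_exchange(auth_id)
    auth_tgt_sk = bytes.fromhex(open_(auth_key, auth_as_rep["enc_part"])["sk"])
    tgs_rep = kdc.tgs_exchange(auth_as_rep["tgt"], service=mn_id)
    ks_auth = bytes.fromhex(open_(auth_tgt_sk, tgs_rep["enc_part"])["sk"])
    # c) Authenticator -> MN: AP-REQ; MN -> Authenticator: AP-REP.
    ts = time.time_ns()
    ap_req = {"ticket": tgs_rep["ticket"],
              "authenticator": seal(ks_auth, {"client": auth_id, "ts": ts})}
    ap_rep, ks_mn = mobile_node_handle_ap_req(mn_key, ap_req)
    if open_(ks_auth, ap_rep)["ts"] != ts:
        raise ValueError("AP-REP does not echo the authenticator timestamp")
    return kdf(ks_mn, b"handover-msk"), kdf(ks_auth, b"handover-msk")


def build_demo() -> tuple:
    """Constructed setup: a random stand-in for the EAP MSK bootstraps the MN key;
    the authenticator's KDC key is provisioned out of band (assumption)."""
    kdc = KDC()
    mn_key = bootstrap_mobile_node_key(secrets.token_bytes(64))
    auth_key = secrets.token_bytes(32)
    kdc.register("mn@EXAMPLE", mn_key)
    kdc.register("auth-target@EXAMPLE", auth_key)
    return kdc, mn_key, auth_key


if __name__ == "__main__":
    kdc, mn_key, auth_key = build_demo()
    a, b = reactive_handover(kdc, "mn@EXAMPLE", mn_key, "auth-target@EXAMPLE", auth_key)
    print("handover MSK agreed by both sides:", a == b)
```

The point a practitioner should take from the reversed roles: the mobile node never contacts the target authenticator before handover, yet the authenticator can fetch a ticket for it at any time, and only a mobile node holding the key bootstrapped from its EAP authentication can open that ticket and produce a valid AP-REP. A mobile node with the wrong key, or a ticket modified in transit, fails the integrity check and no handover key is established.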