KERBERIZED HANDOVER KEYING IMPROVEMENTS

US 20080212783A1
Filed: 01/10/2008
Published: 09/04/2008
Est. Priority Date: 03/01/2007
Status: Active Grant

First Claim

Patent Images

1. A method for media-independent handover key management for secure key distribution among a server, an authenticator and a mobile node using Kerberized Handover Keying in a reactive mode employing ticket delivery after handover, comprising:

a) having a mobile node transmit an AS-REQ to a Key Distribution Center, and having the mobile node receive an AS-REP from the Key Distribution Center with a Ticket Granting Ticket (TGT);

b) after handover of said mobile node to a target authenticator, having the target authenticator transmit a TGS-REQ to the Key Distribution Center, and having the target authenticator receive a TGS-REP from the Key Distribution Center to obtain a ticket (T) for the mobile node; and

c) having the authenticator transmit an AP-REQ to the mobile node, and having the mobile node transmit an AP-REP message to the authenticator to authenticate the mobile node.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A media-independent handover key management architecture is disclosed that uses Kerberos for secure key distribution among a server, an authenticator, and a mobile node. In the preferred embodiments, signaling for key distribution is based on re-keying and is decoupled from re-authentication that requires EAP (Extensible Authentication Protocol) and AAA (Authentication, Authorization and Accounting) signaling similar to initial network access authentication. In this framework, the mobile node is able to obtain master session keys required for dynamically establishing the security associations with a set of authenticators without communicating with them before handover. By separating re-key operation from re-authentication, the proposed architecture is more optimized for a proactive mode of operation. It can also be optimized for reactive mode of operation by reversing the key distribution roles between the mobile node and the target access node.

Citations

18 Claims

1. A method for media-independent handover key management for secure key distribution among a server, an authenticator and a mobile node using Kerberized Handover Keying in a reactive mode employing ticket delivery after handover, comprising:
- a) having a mobile node transmit an AS-REQ to a Key Distribution Center, and having the mobile node receive an AS-REP from the Key Distribution Center with a Ticket Granting Ticket (TGT);
  
  b) after handover of said mobile node to a target authenticator, having the target authenticator transmit a TGS-REQ to the Key Distribution Center, and having the target authenticator receive a TGS-REP from the Key Distribution Center to obtain a ticket (T) for the mobile node; and
  
  c) having the authenticator transmit an AP-REQ to the mobile node, and having the mobile node transmit an AP-REP message to the authenticator to authenticate the mobile node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further including establishing a secure association between the mobile node and the target authenticator using the ticket (T).
  - 3. The method of claim 1, further including prior to step b), after handover of said mobile node to the target authenticator, having said mobile node transmit a trigger message to the target authenticator;
  - 4. The method of claim 1, further including locating the Key Distribution Center at a location close to the target authenticator using cross-realm operation to reduce signally latency in the reactive mode due to round trip signaling between the authenticator and the Key Distribution Center.
  - 5. The method of claim 1, further including having authorization information embedded in ticket authorization data such that the target authenticator performs access control without AAA signaling after handover for authorization.
  - 6. The method of claim 5, further including carrying the authorization information in an encrypted data part of the TGS-REP message.
  - 7. The method of claim 1, further including performing the following authorization method:
    - a) having a node that implements the Key Distribution Center also implement an AAA client that communicates with an AAA server for authorization purposes; and
      
      b) having said AM client obtain authorization information from the AM server using an AM protocol and return the obtained information to the Key Distribution Center.
  - 8. The method of claim 7, further including having the Key Distribution Center directly pass the authorization information to the authenticator in a reactive mode.
  - 9. The method of claim 1, further including establishing inter-realm keys for different Kerberos realms, such that said target authenticator node is able to obtain a Ticket Granting Ticket (TGT) for a remote Kerberos realm'"'"'s ticket granting service from a local Kerberos realm.
  - 10. The method of claim 8, further including having one or more intermediate realms between the local realm and the remote realm, and the target authenticator iterating the Ticket Granting Ticket (TGT) procedure along an authentication path between the realms.

11. A media-independent handover key management architecture for secure key distribution among a server, an authenticator and a mobile node, comprising:
- a) a mobile node having an EAP peer that is configured to communicate with an EAP server;
  
  b) said mobile node further having a Kerberos server that is configured to communicate with at least one authenticator for at least one target network that has a respective Kerberos client; and
  
  c) said mobile node being configured to perform security signaling in relation to handover to said at least one target network via said at least one authenticator, including network access authentication and key management signaling to obtain master session keys using Kerberos to dynamically establish a security association via said at least one authenticator without re-authentication using EAP and AM signaling.
- View Dependent Claims (12, 13, 14)
- - 12. The media-independent handover key management architecture of claim 11, wherein said at least one authenticator has a Kerberos client.
  - 13. The media-independent handover key management architecture of claim 11, wherein said at least one authenticator includes a plurality of authenticators and said mobile node is configured to reactively obtain per-authenticator keys for said plurality of authenticators.
  - 14. The media-independent handover key management architecture of claim 11, wherein said plurality of authenticators includes at least one access point or base station.

15. A method for media-independent handover key management for secure key distribution among a server, an authenticator and a mobile node, comprising:
- a) having a mobile node obtain the identity of a Key Distribution Center and a secret key shared with an Application Server during initial network access authentication via bootstrapping Kerberos from network access authentication credentials using an EAP method; and
  
  b) having said mobile node establish security associations with a set of authenticators using Kerberos after handover.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, further including having said mobile node include a Kerberos server that communicates with respective Kerberos clients of said authenticators.
  - 17. The method of claim 15, further including delivering a ticket (T) for the mobile node to the authenticator after handover of the mobile.
  - 18. The method of claim 15, wherein for said bootstrapping, an EAP server and the Key Distribution Center are implemented on the same node using a same identifier for the EAP server identity and the Key Distribution Center.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Four Batons Wireless LLC (Two Gold Capital LLC)
Original Assignee
Telcordia Technologies Incorporated (Telefonaktiebolaget LM Ericsson), Toshiba America Research Inc (Toshiba Corporation)
Inventors
OBA, Yoshihiro

Granted Patent

US 8,817,990 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/279
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 2209/80   Wireless

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/162   at the data link layer

H04L 9/083   involving central third par...

H04L 9/321   involving a third party or ...

H04L 9/3213   using tickets or tokens, e....

H04W 36/005   involving radio access medi...

KERBERIZED HANDOVER KEYING IMPROVEMENTS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

KERBERIZED HANDOVER KEYING IMPROVEMENTS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links