Network client validation of network management frames

US 20080295144A1
Filed: 12/06/2005
Published: 11/27/2008
Est. Priority Date: 10/16/2003
Status: Active Grant

First Claim

Patent Images

1. In a wireless client that includes one or more wireless network interfaces for communicating with at least one access point, a method comprising:

associating with a wireless access point;

authenticating to an authentication server; and

conditionally applying, at the wireless client, one or more security policies based on a failure to authenticate to the authentication server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for use in a wireless client that includes one or more wireless network interfaces for communicating with at least one access point wherein the method enables the wireless client to validate the authenticity and integrity of received management frames. The method includes receiving a protected wireless network management frame from an access point verifying a message integrity check (MIC) appended to the protected wireless network management frame. One or more security policies are then conditionally applied based on a failure to verify the MIC.

Citations

38 Claims

1. In a wireless client that includes one or more wireless network interfaces for communicating with at least one access point, a method comprising:
- associating with a wireless access point;
  
  authenticating to an authentication server; and
  
  conditionally applying, at the wireless client, one or more security policies based on a failure to authenticate to the authentication server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as recited in claim 1 wherein conditionally applying the one or more security policies comprises:
    - incrementing a failure counter if authenticating to the authentication server fails; and
      
      applying the one or more security policies if a current value of the failure counter is above a threshold.
  - 3. The method as recited in claim 1 wherein the one or more security policies comprises at least one of recording a failure to connect to the authentication server, reporting the failure, and disabling a wireless network interface of the one or more wireless network interfaces.
  - 4. The method as recited in claim 3 wherein reporting the failure comprises reporting an authentication failure event that occurred at a next successful authentication.
  - 5. The method as recited in claim 1 further comprising:
    - generating a session key with the wireless access point; and
      
      conditionally applying, at the wireless client, one or more security policies based on a failure to generate the session key.
  - 6. The method as recited in claim 5 wherein conditionally applying the one or more security policies comprises:
    - incrementing a session key failure counter if a successful key generation session fails; and
      
      applying the one or more security policies if a current value of the authentication failure counter or a current value of the session key failure counter is above a threshold.
  - 7. The method as recited in claim 6 wherein the threshold comprises an authentication failure counter threshold and a session key failure threshold.
  - 8. The method as recited in claim 5 wherein the one or more security policies comprises at least one of recording a failure to connect to the authentication server, recording a successful key generation session failure, reporting the failures, and disabling a wireless network interface.

9. A wireless client comprising:
- a wireless network interface;
  
  one or more processors;
  
  a memory;
  
  a wireless network interface driver application, stored in the memory, including instructions operable to cause the one or more processors and the wireless network interface to;
  
  associate with a wireless access point;
  
  authenticate to an authentication server; and
  
  conditionally apply, at the wireless client, one or more security policies based on a failure to authenticate to the authentication server.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The wireless client as recited in claim 9 wherein to conditionally apply the one or more security policies the wireless network interface driver application further comprises instructions operative to cause the one or more processors and the wireless network interface to:
    - increment a failure counter if authenticating to the authentication server fails; and
      
      apply the one or more security policies if a current value of the failure counter is above a threshold.
  - 12. The wireless client as recited in claim 9 wherein the one or more security policies comprises at least one of recording a failure to connect to the authentication server, reporting the failure, and disabling the wireless network interface.
  - 13. The wireless client as recited in claim 11 wherein reporting the failure comprises reporting an authentication failure event at a next successful authentication.
  - 14. The wireless client of claim 9 wherein the wireless network interface driver application further comprises instructions operative to cause the one or more processors and the wireless network interface to:
    - generate a session key with the wireless access point; and
      
      conditionally apply one or more security policies based on a failure to generate the session key.
  - 15. The wireless client as recited in claim 14 wherein to conditionally apply the one or more security policies, the wireless network interface driver application further comprises instructions operative to cause the one or more processors and the wireless network interface to:
    - increment an authentication failure counter if authenticating to the authentication server fails;
      
      increment a session key failure counter if a key generation session fails; and
      
      apply the one or more security policies if a current value of the authentication failure counter or a current value of the session key failure counter is above a threshold.
  - 16. The wireless client as recited in claim 15 wherein the threshold comprises an authentication failure counter threshold and a session key failure threshold.
  - 17. The wireless client as recited in claim 14 wherein the one or more security policies comprises at least one of recording a failure to connect to the authentication server, recording a session key generation session failure, reporting the failures, and disabling a wireless network interface.

18. A wireless client, comprising:
- means for establishing a wireless network connection with a wireless access point;
  
  means for authenticating to an authentication server; and
  
  means for conditionally applying, at the wireless client, one or more security policies based on a failure to authenticate to the authentication server.

19. In a wireless client that includes one or more wireless network interfaces for communicating with at least one access point, a method comprising:
- receiving a wireless network management frame from an access point;
  
  verifying, if the wireless network management frame is protected, a message integrity check (MIC) appended to the protected wireless network management frame; and
  
  conditionally applying, at the wireless client, one or more security policies based on a failure to verify the MIC.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The method as recited in claim 19 wherein the wireless network management frame is an unprotected wireless management frame wherein there is no message integrity check appended to the unprotected wireless management frame, and wherein a different set of one or more security policies are conditionally applied due to the missing message integrity check.
  - 21. The method as recited in claim 19 wherein conditionally applying the one or more security policies comprises:
    - incrementing a failure counter if the MIC can not be verified; and
      
      applying the one or more security policies if a current value of the failure counter is above a threshold.
  - 22. The method as recited in claim 21 wherein the current value of the failure counter is reduced over a time period if additional MIC failures do not occur during that time period.
  - 23. The method as recited in claim 19 further comprising dropping the wireless network management frame if the MIC can not be verified.
  - 24. The method as recited in claim 19 wherein the one or more security policies comprises at least one of recording a failure to verify the MIC, reporting the failure, and disabling a wireless network interface of the one or more wireless network interfaces.

25. A wireless client comprising:
- a wireless network interface;
  
  one or more processors;
  
  a memory;
  
  a wireless network interface driver application, stored in the memory, including instructions operable to cause the one or more processors and the wireless network interface to;
  
  receive a wireless network management frame from an access point;
  
  verify, if the wireless network management frame is protected, a message integrity check (MIC) appended to the protected wireless network management frame; and
  
  conditionally apply one or more security policies based on a failure to verify the MIC.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The wireless client as recited in claim 25 wherein the wireless management frame is an unprotected wireless management frame wherein there is no message integrity check appended to the unprotected wireless management frame, and wherein a different set of one or more security policies are conditionally applied due to the missing message integrity check.
  - 27. The wireless client as recited in claim 25 wherein to conditionally apply the one or more security policies, the wireless network interface driver application further comprises instructions operative to cause the one or more processors and the wireless network interface to:
    - increment a failure counter if the MIC can not be verified; and
      
      apply the one or more security policies if a current value of the failure counter is above a threshold.
  - 28. The wireless client as recited in claim 27 wherein the current value of the failure counter is reduced over a time period if additional MIC failures do not occur during that time period.
  - 29. The wireless client as recited in claim 25 wherein the wireless network interface driver application further comprises instructions operative to cause the one or more processors and the wireless network interface to:
    - drop the wireless network management frame if the MIC can not be verified.
  - 30. The wireless client as recited in claim 25 wherein the one or more security policies comprises at least one of recording a failure verify the MIC, reporting the failure, and disabling the wireless network interface.

31. A wireless client comprisingmeans for establishing a wireless network connection with a wireless access point, and for receiving a wireless network management frame from the access point;
- means for verifying, if the wireless network management frame is protected, a message integrity check (MIC) appended to the protected wireless network management frame; and
  
  means for conditionally applying one or more security policies based on a failure to verify the MIC.

32. In an access point operable in a wireless network infrastructure, a method for preventing a rogue wireless client from connecting to an access point compromising:
- receiving, from a wireless client, a re-association request containing a message integrity check (MIC);
  
  receiving connection state information that includes one or more keys for the wireless client;
  
  verifying the MIC;
  
  establishing a connection with the wireless client if the MIC is valid; and
  
  conditionally applying one or more security policies if the message integrity check (MIC) can not be verified.
- View Dependent Claims (33, 34)
- - 33. The method as recited in claim 32 wherein conditionally applying the one or more security policies comprises:
    - incrementing a failure counter if the MIC is not verified;
      
      comparing a current value of the failure counter to a threshold; and
      
      applying the one or more security policies if the current value is greater than the threshold.
  - 34. The method as recited in claim 32 wherein the one or more security policies comprises at least one of recording a failure verify the MIC, reporting the failure, and blacklisting the wireless client to refuse future re-association requests.

35. An access point compromising:
- a wireless network interface;
  
  one or more processors;
  
  a memory;
  
  a wireless access point application, stored in the memory, including instructions operable to cause the one or more processors and the wireless network interface to;
  
  receive a re-association request that contains a message integrity check (MIC) from a wireless client;
  
  receive connection state information that includes one or more keys for the wireless client;
  
  verify the MIC;
  
  establish a connection if the MIC is valid; and
  
  conditionally apply one or more security policies if the message integrity check (MIC) can not be verified.
- View Dependent Claims (36, 37)
- - 36. The access point as recited in claim 35 wherein conditionally apply the one or more security policies comprises:
    - increment a failure counter if the MIC is not verified;
      
      compare a current value of the failure counter to a threshold; and
      
      apply the one or more security policies if the current value is greater than the threshold.
  - 37. The access point as recited in claim 35 wherein the one or more security policies comprises at least one of record a failure verify the MIC, report the failure and blacklist the wireless client to refuse future re-association requests.

38. A wireless access point, comprisingmeans for receiving, from a wireless client, a re-association request containing a message integrity check (MIC);
- means for receiving connection state information that includes one or more keys for the wireless client;
  
  means for verifying the MIC;
  
  means for establishing a connection with the wireless client if the MIC is valid; and
  
  means for conditionally applying one or more security policies if the message integrity check (MIC) can not be verified.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Krischer, Mark, Cam-Winget, Nancy, O'Hara, Robert B. JR.

Granted Patent

US 8,713,626 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 41/00   Arrangements for maintenanc...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04L 63/20   for managing network securi...

H04L 9/32   including means for verifyi...

H04W 12/06   Authentication

H04W 12/106   Packet or message integrity

H04W 12/122   Counter-measures against at...

H04W 88/08   Access point devices

Network client validation of network management frames

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Network client validation of network management frames

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links