Method and Apparatus for Authenticating Nodes in a Wireless Network

US 20090086973A1
Filed: 09/27/2007
Published: 04/02/2009
Est. Priority Date: 09/27/2007
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a wireless node requesting to join a wireless network, comprising:

receiving, at an authentication server node, an authentication request from the wireless node;

negotiating at least one authentication parameter with the wireless node;

deriving a first encryption key using the at least one authentication parameter, wherein the first encryption key is independently derived at the wireless node;

encrypting a second encryption key using the first encryption key; and

propagating the encrypted second encryption key toward the wireless node.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention includes a method and apparatus for authenticating a wireless node requesting to join a network. A method includes receiving an authentication request from the wireless node, negotiating at least one authentication parameter with the wireless node, deriving a first encryption key using the at least one authentication parameter, encrypting a second encryption key using the first encryption key, and propagating the encrypted second encryption key toward the wireless node, wherein the wireless node independently derives the first encryption key for use in decrypting the encrypted second encryption key received from the authentication server node. The wireless node decrypts the encrypted second encryption key and stores the second encryption key for use to securely communicate with other wireless nodes of the network. In one embodiment, the present invention may be implemented using a modified version of the EAP-TLS protocol, in which rather than a Pairwise Master Key (PMK) being sent from the authentication server node to the wireless node, the authentication server node and the wireless node each derive the PMK and the authentication server node securely provides a group encryption key to the wireless node by encrypting the group encryption key using the PMK.

Citations

20 Claims

1. A method for authenticating a wireless node requesting to join a wireless network, comprising:
- receiving, at an authentication server node, an authentication request from the wireless node;
  
  negotiating at least one authentication parameter with the wireless node;
  
  deriving a first encryption key using the at least one authentication parameter, wherein the first encryption key is independently derived at the wireless node;
  
  encrypting a second encryption key using the first encryption key; and
  
  propagating the encrypted second encryption key toward the wireless node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the first encryption key comprises an Extensible Authentication Protocol (EAP) Pairwise Master Key (PMK).
  - 3. The method of claim 1, wherein the second encryption key comprises one of a unicast encryption key, a multicast encryption key, and a broadcast encryption key.
  - 4. The method of claim 1, wherein negotiating the at least one authentication parameter with the authentication server node is performed using an EAP method.
  - 5. The method of claim 1, further comprising:
    - after receiving the authentication request and prior to negotiating the at least one authentication parameter, establishing a secure tunnel between the wireless node and the authentication server node; and
      
      negotiating the at least one authentication parameter with the wireless node using the secure tunnel.
  - 6. The method of claim 5, wherein the secure tunnel is established using one of EAP-TTLS and PEAP.
  - 7. The method of claim 1, further comprising:
    - in response to a determination that a third encryption key is available for the wireless node, encrypting the third encryption key using the first encryption key and propagating the encrypted third encryption key toward the wireless node.
  - 8. The method of claim 1, wherein the wireless node comprises an access node portion and a supplicant node portion, wherein the supplicant node portion is adapted to derive the first encryption key for use in decrypting the encrypted second encryption key.

9. An apparatus for authenticating a target node requesting to join a network, comprising:
- means for receiving, at an authentication server node, an authentication request from the wireless node;
  
  means for negotiating at least one authentication parameter with the wireless node;
  
  means for deriving a first encryption key using the at least one authentication parameter, wherein the first encryption key is independently derived at the wireless node;
  
  means for encrypting a second encryption key using the first encryption key; and
  
  means for propagating the encrypted second encryption key toward the wireless node.

10. A method for authenticating a wireless node requesting to join a network, comprising:
- negotiating at least one authentication parameter with an authentication server node;
  
  deriving, at the wireless node, a first encryption key, wherein the first encryption key is derived using the at least one authentication parameter, wherein the first encryption key is independently derived at the authentication server node; and
  
  receiving, from the authentication server node, a message including an encrypted second encryption key, wherein the encrypted second encryption key is encrypted using the first encryption key, wherein the second encryption key is adapted for use by the node in communicating with at least one other node of the network.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, further comprising:
    - decrypting the encrypted second encryption key using the first encryption key; and
      
      storing the second encryption key in a memory.
  - 12. The method of claim 10, further comprising:
    - receiving, from the authentication node, a message including an encrypted third encryption key, wherein the third encryption key is encrypted using the first encryption key, wherein the third encryption key is adapted for use by the node in communicating with at least one other node of the network;
      
      decrypting the encrypted third encryption key using the first encryption key; and
      
      storing the third encryption key in a memory.
  - 13. The method of claim 11, further comprising:
    - receiving a packet from a wireless user device;
      
      retrieving the second encryption key from the memory;
      
      encrypting the received packet using the second encryption key; and
      
      transmitting the encrypted packet toward another node.
  - 14. The method of claim 11, further comprising:
    - receiving an encrypted packet from another node;
      
      retrieving the second encryption key from the memory;
      
      decrypting the receiving encrypted packet using the second encryption key; and
      
      transmitting the decrypted packet toward a wireless user device for which the packet is intended.
  - 15. The method of claim 10, wherein the first encryption key comprises an Extensible Authentication Protocol (EAP) Pairwise Master Key (PMK).
  - 16. The method of claim 10, wherein the second encryption key comprises one of a unicast encryption key, a multicast encryption key, and a broadcast encryption key.
  - 17. The method of claim 10, wherein negotiating the at least one authentication parameter with the authentication node is performed using an EAP method.
  - 18. The method of claim 10, further comprising:
    - prior to negotiating the at least one authentication parameter with the authentication server node, establishing a secure tunnel between the wireless node and the authentication server node; and
      
      negotiating the at least one authentication parameter with the authentication server node using the secure tunnel.
  - 19. The method of claim 18, wherein the secure tunnel is established using one of EAP-TTLS and PEAP.

20. An apparatus for authenticating a wireless node requesting to join a network, comprising:
- means for negotiating at least one authentication parameter with an authentication server node;
  
  means for deriving, at the wireless node, a first encryption key, wherein the first encryption key is derived using the at least one authentication parameter, wherein the first encryption key is independently derived at the authentication server node; and
  
  means for receiving, from the authentication server node, a message including an encrypted second encryption key, wherein the encrypted second encryption key is encrypted using the first encryption key, wherein the second encryption key is adapted for use by the node in communicating with at least one other node of the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Buddhikot, Milind Madhav, Payette, Charles

Granted Patent

US 9,198,033 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/273
CPC Class Codes

H04L 2209/80   Wireless

H04L 2463/062   applying encryption of the ...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 9/0822   using key encryption key

H04L 9/0833   involving conference or gro...

H04L 9/321   involving a third party or ...

H04L 9/3271   using challenge-response

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 12/069   using certificates or pre-s...

Method and Apparatus for Authenticating Nodes in a Wireless Network

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Authenticating Nodes in a Wireless Network

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links