Authentication of 6LoWPAN Nodes Using EAP-GPSK

US 20090103731A1
Filed: 10/23/2007
Published: 04/23/2009
Est. Priority Date: 10/23/2007
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

at least one processor; and

instructions when executed by the at least one processor promote exchanging extensible authentication protocol (EAP) messages for authentication by sending a plurality of data packets formatted in accordance with an IEEE 802.15.4 standard, wherein EAP messages are encapsulated within a data field of the IEEE 802.15.4 standard data packet and wherein the encapsulated EAP message comprises an EAP header and a data portion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided that includes at least one processor and instructions that when executed by the processor promote exchanging extensible authentication protocol (EAP) messages for authentication by sending a plurality of data packets formatted in accordance with an IEEE 802.15.4 standard. The EAP messages are encapsulated within a data field of the IEEE 802.15.4 standard data packet and wherein the encapsulated EAP message comprises an EAP header and a data portion.

54 Citations

View as Search Results

20 Claims

1. A system, comprising:
- at least one processor; and
  
  instructions when executed by the at least one processor promote exchanging extensible authentication protocol (EAP) messages for authentication by sending a plurality of data packets formatted in accordance with an IEEE 802.15.4 standard, wherein EAP messages are encapsulated within a data field of the IEEE 802.15.4 standard data packet and wherein the encapsulated EAP message comprises an EAP header and a data portion.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the EAP header includes a code field that indicates the type of EAP message, an identifier field identifies an EAP requestor device, and a length field defines the length of the encapsulated EAP message.
  - 3. The system of claim 2, wherein the code field is one octet in size, the identifier field is one octet in size, and the length field is two octets in size.
  - 4. The system of claim 2, wherein the EAP header further includes a type field that identifies a EAP general pre-shared key (GPSK) type.
  - 5. The system of claim 4, wherein when the type field identifies an EAP general pre-shared key 1 type, the data portion comprises a cipher suite list field containing only one cipher suite identifier, a server random nonce field having 16 octets, and a server identity field having 16 octets, wherein the server identity field contains a 128-bit Internet protocol version 6 address.
  - 6. The system of claim 4, wherein when the type field identifies an EAP general pre-shared key 2 type, the data portion comprises a selected cipher suite field of zero length, a client nonce field containing only 16 octets, and a client identity field having 8 octets, wherein the client identity field contains an IEEE 64-bit extended MAC address.
  - 7. The system of claim 1, wherein the system is one of plurality of wireless devices of an Internet protocol version 6 (IPv6) over low power wireless personal area network (6LoWPAN).

8. A method of authenticating a wireless device, comprising:
- configuring an authentication server and the wireless device with a pre-shared key (PSK);
  
  sending a first extensible authentication protocol (EAP) request message encapsulated in an IEEE 802.15.4 packet, the first EAP request message comprising an EAP header and a data portion comprising an identity of the authentication server and a server random nonce;
  
  determining a plurality of keys based on the PSK, the identity of the authentication server, and the server random nonce;
  
  determining a first message integrity code (MIC) based on the identity of the authentication server, the server random nonce, and one of the plurality of keys determined based on the PSK;
  
  sending a first EAP response message encapsulated in an IEEE 802.1 packet, the first EAP response message comprising an EAP header and a data portion comprising a client random nonce, a selected cipher suite identity, and the first message integrity code (MIC);
  
  determining a second MIC based on the identity of the authentication server, the server random nonce, and one of the plurality of keys determined based on the PSK; and
  
  determining that the wireless device passes authentication based in part on comparing the second MIC with the first MIC contained in the first EAP response message.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, further including:
    - determining a third MIC based on the selected cipher suite identity and one of the plurality of keys determined based on the PSK;
      
      sending a second EAP request message encapsulated in an IEEE 802.1 packet, the second EAP request message comprising an EAP header and a data portion comprising the third MIC;
      
      sending a second EAP response message encapsulated in an IEEE 802.1 packet; and
      
      sending an access-accept message to a personal area network (PAN) coordinator that performs communication gateway functions for the wireless device.
  - 10. The method of claim 9, wherein the data portion of the second EAP request message includes an opcode field identifying a GPSK message type, and a server random nonce field, and a client random nonce field.
  - 11. The method of claim 8, wherein the data portion of the first EAP request message includes an opcode field identifying a GPSK message type, a server identity field, a server random nonce field, and a cipher suite list field.
  - 12. The method of claim 8, wherein the data portion of the first EAP response message includes an opcode field identifying a GPSK message type, a client identity field, a client random nonce field, and a selected cipher suite field.
  - 13. The method of claim 8, wherein the EAP header includes a code field that indicates the type of EAP message, an identifier field identifies an EAP requester device, and a length field defines the length of the encapsulated EAP message.

14. A method of generating a message encryption key and a message authentication key, comprising:
- sending a first extensible authentication protocol (EAP) key message encapsulated in an IEEE 802.15.4 packet, the first EAP key message comprising an EAP header and a data portion comprising an initiator random nonce and an initiator identity;
  
  deriving a plurality of keys based on the initiator random nonce;
  
  sending a second EAP key message encapsulated in an IEEE 802.15.4 packet, the second EAP key message comprising an EAP header and a data portion comprising a responder random nonce and a first message integrity code (MIC) based on the initiator random nonce, the responder random nonce, and the keys derived based on the initiator random nonce;
  
  sending a third EAP key message encapsulated in an IEEE 802.15.4 packet, the third EAP key message comprising an EAP header and a data portion containing a second MIC; and
  
  deriving the encryption key and the message authentication key based on a temporal key (TK), wherein the temporal key is one of the plurality of keys derived based on the initiator random nonce.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein the first, second, and third EAP key messages include a descriptor type field that identifies each message as one of an EAP SAP-1 type message, an EAP SAP-2 type message, and an EAP SAP-3 type message.
  - 16. The method of claim 14, wherein the EAP header comprises a code field that indicates the type of EAP message, an identifier field identifies an EAP requester device, and a length field defines the length of the encapsulated EAP message.
  - 17. The method of claim 14, further including receiving an access-accept message from an authentication server containing a master session key (MSK), wherein deriving the plurality of keys is further based on the MSK.
  - 18. The method of claim 14, wherein deriving the plurality of keys comprises determining a 96-octet key string based on the MSK, the initiator random nonce, the responder random nonce, wherein the plurality of keys are contained in the 96-octet key string.
  - 19. The method of claim 18 wherein the TK is a 16-octet substring of the 96-octet key string defined as 96-octet key string[80.95].
  - 20. The method of claim 14 wherein a 32-octet key string is determined based on the TK, the initiator random nonce, the initiator identity, the responder random nonce, and the responder identity, wherein the encryption key is defined as a 16-octet substring of the 32-octet key string[0 . . . 15], and wherein the message authentication key is defined as a 16-octet substring of the 32-octet key string[16 . . . 31].

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Inventors
Sarikaya, Behcet

Granted Patent

US 7,941,663 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/270
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/162   at the data link layer

H04L 9/0836   using tree structure or hie...

H04L 9/14   using a plurality of keys o...

H04L 9/3236   using cryptographic hash fu...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 84/12   WLAN [Wireless Local Area N...

Authentication of 6LoWPAN Nodes Using EAP-GPSK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

54 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication of 6LoWPAN Nodes Using EAP-GPSK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links