Derivation method for cached keys in wireless communication system

US 20090232302A1
Filed: 05/29/2009
Published: 09/17/2009
Est. Priority Date: 10/15/2004
Status: Active Grant

First Claim

Patent Images

1. In a system having an authentication server to generate an authentication key, a plurality of access points hierarchically arranged from the authentication server that is at hierarchy level zero, and a station that communicates with the authentication server through one or more access points of the plurality of access points to communicate information over a wireless network, and wherein the plurality of access points advertise a hierarchy depth (N) for cached keys in which N is greater than one and designates a farthest level of the hierarchy, and the access points also advertise a hierarchically ordered list of identifiers for a derivation path for derived authentication keys, an apparatus comprising:

an authenticator management module in a particular access point of the plurality of access points that generates a transient authentication key from a derived authentication key of N−

1 hierarchy level and when the particular access point lacks a hierarchy level to generate a N−

1 level derived authentication key, the particular access point is to calculate the N−

1 level derived authentication key in order to generate a transient authentication key, so that the station is operable to mutually derive the transient authentication key to establish an authenticated connection within the wireless network through the particular access point; and

a control module coupled to the authenticator management module to control the authenticator management module.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing improved security and improved roaming transition times in wireless networks. The same pairwise master key (PMK) from an authentication server can be used across multiple access points and a new pairwise transition key (PTK) is derived for each association of a station to any of the access points. A plurality of access points are organized in functional hierarchical levels and are operable to advertise an indicator of the PMK cache depth supported by a group of access points (N) and an ordered list of the identifiers for the derivation path. Access points in each level in the cache hierarchy compute the derived pairwise master keys (DPMKs) for devices in the next lower level in the hierarchy and then deliver the DPMKs to those devices. An access point calculates the PTK as part of the security exchange process when the station wishes to associate to the access point. The station also computes the PTK as part of the security exchange process. The station calculates all the DMPKs in the hierarchy as part of computing the PTK. The method and apparatus allow the cache depth to vary per station, but it remains constant for a given station within a key circle.

9 Citations

11 Claims

1. In a system having an authentication server to generate an authentication key, a plurality of access points hierarchically arranged from the authentication server that is at hierarchy level zero, and a station that communicates with the authentication server through one or more access points of the plurality of access points to communicate information over a wireless network, and wherein the plurality of access points advertise a hierarchy depth (N) for cached keys in which N is greater than one and designates a farthest level of the hierarchy, and the access points also advertise a hierarchically ordered list of identifiers for a derivation path for derived authentication keys, an apparatus comprising:
- an authenticator management module in a particular access point of the plurality of access points that generates a transient authentication key from a derived authentication key of N−
  
  1 hierarchy level and when the particular access point lacks a hierarchy level to generate a N−
  
  1 level derived authentication key, the particular access point is to calculate the N−
  
  1 level derived authentication key in order to generate a transient authentication key, so that the station is operable to mutually derive the transient authentication key to establish an authenticated connection within the wireless network through the particular access point; and
  
  a control module coupled to the authenticator management module to control the authenticator management module.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the authentication key is a pairwise master key.
  - 3. The apparatus of claim 1, wherein the derived authentication key is a derived pairwise master key.
  - 4. The apparatus of claim 1, wherein the transient authentication key is a pairwise transient key.
  - 5. The apparatus of claim 1, wherein the system includes one or more controllers at level 1 to generate derived authentication key or keys.
  - 6. The apparatus of claim 1, wherein the system includes a plurality of controllers organized at more than one hierarchy level and wherein controllers in more than one hierarchy level compute derived authentication keys.
  - 7. The apparatus of claim 6, wherein at least one of the controllers is at a same hierarchy level as one of the access points.

8. In a system having an authentication server to generate an authentication key, a plurality of access points hierarchically arranged from the authentication server that is at hierarchy level zero, and a station that communicates with the authentication server through one or more access points of the plurality of access points to communicate information over a wireless network, and wherein the plurality of access points advertise a hierarchy depth (N) for cached keys in which N is greater than one and designates a farthest level of the hierarchy, and the access points also advertise a hierarchically ordered list of identifiers for a derivation path for derived authentication keys, a method comprising:
- initiating an association between the station and a particular access point, thereby causing the authentication server to generate an authentication key;
  
  storing the authentication key in a controller and generating derived authentication keys therefrom;
  
  receiving the derived authentication key in a particular access point in the plurality of access points, wherein the particular access point generates a transient authentication key for use by the station from a derived authentication key of N−
  
  1 hierarchy level and when the particular access point lacks a hierarchy level to generate a N−
  
  1 level derived authentication key, the particular access point is to calculate the N−
  
  1 level derived authentication key in order to generate the transient authentication key; and
  
  associating the station with the particular access point and receiving the transient authentication key.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, wherein the authentication key is a pairwise master key.
  - 10. The method of claim 8, wherein the derived authentication key is a derived pairwise master key.
  - 11. The method of claim 8, wherein the transient authentication key is a pairwise transient key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Ptasinski, Henry S.

Granted Patent

US 7,936,879 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/44
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 2463/061   applying further key deriva...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0892   by using authentication-aut...

H04L 9/0836   using tree structure or hie...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 84/12   WLAN [Wireless Local Area N...

Derivation method for cached keys in wireless communication system

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Derivation method for cached keys in wireless communication system

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links