SUPPORT OF MULTIPLE PRE-SHARED KEYS IN ACCESS POINT

US 20100115278A1
Filed: 01/26/2009
Published: 05/06/2010
Est. Priority Date: 11/04/2008
Status: Active Grant

First Claim

Patent Images

1. A method of operating a device configured as an access point, the access point being provisioned with a plurality of pre-shared keys, and the method comprising:

receiving a request for a connection to the access point from at least one client device, the request comprising a portion generated with a key;

determining whether the portion comprises information that matches information generated with a key from the plurality of pre-shared keys provisioned to the access point;

when it is determined that the information of the portion matches the information generated with the key from the plurality of pre-shared keys, allowing the connection; and

when it is determined that the information of the portion does not match the information generated with the key from the plurality of pre-shared keys, disallowing the connection.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of operating an access point (AP) configured to support multiple pre-shared keys at a given time to authenticate its associated client devices. Each client device associated with the AP is provisioned with a key. To authenticate the client device tat attempts to connect to the AP, the AP determines which pre-shared key (PSK) of the multiple supported pre-shared keys (PSKs). if any, matches information including the key received from the client device. When the information matches, the client device is allowed to connect to the AP. Provisioning the AP with multiple PSKs allows selectively disconnecting associated client devices from the AP. The AP may be configured to support PSKs of different lifetime and complexity. Removing a PSK of the multiple PSKs supported by the AP and disconnecting a client device that uses this PSK does not disconnect other client devices using different keys to access the AP.

83 Citations

View as Search Results

20 Claims

1. A method of operating a device configured as an access point, the access point being provisioned with a plurality of pre-shared keys, and the method comprising:
- receiving a request for a connection to the access point from at least one client device, the request comprising a portion generated with a key;
  
  determining whether the portion comprises information that matches information generated with a key from the plurality of pre-shared keys provisioned to the access point;
  
  when it is determined that the information of the portion matches the information generated with the key from the plurality of pre-shared keys, allowing the connection; and
  
  when it is determined that the information of the portion does not match the information generated with the key from the plurality of pre-shared keys, disallowing the connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the plurality of pre-shared keys comprise at least one of a long term pre-shared key and a short term pre-shared key.
  - 3. The method of claim 1, further comprising, in response to a request to remove a selected pre-shared key from the plurality of pre-shared keys:
    - removing the selected pre-shared key from the plurality of pre-shared keys;
      
      determining whether the at least one client device uses the selected pre-shared key; and
      
      when it is determined that the at least one client device uses the selected pre-shared key, disconnecting the at least one client device.
  - 4. The method of claim 3, wherein the request to remove the selected pre-shared key is performed by a user via a user interface.
  - 5. The method of claim 3, wherein:
    - keys of the plurality of pre-shared keys have a time-to-live value associated therewith, andthe request to remove the selected pre-shared key is generated in response to a determination that a time-to-live of the selected pre-shared key is expired.
  - 6. The method of claim 1, wherein:
    - receiving the request comprises receiving the request in accordance with a WPA or WPA2 protocol.
  - 7. The method of claim 6, further comprising:
    - when the connection is allowed, sending a farther message in accordance with the WPA or WPA2 protocol.
  - 8. The method of claim 1, further comprising, when the at least one client device comprises a plurality of client devices connected to the access point:
    - removing the pre-shared key associated with at least one of the plurality of clients; and
      
      selectively breaking down the connection to the at least one of the plurality of clients without disrupting connections to others of the plurality of client devices.
  - 9. The method of claim 8, removing the pre-shared key comprises removing a pre-shared key when a lifetime of the pre-shared key is expired and/or when the pre-shared key used by the at least one client device is removed from the plurality of pre-shared keys.
  - 10. The method of claim 1, further comprising, when it is determined that the pre-shared key matches the key from the plurality of pre-shared keys, generating a group key for the at least one client device.

11. An apparatus configured as an access point, the apparatus comprising:
- computer memory configured to store a plurality of pre-shared keys;
  
  an interface configured to receive a request for a connection to the access point from at least one client device, the request comprising information generated with a key; and
  
  control logic configured to;
  
  determine whether the information generated with the key matches information generated with a key from the plurality of pre-shared keys;
  
  when it is determined that the information generated with the key matches the information generated with the key from the plurality of pre-shared keys, allowing the connection; and
  
  when it is determined that the information generated with the key does not match the information generated with the key from the plurality of pre-shared keys, disallowing the connection.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, wherein the computer memory further comprises:
    - a plurality data structures configured to store information on client devices connected to the access point, each data structure from the plurality data structures storing an identifier of a client device and a pre-shared key used by the client device.
  - 13. The apparatus of claim 11, wherein:
    - the information generated with the key comprises a signature of a message comprising the request; and
      
      determining whether the information generated with the key matches the information generated with the key from the plurality of pre-shared keys comprises computing a signature of the message with information generated with keys from the plurality of pre-shared keys.
  - 14. The apparatus of claim 11, wherein the control logic is configured to, in response to a request to remove a selected pre-shared key from the plurality of pre-shared keys:
    - remove the selected pre-shared key from the plurality of pre-shared keys;
      
      determine whether the at least one client device uses the selected pre-shared key; and
      
      when it is determined that the at least one client device uses the selected pre-shared key, instruct disconnection of the at least one client device.
  - 15. The apparatus of claim 11, wherein the access point comprises a Wi-Fi enabled device and the at least one client device comprises a Wi-Fi enabled client device.

16. A computer-storage medium encoded with computer-executable instructions for performing, when executed, a method of operating an access point, the method comprising:
- provisioning the access point with a plurality of pre-shared keys;
  
  receiving a request for a connection to the access point from a client device, the request comprising information generated with a key;
  
  determining whether the key matches a key from the plurality of pre-shared keys provisioned to the access point;
  
  when it is determined that the key matches the key from the plurality of pre-shared keys, allowing the connection, the allowing comprising generating one or more keys based on the matching pre-shared key for subsequent communication with the client device; and
  
  when it is determined that the pre-shared key does not match the key from the plurality of pre-shared keys, disallowing the connection
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-storage medium of claim 16, wherein provisioning the access point with the plurality of the pre-shared keys comprises receiving a plurality of calls through a programming interface, each call identifying a pre-shared key to be stored in the access point.
  - 18. The computer-storage medium of claim 17, wherein:
    - the computer-storage medium is further encoded with computer-executable instructions that, when executed, construct a data structure for each allowed connection, the data structure comprising at least one field identifying a pre-shared key of the plurality of pre-shared keys used in forming the connection.
  - 19. The computer-storage medium of claim 16, wherein receiving the request comprises receiving the request in accordance with the WPA or WPA2 protocol.
  - 20. The computer-storage medium of claim 16, wherein:
    - the plurality of pre-shared keys comprises at least one short-term key having a lifetime associated therewith; and
      
      the computer-storage medium is further encoded with computer executable instructions that, when executed, selectively break down the connection when the lifetime of the short-term key is expires and/or when the short-term key used by at least one client device is removed from the plurality of pre-shared keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Jiang, Xiong, Liu, Hong, Shen, Hui, Banerjee, Anirban, Mandhana, Taroon

Granted Patent

US 8,898,474 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0844   with user authentication or...

H04W 12/0431   Key distribution or pre-dis...

H04W 88/08   Access point devices

SUPPORT OF MULTIPLE PRE-SHARED KEYS IN ACCESS POINT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SUPPORT OF MULTIPLE PRE-SHARED KEYS IN ACCESS POINT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links