PRIVATE PAIRWISE KEY MANAGEMENT FOR GROUPS

US 20100220856A1
Filed: 04/28/2009
Published: 09/02/2010
Est. Priority Date: 02/27/2009
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a transceiver;

logic in communication with the transceiver;

wherein the logic is configured to receive data corresponding to keying material derived from a symmetric key generation system for a predefined group; and

wherein the logic is responsive to a signal received from a device via the transceiver indicating the device is a member of the predefined group to generate a session key based on the data corresponding to keying material for the predefined group and an identifier for the device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example embodiment, a key generation system (KGS) is used to generate private pairwise keys between peers belonging to a group. Each member of the group is provisioned with a set of parameters which allows each member to generate a key with any other member of the group; however, no group member can derive a key for pairings involving other group members. The private pairwise keys may be used to derive session keys between peers belonging to the group. Optionally, an epoch value may be employed to derive the private pairwise keys.

92 Citations

View as Search Results

21 Claims

1. An apparatus, comprising:
- a transceiver;
  
  logic in communication with the transceiver;
  
  wherein the logic is configured to receive data corresponding to keying material derived from a symmetric key generation system for a predefined group; and
  
  wherein the logic is responsive to a signal received from a device via the transceiver indicating the device is a member of the predefined group to generate a session key based on the data corresponding to keying material for the predefined group and an identifier for the device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The apparatus of claim 1, wherein the keying material includes an epoch value.
  - 3. The apparatus of claim 1, wherein the logic is operable to update the epoch value and generate a new session key based on updated epoch value.
  - 4. The apparatus of claim 3, wherein the logic is operable to send the updated epoch value to the device via the transceiver.
  - 5. The apparatus of claim 3, wherein the transceiver is in communication with a plurality of devices, the logic is operable to send the updated epoch value to the plurality of devices via the transceiver.
  - 6. The apparatus of claim 3, wherein the logic is operable to update the epoch value after a predetermined time period.
  - 7. The apparatus of claim 3, wherein the logic is operable to update the epoch value during boot up.
  - 8. The apparatus of claim 3, wherein the logic is operable to send data to the device to update the session key upon receipt of the updated epoch value.
  - 9. The apparatus of claim 1, wherein the logic is operable to broadcast one of a group consisting of a beacon frame, a probe request frame and a probe response frame with data representative of the predefined group.
  - 10. The apparatus of claim 1, wherein the logic is operable to determine whether the device is a member of the predefined group from one of a group consisting of a beacon frame, a probe request frame and a probe response frame received via the transceiver from the device.
  - 11. The apparatus of claim 1, wherein the logic is configured with data corresponding to keying material for a plurality of predefined groups;
    - wherein the logic is responsive to determining a selected one of the plurality of predefined groups the device is a member; and
      
      wherein the logic is operable to generate the session key based on the data corresponding to keying material for the selected one of the plurality of predefined groups the device is a member and the identifier for the device.
  - 12. The apparatus of claim 11, wherein the logic is operable to communicate with the device via the transceiver to agree with the device for determining a selected one of the plurality of predefined groups the device is a member.
  - 13. The apparatus of claim 1, wherein the logic is operable to authenticate the device by communicating with the device via the transceiver and determining that the device possesses the same session key.
  - 14. The apparatus of claim 1, wherein the transceiver is a wireless transceiver.
  - 15. The apparatus of claim 14, wherein the logic is operable to authenticate with an authentication server by communicating with a first access point via the wireless transceiver;
    - andthe logic is operable to receive the data corresponding to keying material derived from the symmetric key generation system for the predefined group from the authentication server via the wireless transceiver.
  - 16. The apparatus of claim 15, wherein the logic is operable to determine the wireless transceiver has roamed and is communicating with a second access point to determine whether the second access point belongs to the predefined group;
    - andwherein the logic is operable to generate a pairwise master key for the second access point based on the data corresponding to keying material derived from the symmetric key generation system for the predefined group and an identifier for the second access point.
  - 17. The apparatus of claim 16, wherein the logic is further operable to generate a session key for communicating with the second access point based on the pairwise master key for the second access point, a Medium Access Control address for the second access point, a nonce received from the second access point, a Medium Access Control address for the wireless transceiver, and a nonce generated by the logic sent to the second access point.

18. A method, comprising:
- receiving data for a symmetric key generation system group, the data comprising data representative of an identity of the symmetric key generation system group, data representative of a public identifier, and data representative of a secret key;
  
  detecting another member of the symmetric key generation system group;
  
  exchanging identifiers with the another member;
  
  deriving a pairwise master key based on the secret key and the identifier of the another member; and
  
  deriving a session key from the pairwise master key.
- View Dependent Claims (19, 20, 21)
- - 19. The method set forth in claim 18, wherein the session key is derived from the pairwise master key, a Medium Access Control address associated with a transceiver, a nonce associated with the first transceiver, a Medium Access Control address associated with the another device, and a nonce received from the another device.
  - 20. The method set forth in claim 18, wherein the data for the symmetric key generation system group further comprises an epoch value;
    - andwherein the deriving a pairwise master key is based on the secret key, the identifier of the another member and the epoch value.
  - 21. The method set forth in claim 18, wherein the detecting another member of the symmetric key generation system group comprises receiving data representative of at least one symmetric key generation system group membership from the another member.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
KRUYS, Johannes Petrus, Pritikin, Max, McGrew, David, Weis, Brian, Salowey, Joseph

Granted Patent

US 8,983,066 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/44
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 9/0833   involving conference or gro...

H04L 9/0866   involving user or device id...

H04L 9/321   involving a third party or ...

PRIVATE PAIRWISE KEY MANAGEMENT FOR GROUPS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

92 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

PRIVATE PAIRWISE KEY MANAGEMENT FOR GROUPS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links