METHOD AND SYSTEM FOR AUTHENTICATING PEER DEVICES USING EAP

US 20130097422A1
Filed: 12/03/2012
Published: 04/18/2013
Est. Priority Date: 02/09/2007
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a peer device onto a network having an authenticator and an authentication server, the authentication server supporting modifications to Extensible Authentication Protocol (EAP), the network being accessible through an access point associated with the authenticator, the method including steps of:

exchanging EAP-specific authentication messages between the peer device and the authentication server via the authenticator;

generating keying material in the peer device, wherein the authentication server generates said keying material and an associated key lifetime in the authentication server, and communicates said keying material and said associated key lifetime from the authentication server to the authenticator;

receiving an EAP Success packet from the authenticator to the peer device following the exchange of EAP-specific authentication messages, wherein the EAP Success packet contains said associated key lifetime, to complete authentication to grant the peer device unblocked access to the network; and

detecting an active media session on the peer device, waiting for termination of the active media session, and in response to said termination, establishing re-authentication with the authentication server via the authenticator prior to expiration of the associated key lifetime.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authenticating a peer device onto a network using Extensible Authentication Protocol (EAP). The key lifetime associated with the keying material generated in the peer device and the authentication server is communicated from the authenticator to the peer device within the EAP Success message. The peer device, having been provided with the key lifetime, can anticipate the termination of its authenticated session and initiate re-authentication prior to expiry of the key lifetime.

23 Citations

View as Search Results

23 Claims

1. A method for authenticating a peer device onto a network having an authenticator and an authentication server, the authentication server supporting modifications to Extensible Authentication Protocol (EAP), the network being accessible through an access point associated with the authenticator, the method including steps of:
- exchanging EAP-specific authentication messages between the peer device and the authentication server via the authenticator;
  
  generating keying material in the peer device, wherein the authentication server generates said keying material and an associated key lifetime in the authentication server, and communicates said keying material and said associated key lifetime from the authentication server to the authenticator;
  
  receiving an EAP Success packet from the authenticator to the peer device following the exchange of EAP-specific authentication messages, wherein the EAP Success packet contains said associated key lifetime, to complete authentication to grant the peer device unblocked access to the network; and
  
  detecting an active media session on the peer device, waiting for termination of the active media session, and in response to said termination, establishing re-authentication with the authentication server via the authenticator prior to expiration of the associated key lifetime.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further including the step of conducting a first Secure Association Protocol to complete said authentication and grant the peer device unblocked access to the network after communication of the EAP Success packet to the peer device.
  - 3. The method of claim 2, wherein said keying material comprises a master session key (MSK), and wherein the first Secure Association Protocol comprises a 4-way handshake, which includes deriving a pairwise master key (PMK) from the MSK, and generating a transient session key (TSK) from the PMK, and wherein the TSK is used for encrypting subsequent communications between the peer device and the access point.
  - 4. The method of claim 3, wherein the key lifetime associated with the MSK is associated with each key derived from the MSK, including the PMK and TSK.
  - 5. The method of claim 1, wherein the EAP Success packet is modified to include a code field and a data field, said code field containing a success indicator and said data field containing said associated key lifetime.
  - 6. The method of claim 1, further including, prior to expiration of the associated key lifetime, the peer device initiating a further EAP authentication exchange with the authentication server to re-authenticate the peer device and to generate new keying material and a new associated key lifetime.
  - 7. The method of claim 1, further comprising displaying on a display of the peer device a timer indicating a time remaining in the key lifetime.

8. A peer device for communicating with a communications system including a network having an access point, an authenticator associated with the access point, and an authentication server connected to the network and configured to communicate with the authenticator, the authentication server being configured to support modifications to Extensible Authentication Protocol (EAP), the peer device comprising:
- a processor configured to connect to said access point and exchange EAP-specific authentication messages with the authentication server via the authenticator, and configured to generate keying material, wherein the authentication server is configured to generate said keying material and an associated key lifetime, and to communicate said keying material and said associated lifetime to the authenticator;
  
  the processor configured to receive an EAP Success packet to the peer device following the exchange of EAP-specific authentication messages, wherein the EAP Success packet contains said associated key lifetime, to complete authentication to grant the peer device unblocked access to the network,and wherein the processor is further configured to detect an active media session on the peer device, wait for termination of the active media session, and in response to said termination, establish re-authentication with the authentication server via the authenticator prior to expiration of the associated key lifetime.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The peer device of claim 8, wherein said processor is configured to engage in a first Secure Association Protocol with the authenticator to complete said authentication and grant the peer device unblocked access to the network.
  - 10. The peer device of claim 9, wherein said keying material comprises a master session key (MSK), and wherein the first Secure Association Protocol comprises a 4-way handshake, which includes deriving a pairwise master key (PMK) from the MSK, and generating a transient session key (TSK) from the PMK, and wherein the TSK is used for encrypting subsequent communications between the peer device and the access point.
  - 11. The peer device of claim 10, wherein the key lifetime associated with the MSK is associated with each key derived from the MSK, including the PMK and TSK.
  - 12. The peer device of claim 8, wherein the EAP Success packet is modified to include a code field and a data field, said code field containing a success indicator and said data field containing said associated key lifetime.
  - 13. The peer device of claim 8, wherein the processor is further configured to initiate a further EAP authentication exchange with the authentication server to re-authenticate the peer device and to generate new keying material and a new associated key lifetime prior to expiration of the associated key lifetime.
  - 14. The peer device of claim 8, further comprising a manual user selectable input, wherein the processor is further configured to receive through the manual user selectable input a selection for initiating re-authentication.
  - 15. The peer device of claim 8, further comprising a display, and wherein the processor is configured to display a timer indicating a time remaining in the key lifetime.

16. An access point in a network for permitting access by a peer device onto the network, the network including an authentication server supporting modifications to Extensible Authentication Protocol (EAP), the access point comprising:
- an authenticator configured to exchange EAP-specific authentication messages between the authentication server and the peer device, and being configured to receive keying material and an associated key lifetime from the authentication server, the authenticator comprising a component for generating an EAP Success packet and transmitting the EAP Success packet to the peer device following the exchange of EAP-specific authentication messages, wherein the EAP Success packet contains said associated key lifetime, wherein the authenticator is configured to complete authentication to grant the peer device unblocked access to the network, and wherein the authenticator is configured to establish re-authentication with the authentication server and the peer device prior to expiration of the associated key lifetime initiated by the peer device in response to the peer device waiting for and detecting termination of an active media session on the peer device.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The access point of claim 16, wherein the EAP Success packet is modified to include a code field and a data field, said code field containing a success indicator and said data field containing said associated key lifetime.
  - 18. The access point of claim 16, wherein the keying material comprises a master session key (MSK), wherein the Secure Association Protocol comprises a 4-way handshake, which includes deriving a pairwise master key (PMK) from the MSK, and generating a transient session key (TSK) from the PMK, and wherein the TSK is used for encrypting subsequent communications between the peer device and the access port.
  - 19. The access point of claim 18, wherein the key lifetime associated with the MSK is associated with each key derived from the MSK, including the PMK and TSK.
  - 20. The access point of claim 16, wherein the authenticator is configured to implement 802.1X for permitting access to the network by the peer device.

21. A method at an access point in a network for permitting access by a peer device onto the network, the network comprising an authentication server supporting modifications to Extensible Authentication Protocol (EAP), the method comprising:
- exchanging EAP-specific authentication messages between the authentication server and the peer device;
  
  receiving keying material and an associated key lifetime from the authentication server;
  
  generating an EAP Success packet;
  
  transmitting the EAP Success packet to the peer device following the exchange of EAP-specific authentication messages, wherein the EAP Success packet contains said associated key lifetime;
  
  completing authentication to grant the peer device unblocked access to the network; and
  
  establishing re-authentication with the authentication server and the peer device prior to expiration of the associated key lifetime initiated by the peer device in response to the peer device waiting for and detecting termination of an active media session on the peer device.
- View Dependent Claims (22)
- - 22. The method of claim 21, wherein the access point is configured to implement 802.1X for permitting access to the network by the peer device.

23. A non-transitory computer readable medium comprising program code executable by a processor of a peer device for authenticating the peer device onto a network having an authenticator and an authentication server, the authentication server supporting modifications to Extensible Authentication Protocol (EAP), the network being accessible through an access point associated with the authenticator, the code comprising:
- computer executable instructions for exchanging EAP-specific authentication messages between the peer device and the authentication server via the authenticator;
  
  computer executable instructions for generating keying material in the peer device, wherein the authentication server generates said keying material and an associated key lifetime in the authentication server, and communicates said keying material and said associated key lifetime from the authentication server to the authenticator;
  
  computer executable instructions for receiving an EAP Success packet from the authenticator to the peer device following the exchange of EAP-specific authentication messages, wherein the EAP Success packet contains said associated key lifetime, to complete authentication to grant the peer device unblocked access to the network; and
  
  computer executable instructions for detecting an active media session on the peer device, waiting for termination of the active media session, and in response to said termination, establishing re-authentication with the authentication server via the authenticator prior to expiration of the associated key lifetime.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
Salomone, Leonardo Jose Silva

Granted Patent

US 8,850,202 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/068   using time-dependent keys, ...

H04L 63/08   for authentication of entit...

H04L 63/162   at the data link layer

H04L 9/0844   with user authentication or...

H04L 9/088   Usage controlling of secret...

H04L 9/321   involving a third party or ...

METHOD AND SYSTEM FOR AUTHENTICATING PEER DEVICES USING EAP

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

METHOD AND SYSTEM FOR AUTHENTICATING PEER DEVICES USING EAP

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others