DISTRIBUTED GROUP TEMPORAL KEY (GTK) STATE MANAGEMENT

US 20130283360A1
Filed: 04/20/2012
Published: 10/24/2013
Est. Priority Date: 04/20/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

determining, by a particular security protocol supplicant in a computer network, a group temporal key (GTK) state at the particular supplicant;

exchanging, by the particular supplicant, the GTK state with one or more neighbor supplicants in the computer network;

determining whether any inconsistencies exist in the GTK state at the particular supplicant based on the exchange; and

in response to determining that any inconsistencies exist in the GTK state, performing, by the particular supplicant, a GTK state synchronization with a security protocol authenticator by indicating to the authenticator what is needed to resolve the inconsistent GTK state at the particular supplicant.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, each security protocol supplicant in a computer network determines its group temporal key (GTK) state, and exchanges the GTK state with one or more neighbor supplicants in the computer network. Based on the exchange, a supplicant may determine whether any inconsistencies exist in its GTK state, and in response to any inconsistencies in the GTK state, may perform a GTK state synchronization with a security protocol authenticator by indicating to the authenticator what is needed to resolve the inconsistent GTK state at the particular supplicant. In another embodiment, the authenticator, which is configured to not store per-supplicant GTK state, may transmit beacons containing GTK identifiers (IDs) of GTKs currently enabled on the authenticator, and also responds to supplicants having inconsistent GTK states with one or more needed GTKs as indicated by the supplicants.

Citations

20 Claims

1. A method, comprising:
- determining, by a particular security protocol supplicant in a computer network, a group temporal key (GTK) state at the particular supplicant;
  
  exchanging, by the particular supplicant, the GTK state with one or more neighbor supplicants in the computer network;
  
  determining whether any inconsistencies exist in the GTK state at the particular supplicant based on the exchange; and
  
  in response to determining that any inconsistencies exist in the GTK state, performing, by the particular supplicant, a GTK state synchronization with a security protocol authenticator by indicating to the authenticator what is needed to resolve the inconsistent GTK state at the particular supplicant.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as in claim 1, wherein exchanging comprises:
    - receiving at least one beacon from at least one neighbor supplicant, each beacon comprising a GTK identifier (ID) for each GTK currently enabled on the neighbor supplicant.
  - 3. The method as in claim 2, wherein exchanging further comprises:
    - transmitting at least one beacon comprising a GTK identifier (ID) for each GTK currently enabled on the particular supplicant to one or more neighbor supplicants in response to a consistent GTK state at the particular supplicant.
  - 4. The method as in claim 2, further comprising:
    - translating between GTK IDs and GTKs using a cryptographic hashing function.
  - 5. The method as in claim 2, wherein each beacon includes a GTK state version that is globally established by the authenticator for the GTK IDs.
  - 6. The method as in claim 1, wherein determining whether any inconsistencies exist comprises:
    - determining, for each neighbor supplicant, whether each GTK identifier (ID) of each GTK currently enabled on the particular supplicant matches a GTK ID of a GTK currently enabled on the neighbor supplicant.
  - 7. The method as in claim 1, wherein determining whether any inconsistencies exist comprises:
    - determining, for each neighbor supplicant, whether a GTK state version number at the particular supplicant is equal to or newer than a GTK state version number of the neighbor supplicant.
  - 8. The method as in claim 1, wherein indicating to the authenticator what is needed to resolve the inconsistent GTK state comprises:
    - transmitting to the authenticator a GTK bitmap that indicates each GTK needed by the particular supplicant.
  - 9. The method as in claim 1, further comprising:
    - performing, by the particular supplicant, a GTK state synchronization with the authenticator independently of determining that any inconsistencies exist in the GTK state.
  - 10. The method as in claim 9, wherein performing the GTK state synchronization with the authenticator independently of determining that any inconsistencies exist in the GTK state is in response to either having no GTK state or in response to a trigger to confirm validity of neighbor supplicant GTK state.
  - 11. The method as in claim 9, wherein performing the GTK state synchronization with the authenticator independently determining that any inconsistencies exist in the GTK state comprises:
    - sending each GTK identifier (ID) of each GTK currently enabled on the particular supplicant to the authenticator; and
      
      receiving an indication of which, if any, GTK IDs are inconsistent from the authenticator.

12. A method, comprising:
- transmitting at least one beacon comprising a group temporal key (GTK) identifier (ID) of each GTK currently enabled on a security protocol authenticator configured to not store per-supplicant GTK state;
  
  receiving a GTK state synchronization request from a particular security protocol supplicant with an inconsistent GTK state;
  
  determining, from the request, what one or more GTKs are needed to resolve the inconsistent GTK state at the particular supplicant; and
  
  replying to the particular supplicant with the one or more needed GTKs.
- View Dependent Claims (13, 14, 15)
- - 13. The method as in claim 12, wherein determining, from the request, what one or more GTKs are needed to resolve the inconsistent GTK state at the particular supplicant comprises:
    - interpreting a GTK bitmap from the request that indicates the GTKs needed.
  - 14. The method as in claim 12, further comprising:
    - receiving GTK IDs of GTKs currently enabled on the particular supplicant at the authenticator;
      
      determining which, if any, GTK IDs are inconsistent from GTKs currently enabled on the authenticator; and
      
      replying to the particular supplicant with an indication of which, if any, GTK IDs are inconsistent from GTKs currently enabled on the authenticator.
  - 15. The method as in claim 12, wherein replying to the particular supplicant with the one or more needed GTKs comprises:
    - replying to the particular supplicant without an acknowledgment from the particular supplicant that the particular supplicant received the reply.

16. An apparatus, comprising:
- one or more network interfaces to communicate within a computer network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a supplicant process executable by the processor, the process when executed operable to;
  
  determine a group temporal key (GTK) state of the supplicant process;
  
  exchange the GTK state with one or more neighbor supplicants in the computer network;
  
  determine whether any inconsistencies exist in the GTK state of the supplicant process based on the exchange; and
  
  in response to determining that any inconsistencies exist in the GTK state, perform a GTK state synchronization with a security protocol authenticator by indicating to the authenticator what is needed to resolve the inconsistent GTK state of the supplicant process.
- View Dependent Claims (17, 18, 19)
- - 17. The apparatus as in claim 16, wherein the process when executed to exchange is further operable to:
    - receive at least one beacon from at least one neighbor supplicant, each beacon comprising a GTK identifier (ID) for each GTK currently enabled on the neighbor supplicant; and
      
      transmit at least one beacon comprising a GTK ID for each GTK currently enabled on the supplicant process to one or more neighbor supplicants in response to a consistent GTK state at the particular supplicant.
  - 18. The apparatus as in claim 16, wherein the process when executed to determine whether any inconsistencies exist is further operable to:
    - determine, for each neighbor supplicant, whether each GTK identifier (ID) of each GTK currently enabled on the supplicant process matches a GTK ID of a GTK currently enabled on the neighbor supplicant; and
      
      determine, for each neighbor supplicant, whether a GTK state version number at the supplicant process is equal to or newer than a GTK state version number of the neighbor supplicant.
  - 19. The apparatus as in claim 16, wherein the process when executed to indicate to the authenticator what is needed to resolve the inconsistent GTK state is further operable to:
    - transmit to the authenticator a GTK bitmap that indicates each GTK needed by the supplicant process.

20. An apparatus, comprising:
- one or more network interfaces to communicate within a computer network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store an authenticator process executable by the processor, the process when executed operable to;
  
  transmit at least one beacon comprising a group temporal key (GTK) identifier (ID) of each GTK currently enabled by the authenticator process, the authenticator process configured to not store per-supplicant GTK state;
  
  receive a GTK state synchronization request from a particular security protocol supplicant with an inconsistent GTK state;
  
  determine, from the request, what one or more GTKs are needed to resolve the inconsistent GTK state at the particular supplicant; and
  
  reply to the particular supplicant with the one or more needed GTKs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Hui, Jonathan W., Ahuja, Anjum, Kondaka, Krishna, Hong, Wei

Granted Patent

US 8,800,010 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 9/0866 involving user or device id...

DISTRIBUTED GROUP TEMPORAL KEY (GTK) STATE MANAGEMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DISTRIBUTED GROUP TEMPORAL KEY (GTK) STATE MANAGEMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links