END-TO-END SECURITY IN AN IEEE 802.11 COMMUNICATION SYSTEM

  • US 20150124966A1
  • Filed: 04/15/2013
  • Published: 05/07/2015
  • Est. Priority Date: 04/13/2012
  • Status: Abandoned Application
First Claim

1. A communication network (400) comprising a front-end network communication device (100A, 200A) arranged to operate as a front-end access point for establishing at least one data connection (430), such as an IEEE 802.11 data connection (430), between at least one mobile communications terminal (420) and at least one back-end network communication device (100B, 200A), wherein said front-end network communication device (100A) comprises a memory (240), a controller (210) and a data port and said back-end network communication device (100B) comprises a memory (240), a controller (210) and a data port

wherein said front-end network communication device (100A) has a primary purpose and said at least one data connections (430) is for a secondary purpose associated with said at least one back-end network communication devices (100B),

wherein said primary purpose is to provide one or more primary users with data communication services, and at least one of said primary users is in physical control of said front-end network communications device (100A), and said front-end network communications device (100A) is arranged with access to primary encryption keys necessary for communication with said one or more primary users, and

wherein said secondary purpose is to provide one or more secondary users access to secondary service providers, and

wherein said data connection (430) is established end-to-end by:

  • said front-end network communications device (100A) being configured to

    receive at least one 802.11 frame from said mobile communications terminal (420), said IEEE 802.11 frame comprising an information entity, and

    send a corresponding message to said back-end network communications device (100B), said message comprising said information entity,

    and/or

    receive at least one message from said back-end network communications device (100B), said message comprising an information entity, and

    send a corresponding 802.11 frame to said mobile communications terminal (420), said IEEE 802.11 comprising said information entity,

    said front-end network communications device (100A) thereby being configured to act as a forwarding relay between said at least one mobile communications terminal (420) and said at least one back-end network communications device (100B) and

    wherein

    said back-end network communication device (100B) is configured for;

    sending and receiving messages comprising IEEE 802.11 authentication protocol data to and/or from said at least one mobile communications terminal (420); and

    authenticating said mobile communication terminal (420) and deriving secondary encryption keys based on said IEEE 802.11 authentication protocol data, wherein said back-end network communication device (100B) has access to said secondary encryption keys and said back-end network communication device (100B) is configured to keep said secondary encryption keys secret from the front-end network communications device (100A).
