ENHANCED SECURE PROVISIONING FOR HOTSPOTS
First Claim
1. A method comprising:
deploying, by an access point, a master secret and a first public key-private key pair to an intermediate device accessible to a client device, the first public key-private key pair comprising a first public key and a first private key;
receiving an uplink request from the client device, the uplink request comprising a second public key of a second public key-private key pair provided by the intermediate device;
authenticating the client device using the second public key from the received uplink request;
sending a downlink response to the device based on the client device being authenticated; and
initiating, in response to the downlink response being sent, an association with the client device to permit the client device to connect to a network associated with the access point.
Abstract
A ticket-based shared secret authentication is provided. A client device receives a ticket, and performs an authentication with an access point using the ticket. The access point deploys a first public key-private key pair to an intermediate device. The intermediate device and access point share a master secret to protect information in the ticket. The access point receives an association request from the client device that includes a nonce public key and a signature using a second public key-private key pair provided by the intermediate device. The access point authenticates the client device using the nonce public key. The access point sends an association response to the client device based on the authentication and a signature using the first public key-private key pair. The access point initiates an association with the client device to permit the client device to connect to a network associated with the access point.
22 Claims
1. A method comprising:
deploying, by an access point, a master secret and a first public key-private key pair to an intermediate device accessible to a client device, the first public key-private key pair comprising a first public key and a first private key;
receiving an uplink request from the client device, the uplink request comprising a second public key of a second public key-private key pair provided by the intermediate device;
authenticating the client device using the second public key from the received uplink request;
sending a downlink response to the device based on the client device being authenticated; and
initiating, in response to the downlink response being sent, an association with the client device to permit the client device to connect to a network associated with the access point.
Dependent claims: 2 to 12.
13. An access point comprising:
one or more processors; and
a memory comprising instructions stored thereon that, when executed by the one or more processors, cause the one or more processors to perform operations, the operations comprising:
generating a master secret and a first public key-private key pair, the first public key-private key pair comprising an access point private key;
deploying the master secret and the first public key-private key pair to an intermediate device accessible to a client device;
receiving an association request from the client device, the association request including an encrypted nonce public key and a device signature;
decrypting the encrypted nonce public key using the master secret;
verifying the device signature using the decrypted nonce public key;
generating an access point ephemeral public key-private key pair;
encrypting an access point signature with an access point private key;
providing an access point ephemeral public key of the access point ephemeral public key-private key pair and the encrypted access point signature to the client device; and
initiating an association with the client device using one or more ephemeral keys exchanged with the client device.
Dependent claims: 14 to 19.
20. A method comprising:
receiving, by a device, a ticket from an intermediate device, the ticket comprising a nonce private key, an encrypted nonce public key, an access point public key, and an expiration time associated with the ticket;
generating, by the device, a device ephemeral public key-private key pair;
generating, by the device, a random challenge;
encrypting, by the device, a device signature using the nonce private key;
providing, by the device to an access point, the encrypted nonce public key, a device ephemeral public key of the device ephemeral public key-private key pair, the random challenge, and the encrypted device signature;
receiving an access point signature from the access point;
verifying the access point signature using the access point public key; and
obtaining access to a network associated with the access point by an association with the access point.
Dependent claims: 21 and 22.
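The exchange of claims 13 and 20 worked through as an added illustrative model; this is not the patent's own implementation and every function name is hypothetical. The claims name no algorithms, so Ed25519 for the nonce and access point signatures, X25519 for the ephemeral keys and AES-256-GCM under the master secret are assumptions, and the ticket's expiration time is omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)
// AES-256-GCM under the master secret, random 12-byte IV prefixed (assumed; the claims say only "encrypted").
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt []byte) []byte { iv := make([]byte, 12); rand.Read(iv); return gcm(key).Seal(iv, iv, pt, nil) }
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 { return nil, errors.New("short ciphertext") }
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }
// IssueTicket runs on the intermediate device holding the deployed master secret; the ticket of claim 20 (AP public key and expiry omitted here) is the nonce private key plus the nonce public key sealed under the master secret.
func IssueTicket(master []byte) (noncePriv ed25519.PrivateKey, encNoncePub []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv, seal(master, pub)
}
// ClientRequest (uplink, claim 20): ephemeral X25519 key and random challenge, signed with the nonce private key.
func ClientRequest(noncePriv ed25519.PrivateKey) (eph *ecdh.PrivateKey, challenge, sig []byte) {
	eph, _ = ecdh.X25519().GenerateKey(rand.Reader)
	challenge = make([]byte, 32)
	rand.Read(challenge)
	return eph, challenge, ed25519.Sign(noncePriv, cat(eph.PublicKey().Bytes(), challenge))
}
// APHandle (claim 13): open the nonce public key with the master secret, verify the device signature, then reply with an AP ephemeral key signed together with the challenge under the AP private key.
func APHandle(master []byte, apPriv ed25519.PrivateKey, encNoncePub, clientEph, challenge, sig []byte) ([]byte, []byte, []byte, error) {
	noncePub, err := open(master, encNoncePub)
	peer, perr := ecdh.X25519().NewPublicKey(clientEph)
	if err != nil || perr != nil || len(noncePub) != ed25519.PublicKeySize || !ed25519.Verify(noncePub, cat(clientEph, challenge), sig) {
		return nil, nil, nil, errors.New("client authentication failed")
	}
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	shared, _ := eph.ECDH(peer) // the exchanged ephemeral keys that key the association
	apEph := eph.PublicKey().Bytes()
	return apEph, ed25519.Sign(apPriv, cat(apEph, challenge)), shared, nil
}
// ClientFinish: verify the AP signature with the AP public key carried in the ticket, then derive the same shared key.
func ClientFinish(apPub ed25519.PublicKey, eph *ecdh.PrivateKey, challenge, apEph, apSig []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(apEph)
	if err != nil || !ed25519.Verify(apPub, cat(apEph, challenge), apSig) {
		return nil, errors.New("access point authentication failed")
	}
	return eph.ECDH(peer)
}
```

Because the signed material on both sides includes the peer's ephemeral public key and the client's challenge, a relayed or replayed downlink fails verification at the client, and a ticket sealed under a different master secret fails at the access point.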