ENHANCED SECURE PROVISIONING FOR HOTSPOTS

US 20180020353A1
Filed: 07/14/2017
Published: 01/18/2018
Est. Priority Date: 07/15/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

deploying, by an access point, a master secret and a first public key-private key pair to an intermediate device accessible to a client device, the first public key-private key pair comprising a first public key and a first private key;

receiving an uplink request from the client device, the uplink request comprising a second public key of a second public key-private key pair provided by the intermediate device;

authenticating the client device using the second public key from the received uplink request;

sending a downlink response to the device based on the client device being authenticated; and

initiating, in response to the downlink response being sent, an association with the client device to permit the client device to connect to a network associated with the access point.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A ticket-based shared secret authentication is provided. A client device receives a ticket, and performs an authentication with an access point using the ticket. The access point deploys a first public key-private key pair to an intermediate device. The intermediate device and access point share a master secret to protect information in the ticket. The access point receives an association request from the client device that includes a nonce public key and a signature using a second public key-private key pair provided by the intermediate device. The access point authenticates the client device using the nonce public key. The access point sends an association response to the client device based on the authentication and a signature using the first public key-private key pair. The access point initiates an association with the client device to permit the client device to connect to a network associated with the access point.

51 Citations

View as Search Results

22 Claims

1. A method comprising:
- deploying, by an access point, a master secret and a first public key-private key pair to an intermediate device accessible to a client device, the first public key-private key pair comprising a first public key and a first private key;
  
  receiving an uplink request from the client device, the uplink request comprising a second public key of a second public key-private key pair provided by the intermediate device;
  
  authenticating the client device using the second public key from the received uplink request;
  
  sending a downlink response to the device based on the client device being authenticated; and
  
  initiating, in response to the downlink response being sent, an association with the client device to permit the client device to connect to a network associated with the access point.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the uplink request comprises a concatenation of an encrypted second public key, a device ephemeral public key and a random challenge, wherein the second public key is hashed from a second private key of the second public key-private key pair.
  - 3. The method of claim 2, wherein the uplink request comprises a device signature of the concatenation using the second private key.
  - 4. The method of claim 3, further comprising:
    - decoding the second public key and an expiration time from the encrypted second public key using the master secret.
  - 5. The method of claim 4, wherein authenticating the client device comprises:
    - verifying the device signature using the decoded second public key, the verified device signature indicating that the intermediate device that provided a ticket to the client device is genuine.
  - 6. The method of claim 1, further comprising:
    - generating an access point ephemeral public key-private key pair.
  - 7. The method of claim 6, wherein the association response comprises a concatenation of an ephemeral public key from the access point ephemeral public key-private key pair and an access point signature.
  - 8. The method of claim 7, wherein the access point signature is computed over a concatenation of the ephemeral public key and a random challenge from the uplink request, the access point signature being encoded using the first private key.
  - 9. The method of claim 6, further comprising:
    - deriving a pairwise master key using one or more ephemeral keys of the access point ephemeral public key-private key pair; and
      
      performing a handshake with the client device using the derived pairwise master key.
  - 10. The method of claim 2, wherein the encrypted second public key is provided by the intermediate device to the client device.
  - 11. The method of claim 1, wherein the uplink request comprises an association request and the downlink response comprises an association response.
  - 12. The method of claim 1, wherein the uplink request comprises an authentication request and the downlink response comprises an authentication response.

13. An access point comprising:
- one or more processors; and
  
  a memory comprising instructions stored thereon that, when executed by the one or more processors, cause the one or more processors to perform operations, the operations comprising;
  
  generating a master secret and a first public key-private key pair, the first public key-private key pair comprising an access point private key;
  
  deploying the master secret and the first public key-private key pair to an intermediate device accessible to a client device;
  
  receiving an association request from the client device, the association request including an encrypted nonce public key and a device signature;
  
  decrypting the encrypted nonce public key using the master secret;
  
  verifying the device signature using the decrypted nonce public key;
  
  generating an access point ephemeral public key-private key pair;
  
  encrypting an access point signature with an access point private key;
  
  providing an access point ephemeral public key of the access point ephemeral public key-private key pair and the encrypted access point signature to the client device; and
  
  initiating an association with the client device using one or more ephemeral keys exchanged with the client device.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The access point of claim 13, wherein the association request comprises a concatenation of the encrypted nonce public key, a device ephemeral public key and a random challenge, wherein the association request comprises a device signature of the concatenation using a nonce private key associated with the client device, and wherein the operations further comprise:
    - decoding a nonce public key and an expiration time from the encrypted nonce public key using the master secret.
  - 15. The access point of claim 14, wherein authenticating the client device comprises:
    - verifying the device signature using the decoded nonce public key, the verified device signature indicating that the intermediate device that provided a ticket to the client device is genuine.
  - 16. The access point of claim 13, wherein the operations further comprise:
    - generating an access point ephemeral public key-private key pair.
  - 17. The access point of claim 16, wherein the operations further comprise:
    - deriving a pairwise master key using one or more ephemeral keys of the access point ephemeral public key-private key pair; and
      
      performing a handshake with the client device using the derived pairwise master key.
  - 18. The access point of claim 13, wherein the access point signature is computed over a concatenation of the access point ephemeral public key and a random challenge associated with the client device.
  - 19. The access point of claim 13, wherein the associating comprises:
    - permitting the client device to connect to a network associated with the access point.

20. A method comprising:
- receiving, by a device, a ticket from an intermediate device, the ticket comprising a nonce private key, an encrypted nonce public key, an access point public key, and an expiration time associated with the ticket;
  
  generating, by the device, a device ephemeral public key-private key pair;
  
  generating, by the device, a random challenge;
  
  encrypting, by the device, a device signature using the nonce private key;
  
  providing, by the device to an access point, the encrypted nonce public key, a device ephemeral public key of the device ephemeral public key-private key pair, the random challenge, and the encrypted device signature;
  
  receiving an access point signature from the access point;
  
  verifying the access point signature using the access point public key; and
  
  obtaining access to a network associated with the access point by an association with the access point.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20, wherein receiving the ticket comprises:
    - receiving a two-dimensional barcode readable by the device to provide the nonce private key, the encrypted nonce public key, and the access point public key to the device.
  - 22. The method of claim 20, wherein the encrypted nonce public key is encrypted with a master key provided by the access point to the intermediate device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Avago Technologies General IP PTE Limited (Broadcom, Inc.)
Inventors
BHANDARU, Nehru, DERHAM, Thomas

Granted Patent

US 10,645,577 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G09C 5/00   Ciphering apparatus or meth...

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 2209/80   Wireless network architectu...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 9/0844   with user authentication or...

H04L 9/088   Usage controlling of secret...

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 12/069   using certificates or pre-s...

H04W 48/08   Access restriction or acces...

ENHANCED SECURE PROVISIONING FOR HOTSPOTS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

ENHANCED SECURE PROVISIONING FOR HOTSPOTS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links