Transfer of security association during a mobile terminal handover
Abstract
An existing security association is re-established when a communication handover event occurs in a radio communications system such as IEEE 802.11 or a HIPERLAN, wherein the existing security association between a mobile terminal and a wireless communication network is maintained when the communication handover occurs within the network. Authentication during a handover event is achieved by a challenge/response procedure. In accordance with the challenge/response procedure, each member of a communication pair that is made up of a new access point and the mobile terminal that is experiencing a handover to the new access point sends a challenge to the other member of the communication pair. Each member of the communication pair then calculates a response to its received challenge, and these responses are sent back to the other member of the communication pair. Each member of the communication pair then compares its received response to a correct response. When both comparisons succeed, payload communication begins between the new access point and the mobile terminal.
20 Claims
1. In a communication system having a plurality of access-points, each access point serving a different geographic area within an overall geographic area that is served by said communication system, said communication system further having a plurality of mobile-terminals that are each physically moveable within said overall geographic area and between said different geographic areas, a method of providing information security when communication with a given mobile-terminal is handed-over from a first access-point to a second access-point, said method comprising the steps of:
sensing when said given mobile-terminal moves from a communication-influence with said first access-point into a communication-influence with said second access-point;
responding to said sensing step by retrieving security-association-parameters from said first access-point, by creating a security association at said second access-point in accordance with said retrieved security-association-parameters, and by creating a security association at said given mobile-terminal in accordance with said retrieved security-association-parameters;
responding to said sensing step by sending an authenticate-access-point-challenge from said given mobile-terminal to said second access-point, and by sending an authenticate-mobile-terminal-challenge from said second access-point to said given mobile-terminal;
generating an authenticate-access-point-response at said second access-point in response to said authenticate-access-point-challenge received from said given mobile-terminal;
sending said authenticate-access-point-response to said given mobile-terminal;
generating an authenticate-mobile-terminal-response at said given mobile-terminal in response to said authenticate-mobile-terminal-challenge received from said second access-point;
sending said authenticate-mobile-terminal-response to said second access-point;
first-comparing said authenticate-access-point-response to a correct response at said given mobile-terminal; and
second-comparing said authenticate-mobile-terminal-response to a correct response at said second access-point.
providing said communications system as a LAN;
providing a server within said LAN;
providing key management and security association re-establishment within said LAN during a communication handover, without requiring a modification to an end-to-end security association, as communication continues during said communications handover, such that said communications handover affects only security functions between said mobile-terminal and said first and second access-points.
5. The method of claim 4 wherein said LAN includes Internet Protocol Security based security association between said plurality of access-points and said plurality of mobile-terminals.
6. The method of claim 1 wherein said communication system is a WLAN communication system wherein a security protocol is used to provide end-to-end security for data packets.
7. The method of claim 6 wherein said end-to-end security is provided by authenticating and/or encrypting said data packets, and wherein said security protocol provides symmetric cryptography requiring use of a same encryption and/or authentication key at both ends of a communication link.
8. The method of claim 7 wherein a scaleable key management protocol operates to generate symmetric keys for said security protocol.
9. The method of claim 7 including the step of:
providing a session dependent dynamic encryption key between said given mobile-terminal and said second access-point; and
transferring an active security association from first access-point to said second access-point as said given mobile-terminal moves within communication coverage that is provided by said communication system.
10. The method of claim 1 wherein an authentication key is provided for both ends of a communication pair that is made up of said given mobile-terminal and said first and second access-points, said authentication key being generated by a scaleable key management protocol.
11. The method of claim 1 wherein an authentication key or security association exists between said given mobile-terminal and said first access-point in accordance with a scaleable key management protocol;
and wherein security associations are transferred between said plurality of access-points in order to avoid the need for a new key exchange during a communication handover.
12. The method of claim 11 wherein said scaleable key management protocol is IKE, and wherein security associations are transferred between said first access-point and said second access-point in a manner that avoids a need for a new key exchange during said communication handover from said first access-point to said second access-point.
13. The method of claim 12 including the step of encrypting messages that carry the keys.
14. The method of claim 1 further comprising the step of initiating communication between said given mobile-terminal and said second access-point based upon said first-comparing step and said second-comparing step.
15. A challenge/response method for maintaining a security association when a communication-handover event occurs in a radio communications system, comprising the steps of:
providing a communication-pair that is made up of an access-point and a mobile-terminal that is experiencing a communication handover to said access-point;
sending a first-challenge from said mobile-terminal to said access-point;
sending a second-challenge from said access-point to said mobile-terminal;
calculating a first-response to said received first-challenge at said access-point;
sending said first-response to said mobile-terminal;
calculating a second-response to said received second-challenge at said mobile-terminal;
sending said second-response to said access-point;
first-comparing said received first-response to a correct response at said mobile-terminal;
second-comparing said received second-response to a correct response at said access-point; and
beginning communication between said access-point and said mobile-terminal as a function of said first-comparing step and said second-comparing step.
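The challenge/response method of claim 15 (and the transfer of security-association parameters from claim 1) simulated in Python, as an added illustration that is not part of the patent or of any product implementing it. The response function (HMAC-SHA256 keyed with the transferred authentication key), the role labels, and the dictionary holding the SA parameters are this example's assumptions; the claims leave the response computation unspecified.

```python
import hashlib
import hmac
import secrets

def make_security_association():
    """Constructed SA parameters; in the claims they come from the key management
    protocol (e.g. IKE) and are transferred between access points, not re-negotiated."""
    return {"sa_id": secrets.token_hex(4), "auth_key": secrets.token_bytes(32)}

def compute_response(sa, role, challenge):
    """Response to a challenge keyed with the SA's authentication key (HMAC-SHA256 is
    this example's choice). The responder's role is mixed in so an access-point
    response cannot be replayed as a terminal response to the same challenge."""
    return hmac.new(sa["auth_key"], role + challenge, hashlib.sha256).digest()

class AccessPoint:
    def __init__(self, name):
        self.name = name
        self.associations = {}  # terminal id -> security association

    def transfer_sa(self, terminal_id, new_ap):
        """Second access point retrieves the SA parameters from the first one."""
        new_ap.associations[terminal_id] = self.associations[terminal_id]

def handover(terminal_id, terminal_sa, new_ap):
    """Mutual challenge/response of claim 15; True only if both comparisons pass."""
    ap_sa = new_ap.associations.get(terminal_id)
    if ap_sa is None:  # no SA was established at this access point
        return False
    # Both members of the communication pair issue a fresh random challenge.
    ap_challenge = secrets.token_bytes(16)  # first-challenge, terminal -> access point
    mt_challenge = secrets.token_bytes(16)  # second-challenge, access point -> terminal
    # Each member answers the challenge it received.
    ap_response = compute_response(ap_sa, b"AP", ap_challenge)
    mt_response = compute_response(terminal_sa, b"MT", mt_challenge)
    # first-comparing at the terminal, second-comparing at the access point, each
    # against the response it computes itself, in constant time.
    ap_ok = hmac.compare_digest(ap_response, compute_response(terminal_sa, b"AP", ap_challenge))
    mt_ok = hmac.compare_digest(mt_response, compute_response(ap_sa, b"MT", mt_challenge))
    return ap_ok and mt_ok

def demo():
    """AP2 received the SA; AP3 holds a different SA, AP4 none: only AP2 passes."""
    sa = make_security_association()
    ap1, ap2, ap3 = AccessPoint("AP1"), AccessPoint("AP2"), AccessPoint("AP3")
    ap1.associations["mt-1"] = sa
    ap1.transfer_sa("mt-1", ap2)
    ap3.associations["mt-1"] = make_security_association()
    return handover("mt-1", sa, ap2), handover("mt-1", sa, ap3), handover("mt-1", sa, AccessPoint("AP4"))
```

Payload communication would begin only in the first case, where both comparisons succeed; an access point that never received the transferred SA cannot answer the terminal's challenge.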
18. Apparatus for maintaining a given security-association in a radio communications system when a communication-handover occurs as a mobile-terminal physically moves from a first geographic area that is served by a first communication-access-point to a second geographic area that is served by a second communication-access-point, said mobile-terminal initially forming a first communication-pair with said first communication-access-point, and after said communication-handover said mobile-terminal forming a second communication-pair with said second communication-access-point, each member of said first communication-pair having said given security-association associated therewith, the apparatus comprising:
first means at said mobile-terminal for sensing a need to initiate said communication-handover;
second means within said radio communications system and responsive to said first means sensing said need to initiate said communication-handover for establishing said given security-association at said second communication-access-point;
third means at said mobile-terminal for generating an access-point-challenge as a function of said given security-association, and for sending said access-point-challenge to said second communication-access-point;
fourth means at said second communication-access-point for generating a mobile-terminal-challenge as a function of said given security-association established at said second communication-access-point, and for sending said mobile-terminal-challenge to said mobile-terminal;
fifth means at said mobile-terminal and responsive to said mobile-terminal-challenge for generating a mobile-terminal-response as a function of said given security-association, and for sending said mobile-terminal-response to said second communication-access-point;
sixth means at said second communication-access-point and responsive to said access-point-challenge for generating an access-point-response as a function of said given security-association established at said second communication-access-point, and for sending said access-point-response to said mobile-terminal;
seventh means at said mobile-terminal and responsive to said access-point-response for determining if said access-point-response is correct as a function of said given security-association;
eighth means at said second communication-access-point and responsive to said mobile-terminal-response for determining if said mobile-terminal-response is correct as a function of said given security-association established at said second communication-access-point; and
ninth means within said radio communications system and responsive to said eighth and ninth means for establishing said communication-handover when both said mobile-terminal-response and said access-point-response are correct.
20. A method for maintaining a given security-association in a radio communications system when a communication-handover of a mobile terminal occurs, said mobile-terminal initially forming a first communication-pair with said first communication-access-point, and after said communication-handover said mobile-terminal forming a second communication-pair with said second communication-access-point, each member of said first communication-pair having said given security-association associated therewith, the method comprising the steps of:
sensing a need to initiate said communication-handover;
responding to said need to initiate said communication-handover and establishing said given security-association at said second communication-access-point in response thereto;
generating at said mobile-terminal an access-point-challenge as a function of said given security-association;
sending said access-point-challenge to said second communication-access-point;
generating at said second communication-access-point a mobile-terminal-challenge as a function of said given security-association established at said second communication-access-point;
sending said mobile-terminal-challenge to said mobile-terminal;
responding to said mobile-terminal-challenge at said mobile-terminal and generating a mobile-terminal-response as a function of said given security-association;
sending said mobile-terminal-response to said second communication-access-point;
responding to said access-point-challenge at said second communication-access-point and generating an access-point-response as a function of said given security-association established at said second communication-access-point;
sending said access-point-response to said mobile-terminal;
responding to said access-point-response at said mobile-terminal and determining if said access-point-response is correct as a function of said given security-association;
responding to said mobile-terminal-response at said second communication-access-point and determining if said mobile-terminal-response is correct as a function of said given security-association established at said second communication-access-point; and
establishing said communication-handover when both said mobile-terminal-response and said access-point-response are correct.