Method and apparatus for communicating credential information within a network device authentication conversation

US 7,171,555 B1
Filed: 05/29/2003
Issued: 01/30/2007
Est. Priority Date: 05/29/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method of communicating a security credential within a network device authentication conversation, the method comprising the computer-implemented steps of:

performing, at an authenticator that is communicatively coupled to a supplicant through a network, a first message conversation resulting in creating a security context that is known to the authenticator and the supplicant;

initiating a second message conversation between the authenticator and the supplicant, wherein the second message conversation is cryptographically protected using the same security context that was created in the first message conversation;

providing a security credential to the supplicant in the second message conversation;

concluding the second message conversation and the first message conversation;

wherein the first message conversation and the second message conversation are for granting initial network access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for communicating a security credential within a network device authentication conversation. An authenticator that is coupled to a supplicant through a network performs a first message conversation resulting in creating a security context that is known to the authenticator and the supplicant. A second message conversation is initiated. The second message conversation is cryptographically protected using the same security context. A security credential is provided to the supplicant in the second message conversation. The second message conversation and first message conversation are then concluded. Specific embodiments can bootstrap digital certificates, public/private key pairs, and other credentials to supplicants, in-band, within an EAP-SIM or EAP-AKA conversation and without initiating a new session or exchanging special-purpose keys to protect distribution of the credentials.

Citations

47 Claims

1. A method of communicating a security credential within a network device authentication conversation, the method comprising the computer-implemented steps of:
- performing, at an authenticator that is communicatively coupled to a supplicant through a network, a first message conversation resulting in creating a security context that is known to the authenticator and the supplicant;
  
  initiating a second message conversation between the authenticator and the supplicant, wherein the second message conversation is cryptographically protected using the same security context that was created in the first message conversation;
  
  providing a security credential to the supplicant in the second message conversation;
  
  concluding the second message conversation and the first message conversation;
  
  wherein the first message conversation and the second message conversation are for granting initial network access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method as recited in claim 1 wherein the first message conversation is an EAP-SIM conversation.
  - 3. A method as recited in claim 1, wherein the first message conversation is an EAP-AKA conversation.
  - 4. A method as recited in claim 1, wherein the security credential is a root digital certificate of an authentication server associated with the authenticator.
  - 5. A method as recited in claim 1, wherein the security credential is a public/private key pair for the supplicant.
  - 6. A method as recited in claim 1, wherein the security credential is a digital certificate that is requested for the supplicant from a third party.
  - 7. A method as recited in claim 1, wherein the security credential is provided to the supplicant in an EAP-Response message, wherein the EAP-Response message includes the security credential, and a message authentication code attribute containing a message authentication code that is generated based on the security credential.
  - 8. A method as recited in claim 1, wherein the supplicant further performs the computer-implemented steps of:
    - sending an EAP response message that requests a digital certificate from an authentication server associated with the authenticator;
      
      receiving an EAP response message that contains a digital certificate and a message authentication code based on the digital certificate;
      
      verifying the message authentication code with respect to the digital certificate;
      
      when verification is successful, sending an EAP response message that indicates successful verification.
  - 9. A method as recited in claim 1, wherein the security credential is provided in a protected type-length-value (TLV) attribute of an EAP response message.
  - 10. A method as recited in claim 1, wherein the second message conversation is initiated by the supplicant using a generic EAP-method, wherein the second message conversation further comprises issuing a query to the supplicant about whether a certificate or a key pair is requested, and wherein the second message conversation further comprises providing either a certificate or a key pair to the supplicant based on a response to the query.

11. A method of distributing a security credential to a network device within an extensible authentication protocol (EAP) authentication conversation, the method comprising the computer-implemented steps of:
- performing, at an authenticator that is communicatively coupled to a supplicant through a network, an EAP-SIM message conversation resulting in creating a security context that is known to the authenticator and the supplicant;
  
  during the EAP-SIM message conversation, receiving a request for the security credential, wherein the request is formatted as a first EAP message;
  
  providing the security credential to the supplicant in a second EAP message, wherein the security credential is cryptographically protected using the security context;
  
  providing to the supplicant in the second EAP message, verification information based on the security credential;
  
  wherein the EAP-SIM message conversation is for granting initial network access.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. A method as recited in claim 11, wherein the security credential is a root digital certificate of an authentication server associated with the authenticator.
  - 13. A method as recited in claim 11, wherein the security credential is a public/private key pair for the supplicant.
  - 14. A method as recited in claim 11, wherein the security credential is a digital certificate that is requested for the supplicant from a third party.
  - 15. A method as recited in claim 11, wherein the first EAP message is an EAP-Response message, wherein the EAP-Response message includes the security credential, and a message authentication code attribute containing a message authentication code that is generated based on the security credential.
  - 16. A method as recited in claim 11, wherein the supplicant further performs the computer-implemented steps of:
    - sending the first EAP message that requests a digital certificate from an authentication server associated with the authenticator;
      
      receiving the second EAP message, which comprises a digital certificate and a message authentication code based on the digital certificate;
      
      verifying the message authentication code with respect to the digital certificate;
      
      when verification is successful, sending a third EAP message that indicates successful verification.
  - 17. A method as recited in claim 11, wherein the security credential is provided in a protected type-length-value (TLV) attribute of an EAP response message.

18. A computer-readable medium carrying one or more sequences of instructions for communicating a security credential within a network device authentication conversation, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- performing, at an authenticator that is communicatively coupled to a supplicant through a network, a first message conversation resulting in creating a security context that is known to the authenticator and the supplicant;
  
  initiating a second message conversation between the authenticator and the supplicant, wherein the second message conversation is cryptographically protected using the same security context that was created in the first message conversation;
  
  providing a security credential to the supplicant in the second message conversation;
  
  concluding the second message conversation and the first message conversation;
  
  wherein the first message conversation and the second message conversation are for granting initial network access.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. A computer-readable medium as recited in claim 18 wherein the first message conversation is an EAP-SIM conversation.
  - 20. A computer-readable medium as recited in claim 18, wherein the first message conversation is an EAP-AKA conversation.
  - 21. A computer-readable medium as recited in claim 18, wherein the security credential is a root digital certificate of an authentication server associated with the authenticator.
  - 22. A computer-readable medium as recited in claim 18, wherein the security credential is a public/private key pair for the supplicant.
  - 23. A computer-readable medium as recited in claim 18, wherein the security credential is a digital certificate that is requested for the supplicant from a third party.
  - 24. A computer-readable medium as recited in claim 18, wherein the security credential is provided to the supplicant in an EAP-Response message, wherein the EAP-Response message includes the security credential, and a message authentication code attribute containing a message authentication code that is generated based on the security credential.
  - 25. A computer-readable medium as recited in claim 18, further comprising instructions wherein the supplicant further performs the steps of:
    - sending an EAP response message that requests a digital certificate from an authentication server associated with the authenticator;
      
      receiving an EAP response message that contains a digital certificate and a message authentication code based on the digital certificate;
      
      verifying the message authentication code with respect to the digital certificate;
      
      when verification is successful, sending an EAP response message that indicates successful verification.
  - 26. A computer-readable medium as recited in claim 18, wherein the security credential is provided in a protected type-length-value (TLV) attribute of an EAP response message.
  - 27. A computer-readable medium as recited in claim 18, wherein the second message conversation is initiated by the supplicant using a generic EAP-method, wherein the second message conversation further comprises issuing a query to the supplicant about whether a certificate or a key pair is requested, and wherein the second message conversation further comprises providing either a certificate or a key pair to the supplicant based on a response to the query.

28. An apparatus for communicating a security credential within a network device authentication conversation, comprising:
- means for performing, at an authenticator that is communicatively coupled to a supplicant through a network, a first message conversation resulting in creating a security context that is known to the authenticator and the supplicant;
  
  means for initiating a second message conversation between the authenticator and the supplicant, wherein the second message conversation is cryptographically protected using the same security context that was created in the first message conversation;
  
  means for providing a security credential to the supplicant in the second message conversation; and
  
  means for concluding the second message conversation and the first message conversation;
  
  wherein the first message conversation and the second message conversation are for granting initial network access.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 29. An apparatus as recited in claim 28 wherein the first message conversation is an EAP-SIM conversation.
  - 30. An apparatus as recited in claim 28, wherein the first message conversation is an EAP-AKA conversation.
  - 31. An apparatus as recited in claim 28, wherein the security credential is a root digital certificate of an authentication server associated with the authenticator.
  - 32. An apparatus as recited in claim 28, wherein the security credential is a public/private key pair for the supplicant.
  - 33. An apparatus as recited in claim 28, wherein the security credential is a digital certificate that is requested for the supplicant from a third party.
  - 34. An apparatus as recited in claim 28, wherein the security credential is provided to the supplicant in an EAP-Response message, wherein the EAP-Response message includes the security credential, and a message authentication code attribute containing a message authentication code that is generated based on the security credential.
  - 35. An apparatus as recited in claim 28, wherein the supplicant further comprises:
    - means for sending an EAP response message that requests a digital certificate from an authentication server associated with the authenticator;
      
      means for receiving an EAP response message that contains a digital certificate and a message authentication code based on the digital certificate;
      
      means for verifying the message authentication code with respect to the digital certificate;
      
      means for sending, when verification is successful, an EAP response message that indicates successful verification.
  - 36. An apparatus as recited in claim 28, wherein the security credential is provided in a protected type-length-value (TLV) attribute of an EAP response message.
  - 37. An apparatus as recited in claim 28, wherein the second message conversation is initiated by the supplicant using a generic EAP-method, wherein the second message conversation further comprises issuing a query to the supplicant about whether a certificate or a key pair is requested, and wherein the second message conversation further comprises providing either a certificate or a key pair to the supplicant based on a response to the query.

38. An apparatus for communicating a security credential within a network device authentication conversation, comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  performing, at an authenticator that is communicatively coupled to a supplicant through a network, a first message conversation resulting in creating a security context that is known to the authenticator and the supplicant;
  
  initiating a second message conversation between the authenticator and the supplicant, wherein the second message conversation is cryptographically protected using the same security context that was created in the first message conversation;
  
  providing a security credential to the supplicant in the second message conversation;
  
  concluding the second message conversation and the first message conversation;
  
  wherein the first message conversation and the second message conversation are for granting initial network access.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 39. An apparatus as recited in claim 38 wherein the first message conversation is an EAP-SIM conversation.
  - 40. An apparatus as recited in claim 38, wherein the first message conversation is an EAP-AKA conversation.
  - 41. An apparatus as recited in claim 38, wherein the security credential is a root digital certificate of an authentication server associated with the authenticator.
  - 42. An apparatus as recited in claim 38, wherein the security credential is a public/private key pair for the supplicant.
  - 43. An apparatus as recited in claim 38, wherein the security credential is a digital certificate that is requested for the supplicant from a third party.
  - 44. An apparatus as recited in claim 38, wherein the security credential is provided to the supplicant in an EAP-Response message, wherein the EAP-Response message includes the security credential, and a message authentication code attribute containing a message authentication code that is generated based on the security credential.
  - 45. An apparatus as recited in claim 38, wherein the supplicant further performs the computer-implemented steps of:
    - sending an EAP response message that requests a digital certificate from an authentication server associated with the authenticator;
      
      receiving an EAP response message that contains a digital certificate and a message authentication code based on the digital certificate;
      
      verifying the message authentication code with respect to the digital certificate;
      
      when verification is successful, sending an EAP response message that indicates successful verification.
  - 46. An apparatus as recited in claim 38, wherein the security credential is provided in a protected type-length-value (TLV) attribute of an EAP response message.
  - 47. An apparatus as recited in claim 38, wherein the second message conversation is initiated by the supplicant using a generic EAP-method, wherein the second message conversation further comprises issuing a query to the supplicant about whether a certificate or a key pair is requested, and wherein the second message conversation further comprises providing either a certificate or a key pair to the supplicant based on a response to the query.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Salowey, Joseph, Gossman, William
Primary Examiner(s)
Song; Hosuk

Application Number

US10/449,180
Time in Patent Office

1,342 Days
Field of Search

726 1- 5, 713/168, 713/175, 713/155, 713/156
US Class Current

713/156
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0892   by using authentication-aut...

H04L 63/162   at the data link layer

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

H04W 12/0431   Key distribution or pre-dis...

H04W 12/0471   Key exchange

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

H04W 84/12   WLAN [Wireless Local Area N...

Method and apparatus for communicating credential information within a network device authentication conversation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for communicating credential information within a network device authentication conversation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links