Facilitating 802.11 roaming by pre-establishing session keys

US 7,275,157 B2
Filed: 12/05/2003
Issued: 09/25/2007
Est. Priority Date: 05/27/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method of reducing handoff latency of a mobile node (MN) roaming between access points in a wireless network (WLAN), the method comprising:

authenticating the mobile node (MN) with an access point (AP) to produce a pairwise master key (PMK);

establishing a pairwise transient key (PTK) as a link layer session key to provide secure communication of 802.1X messages and 802.11 data between the mobile node and the access point;

associating the mobile node with the access point disposed on said wireless network, wherein said associating includes issuing an association request by said mobile node to the access point including signature information indicative of the mobile node holding a fresh/live pairwise transient key;

validating the signature information by the access point;

delivering a protected group transient key (GTK) from the access point to the mobile node, the group transient key being used to protect broadcast communication of the access point comprising generating an association response to send to the MN containing an encrypted field protecting the GTK and including signature information indicative of the AP holding the same fresh/live key PTK as the MN;

validating the signature information by the MN and storing the encrypted GTK for use in multicast communications by the AP; and

forwarding a re-association confirmation message from the mobile node MN to the access point AP to confirm receipt of the group transient key GTK by the mobile node MN;

wherein said establishing establishes said pairwise transient key PTK before said associating is initiated;

wherein said issuing the re-association request by the mobile node MN includes issuing a resuscitation request as Authenticate PTK (SRandom, PTKID MIC);

wherein said validating and said delivering includes delivering a re-association response from the access point AP to the mobile node MN as Authenticate PTK (ARandom, SRandom, PTKID, GTK, GTKID, MIC), deliver encrypted group key; and

,wherein said forwarding the re-association confirmation message includes forwarding a re-association confirm from the mobile node MN to the access point AP as Group Key Confirm (ARandom, MIC).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for pre-authenticating a pre-establishing key management on a roaming device prior to reassociation to facilitate fast hand-off in a wireless network is described. For enhanced mobility, both authentication and key establishment is performed prior to reassociation of the roaming device between access points. When the roaming device enters in contact with one of the access points, a local authentication is performed between the access point and the roaming device prior to reassociation with the access point to allow for fast hand-offs of the device between access points within the network.

Citations

15 Claims

1. A method of reducing handoff latency of a mobile node (MN) roaming between access points in a wireless network (WLAN), the method comprising:
- authenticating the mobile node (MN) with an access point (AP) to produce a pairwise master key (PMK);
  
  establishing a pairwise transient key (PTK) as a link layer session key to provide secure communication of 802.1X messages and 802.11 data between the mobile node and the access point;
  
  associating the mobile node with the access point disposed on said wireless network, wherein said associating includes issuing an association request by said mobile node to the access point including signature information indicative of the mobile node holding a fresh/live pairwise transient key;
  
  validating the signature information by the access point;
  
  delivering a protected group transient key (GTK) from the access point to the mobile node, the group transient key being used to protect broadcast communication of the access point comprising generating an association response to send to the MN containing an encrypted field protecting the GTK and including signature information indicative of the AP holding the same fresh/live key PTK as the MN;
  
  validating the signature information by the MN and storing the encrypted GTK for use in multicast communications by the AP; and
  
  forwarding a re-association confirmation message from the mobile node MN to the access point AP to confirm receipt of the group transient key GTK by the mobile node MN;
  
  wherein said establishing establishes said pairwise transient key PTK before said associating is initiated;
  
  wherein said issuing the re-association request by the mobile node MN includes issuing a resuscitation request as Authenticate PTK (SRandom, PTKID MIC);
  
  wherein said validating and said delivering includes delivering a re-association response from the access point AP to the mobile node MN as Authenticate PTK (ARandom, SRandom, PTKID, GTK, GTKID, MIC), deliver encrypted group key; and
  
  ,wherein said forwarding the re-association confirmation message includes forwarding a re-association confirm from the mobile node MN to the access point AP as Group Key Confirm (ARandom, MIC).
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1 wherein said authenticating and said establishing are initiated before said re-associating.
  - 3. The method according to claim 1 wherein said establishing includes perfonning an 802.11 4-way handshake to generate said pairwise transient key PMK using said pairwise master key PMK.
  - 4. The method according to claim 1 wherein the authenticating includes:
    - producing said pairwise master key PMK by at least one of;
      
      retrieving said pairwise master key PMK from a cache memory of said access point AP, andexecuting an 802.1X extensible authenticated protocol EAP by the access point AP together with an authentication server AS of said wireless network WLAN to generate said pairwise master key PMK.
  - 5. The method according to claim 1 wherein said authenticating includes negotiating a security association type.

6. In a wireless network (WLAN) including at least one mobile node (MN) roaming between access points of the wireless network, a system for reducing handoff latency, the system comprising:
- means for authenticating the mobile node with an access point (AP) to produce a pairwise master key (PMK);
  
  means for establishing a pairwise transient key (PTK) as a link layer session key to provide secure communication of 802.1X compatible messages and 802.11 compatible data between the mobile node and the access point;
  
  means for associating the mobile node with the access point in said wireless network;
  
  means for validating the signature information by the access point; and
  
  ,means for delivering a protected group transient key (GTK) from the access point to the mobile node, the group transient key being used to protect broadcast traffic from the access point, the means for delivering comprises means for generating an association response to send to the MN containing an encrypted field protecting the GTK and including signature information indicative of the AP holding the same fresh/live key PTK as the MN;
  
  means for validating the signature information by the MN and storing the encrypted GTK for use in multicast communications by the AP; and
  
  means for forwarding a re-association confirmation message from the mobile node to the access point to confirm receipt of the group transient key by the mobile node;
  
  wherein said means for establishing is adapted to establish said pairwise transient key PTK before said associating means is initiated;
  
  wherein said re-associating means includes means for issuing a re-association request by said mobile node MN to the access point AP including signature information indicative of the mobile node MN holding a fresh/live pairwise transient key PTK;
  
  wherein said means for issuing the re-association request by the mobile node includes means for issuing a resuscitation request as Authenticate PTK (SRandom, PTKID MIC);
  
  wherein said means for validating and said delivering includes means for delivering a re-association response from the access point to the mobile node as Authenticate PTK (ARandom, SRandom, PTKID, GTKID, GTK, MIC), deliver encrypted group key; and
  
  wherein said means for forwarding the re-association confirmation message includes means for forwarding a re-association confirm from the mobile node to the access point as Group Key Confirm (ARandom, MIC).
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system according to claim 6 wherein said means for authenticating and said means for establishing are initiated before said means for re-associating.
  - 8. The system according to claim 6 wherein said means for establishing includes means for performing an 802.11 4-way handshake to generate said pairwise transient key PMK using said pairwise master key PMK.
  - 9. The system according to claim 6 wherein the means for authenticating includes:
    - means for producing said pairwise master key PMK by at least one of;
      
      retrieving said pairwise master key PMK from a cache memory of said access point AP, andexecuting an 802.1X extensible authenticated protocol EAP by the access point AP together with an authentication server AS of said wireless network WLAN to generate said pairwise master key PMK.
  - 10. The system according to claim 6 wherein said means for authenticating includes means for negotiating a security association type.

11. An article of manufacture comprising a program storage medium readable by a computer and embodying one or more instructions executable by the computer to perform method steps for executing a command to perform method of reducing handoff latency of a mobile node (MN) roaming between access points in a wireless network (WLAN), the method comprising:
- authenticating the mobile node with an access point (AP) to produce a pairwise master key (PMK);
  
  establishing a pairwise transient key (PTK) as a link layer session key to provide secure communication of 802.1X compatible messages and 802.11 compatible data between the mobile node and the access point;
  
  associating the mobile node with the access point in said wireless network;
  
  validating the signature information by the access point AP; and
  
  ,delivering a protected group transient key (GTK) from the access point to the mobile node, the group transient key being used to protect communication between the mobile node and the access point, the delivering a protected GTK comprises generating an association response to send to the MN containing an encrypted field protecting the GTK and including signature information indicative of the AP holding the same fresh/live key PTK as the MN;
  
  validating the signature information by the MN and storing the encrypted GTK for use in multicast communications by the AP; and
  
  forwarding a re-association confirmation message from the mobile node to the access point to confirm receipt of the group transient key GTK by the mobile node;
  
  wherein said establishing establishes said pairwise transient key PTK before said associating is initiated;
  
  wherein said re-associating includes issuing a re-association request by said mobile node MN to the access point AP including signature information indicative of the mobile node MN holding a fresh/live pairwise transient key PTKwherein said issuing the re-association request by the mobile node includes issuing a resuscitation request as Authenticate PTK (SRandom, PTKID, MIC);
  
  wherein said validating and said delivering includes delivering a re-association response from the access point to the mobile node as Authenticate PTK (ARandom, SRandom, PTKID, GTKID, GTK, MIC), deliver encrypted group key; and
  
  wherein said forwarding the re-association confirmation message includes forwarding a re-association confirm from the mobile node to the access point as Group Key Confirm (ARandom, MIC).
- View Dependent Claims (12, 13, 14, 15)
- - 12. The article of manufacture according to claim 11 wherein said authenticating and said establishing are initiated before said re-associating.
  - 13. The article of manufacture according to claim 11 wherein said establishing includes performing an 802.11 compatible 4-way handshake to generate said pairwise transient key using said pairwise master key.
  - 14. The article of manufacture according to claim 11 wherein the authenticating includes:
    - producing said pairwise master key by at least one of;
      
      retrieving said pairwise master key from a cache memory of said access point, andexecuting an 802.1X compatible extensible authenticated protocol EAP by the access point together with an authentication server (AS) of said wireless network to generate said pairwise master key.
  - 15. The article of manufacture according to claim 11 wherein said authenticating includes negotiating a security association type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cam Winget, Nancy
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US10/729,171
Publication Number

US 20040240412A1
Time in Patent Office

1,390 Days
Field of Search

713/168, 713/169, 726/5, 380/272
US Class Current

713/168
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/061   for key exchange, e.g. in p...

H04L 63/123   received data contents, e.g...

H04L 63/162   at the data link layer

H04W 12/04   Key management, e.g. using ...

H04W 12/062   Pre-authentication

H04W 36/0016   Hand-off preparation specia...

H04W 36/0088   Scheduling hand-off measure...

H04W 84/12   WLAN [Wireless Local Area N...

Facilitating 802.11 roaming by pre-establishing session keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating 802.11 roaming by pre-establishing session keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links