Facilitating 802.11 roaming by pre-establishing session keys
First Claim
1. A method of reducing handoff latency of a mobile node (MN) roaming between access points in a wireless network (WLAN), the method comprising:
authenticating the mobile node (MN) with an access point (AP) to produce a pairwise master key (PMK);
establishing a pairwise transient key (PTK) as a link layer session key to provide secure communication of 802.1X messages and 802.11 data between the mobile node and the access point;
associating the mobile node with the access point disposed on said wireless network, wherein said associating includes issuing an association request by said mobile node to the access point including signature information indicative of the mobile node holding a fresh/live pairwise transient key;
validating the signature information by the access point;
delivering a protected group transient key (GTK) from the access point to the mobile node, the group transient key being used to protect broadcast communication of the access point comprising generating an association response to send to the MN containing an encrypted field protecting the GTK and including signature information indicative of the AP holding the same fresh/live key PTK as the MN;
validating the signature information by the MN and storing the encrypted GTK for use in multicast communications by the AP; and
forwarding a re-association confirmation message from the mobile node MN to the access point AP to confirm receipt of the group transient key GTK by the mobile node MN;
wherein said establishing establishes said pairwise transient key PTK before said associating is initiated;
wherein said issuing the re-association request by the mobile node MN includes issuing a resuscitation request as Authenticate PTK (SRandom, PTKID, MIC);
wherein said validating and said delivering includes delivering a re-association response from the access point AP to the mobile node MN as Authenticate PTK (ARandom, SRandom, PTKID, GTK, GTKID, MIC), deliver encrypted group key; and
wherein said forwarding the re-association confirmation message includes forwarding a re-association confirm from the mobile node MN to the access point AP as Group Key Confirm (ARandom, MIC).
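As an added illustration (not the patent's own code, nor any implementation it describes), the three re-association messages of claim 1 carried through in Python with both sides' checks: the PTK is assumed to be already established before association begins, each MIC is HMAC-SHA256 under a key split from the PTK, and the GTK is wrapped with a stand-in HMAC keystream rather than a real key-wrap. The KCK/KEK split, the 16-byte nonces, the byte-string PTKID/GTKID and the confirm label are assumptions of this example.

```python
import hmac
import hashlib
import secrets

def split_ptk(ptk):
    """Split the pre-established PTK into a MIC key (KCK) and a key-wrap key (KEK)."""
    return tuple(hmac.new(ptk, lbl, hashlib.sha256).digest() for lbl in (b"KCK", b"KEK"))

def mic(kck, *fields):
    return hmac.new(kck, b"|".join(fields), hashlib.sha256).digest()

def wrap(kek, nonce, data):
    # Stand-in for a real key-wrap (assumption): XOR with an HMAC keystream bound to both nonces.
    stream = hmac.new(kek, nonce, hashlib.sha256).digest()  # 32 bytes, enough for a 16-byte GTK
    return bytes(a ^ b for a, b in zip(data, stream))

def mn_reassoc_request(ptk, ptkid):
    """Message 1, MN -> AP: Authenticate PTK (SRandom, PTKID, MIC)."""
    srandom = secrets.token_bytes(16)
    return srandom, ptkid, mic(split_ptk(ptk)[0], srandom, ptkid)

def ap_reassoc_response(ptk, ptkid, gtk, gtkid, req):
    """Message 2, AP -> MN: Authenticate PTK (ARandom, SRandom, PTKID, GTK, GTKID, MIC) with GTK wrapped."""
    srandom, req_ptkid, req_mic = req
    kck, kek = split_ptk(ptk)
    if req_ptkid != ptkid or not hmac.compare_digest(req_mic, mic(kck, srandom, ptkid)):
        return None  # MN does not hold the live PTK: reject and fall back to full 802.1X authentication
    arandom = secrets.token_bytes(16)
    egtk = wrap(kek, arandom + srandom, gtk)
    return arandom, srandom, ptkid, egtk, gtkid, mic(kck, arandom, srandom, ptkid, egtk, gtkid)

def mn_validate_and_confirm(ptk, ptkid, srandom, resp):
    """MN checks the AP holds the same live PTK, unwraps the GTK, builds Message 3: Group Key Confirm (ARandom, MIC)."""
    arandom, r_srandom, r_ptkid, egtk, gtkid, r_mic = resp
    kck, kek = split_ptk(ptk)
    if (r_srandom, r_ptkid) != (srandom, ptkid) or not hmac.compare_digest(
            r_mic, mic(kck, arandom, srandom, ptkid, egtk, gtkid)):
        return None  # echoed nonce/ID mismatch (replay or wrong AP) or the AP lacks the live PTK
    return wrap(kek, arandom + srandom, egtk), gtkid, (arandom, mic(kck, b"confirm", arandom))

def ap_check_confirm(ptk, arandom, confirm):
    kck, _ = split_ptk(ptk)
    return confirm[0] == arandom and hmac.compare_digest(confirm[1], mic(kck, b"confirm", arandom))

def run_handoff(mn_ptk, ap_ptk, ptkid, gtk, gtkid):
    req = mn_reassoc_request(mn_ptk, ptkid)
    resp = ap_reassoc_response(ap_ptk, ptkid, gtk, gtkid, req)
    out = resp and mn_validate_and_confirm(mn_ptk, ptkid, req[0], resp)
    return out[0] if out and ap_check_confirm(ap_ptk, resp[0], out[2]) else None
```

run_handoff returns the GTK the MN installed only when every MIC and echoed nonce checks out on both sides; a stale PTK on either side, or a PTKID the AP does not recognise, yields None and the handoff must fall back to full authentication.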
Abstract
A method and system for pre-authenticating and pre-establishing key management on a roaming device prior to reassociation, to facilitate fast hand-off in a wireless network, is described. For enhanced mobility, both authentication and key establishment are performed before the roaming device reassociates between access points. When the roaming device comes into contact with one of the access points, a local authentication is performed between the access point and the roaming device prior to reassociation with that access point, allowing fast hand-offs of the device between access points within the network.
15 Claims
1. Independent claim 1 is reproduced in full under First Claim above; claims 2, 3, 4 and 5 depend from it.
6. In a wireless network (WLAN) including at least one mobile node (MN) roaming between access points of the wireless network, a system for reducing handoff latency, the system comprising:
means for authenticating the mobile node with an access point (AP) to produce a pairwise master key (PMK);
means for establishing a pairwise transient key (PTK) as a link layer session key to provide secure communication of 802.1X compatible messages and 802.11 compatible data between the mobile node and the access point;
means for associating the mobile node with the access point in said wireless network;
means for validating the signature information by the access point; and
means for delivering a protected group transient key (GTK) from the access point to the mobile node, the group transient key being used to protect broadcast traffic from the access point, the means for delivering comprises means for generating an association response to send to the MN containing an encrypted field protecting the GTK and including signature information indicative of the AP holding the same fresh/live key PTK as the MN;
means for validating the signature information by the MN and storing the encrypted GTK for use in multicast communications by the AP; and
means for forwarding a re-association confirmation message from the mobile node to the access point to confirm receipt of the group transient key by the mobile node;
wherein said means for establishing is adapted to establish said pairwise transient key PTK before said associating means is initiated;
wherein said re-associating means includes means for issuing a re-association request by said mobile node MN to the access point AP including signature information indicative of the mobile node MN holding a fresh/live pairwise transient key PTK;
wherein said means for issuing the re-association request by the mobile node includes means for issuing a resuscitation request as Authenticate PTK (SRandom, PTKID, MIC);
wherein said means for validating and said delivering includes means for delivering a re-association response from the access point to the mobile node as Authenticate PTK (ARandom, SRandom, PTKID, GTKID, GTK, MIC), deliver encrypted group key; and
wherein said means for forwarding the re-association confirmation message includes means for forwarding a re-association confirm from the mobile node to the access point as Group Key Confirm (ARandom, MIC).
(Dependent claims 7, 8, 9 and 10.)
11. An article of manufacture comprising a program storage medium readable by a computer and embodying one or more instructions executable by the computer to perform method steps for executing a command to perform a method of reducing handoff latency of a mobile node (MN) roaming between access points in a wireless network (WLAN), the method comprising:
authenticating the mobile node with an access point (AP) to produce a pairwise master key (PMK);
establishing a pairwise transient key (PTK) as a link layer session key to provide secure communication of 802.1X compatible messages and 802.11 compatible data between the mobile node and the access point;
associating the mobile node with the access point in said wireless network;
validating the signature information by the access point AP; and
delivering a protected group transient key (GTK) from the access point to the mobile node, the group transient key being used to protect communication between the mobile node and the access point, the delivering a protected GTK comprises generating an association response to send to the MN containing an encrypted field protecting the GTK and including signature information indicative of the AP holding the same fresh/live key PTK as the MN;
validating the signature information by the MN and storing the encrypted GTK for use in multicast communications by the AP; and
forwarding a re-association confirmation message from the mobile node to the access point to confirm receipt of the group transient key GTK by the mobile node;
wherein said establishing establishes said pairwise transient key PTK before said associating is initiated;
wherein said re-associating includes issuing a re-association request by said mobile node MN to the access point AP including signature information indicative of the mobile node MN holding a fresh/live pairwise transient key PTK, wherein said issuing the re-association request by the mobile node includes issuing a resuscitation request as Authenticate PTK (SRandom, PTKID, MIC);
wherein said validating and said delivering includes delivering a re-association response from the access point to the mobile node as Authenticate PTK (ARandom, SRandom, PTKID, GTKID, GTK, MIC), deliver encrypted group key; and
wherein said forwarding the re-association confirmation message includes forwarding a re-association confirm from the mobile node to the access point as Group Key Confirm (ARandom, MIC).
(Dependent claims 12, 13, 14 and 15.)