802.11 using a compressed reassociation exchange to facilitate fast handoff

US 7,350,077 B2
Filed: 04/17/2003
Issued: 03/25/2008
Est. Priority Date: 11/26/2002
Status: Active Grant

First Claim

Patent Images

1. A method for establishing a secure association for a mobile node with a network, the steps comprising:

associating with an access point;

authenticating the mobile node using an extensible authentication protocol by the access point;

establishing a network session key; and

wherein the network session key is used to establish a key request key and a base transient key;

wherein the base transient key is used as a counter mode key generator to provide fresh pairwise transient keys;

wherein the key request key is used by the mobile node to prove it has proper authorization for a session;

wherein roaming after establishing the network session key comprises;

incrementing a rekey number, producing an incremented rekey number,generating a fresh pairwise transient key based on the incremented rekey number;

sending a reassociation request to a new access point, the reassociation request containing the incremented rekey number, andverifying the new access point is using the fresh pairwise transient key based on the incremented rekey number.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for handling roaming mobile nodes in a wireless network. The system uses a Subnet Context Manager to store current Network session keys, security policy and duration of the session (e.g. session timeout) for mobile nodes, which is established when the mobile node is initially authenticated. Pairwise transit keys are derived from the network session key. The Subnet Context Manager handles subsequent reassociation requests. When a mobile node roams to a new access point, the access point obtains the network session key from the Subnet Context Manager and validates the mobile node by computing a new pairwise transient key from the network session key.

Citations

42 Claims

1. A method for establishing a secure association for a mobile node with a network, the steps comprising:
- associating with an access point;
  
  authenticating the mobile node using an extensible authentication protocol by the access point;
  
  establishing a network session key; and
  
  wherein the network session key is used to establish a key request key and a base transient key;
  
  wherein the base transient key is used as a counter mode key generator to provide fresh pairwise transient keys;
  
  wherein the key request key is used by the mobile node to prove it has proper authorization for a session;
  
  wherein roaming after establishing the network session key comprises;
  
  incrementing a rekey number, producing an incremented rekey number,generating a fresh pairwise transient key based on the incremented rekey number;
  
  sending a reassociation request to a new access point, the reassociation request containing the incremented rekey number, andverifying the new access point is using the fresh pairwise transient key based on the incremented rekey number.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 40, 41, 42)
- - 2. The method of claim 1 further comprising sending the network session key to a Subnet Context Manager.
  - 3. The method of claim 1 wherein the extensible authentication protocol is 802.1X compliant.
  - 4. The method of claim 1 further comprising authenticating key refreshes using the key request key.
  - 5. The method of claim 4 further comprising deriving a pairwise transient keys using the base transient key.
  - 6. The method of claim 1 further comprising delivering the group transient key in the re-association request to compress and optimize messages.
  - 7. The method of claim 1 further comprising computing a Key Request Key and a Base Transient Key from the network session key using a pseudo random function.
  - 8. The method of claim 1 further comprising sending a re-association request, the re-association request comprising a rekey request number and an authenticated element.
  - 9. The method of claim 8 further comprising verifying the rekey request number of the re-association request is greater than a previous rekey request number.
  - 10. The method of claim 8 wherein the re-association request further comprises replay protection.
  - 11. The method of claim 10 wherein the replay protection comprises a timestamp.
  - 12. The method of claim 10 wherein the replay protection comprises a random challenge.
  - 13. The method of claim 8 wherein the authenticated element authenticates a security policy defined by the mobile node.
  - 40. A method according to claim 1, the verifying step further comprises retrieving group transient key from the new access point using the fresh pairwise key.
  - 41. A method according to claim 1, further comprisingthe reassociation request further comprising a mobile node identification and an authentication element;
    - validating the current security association to the network by use of the key request key; and
      
      the verifying step further comprising receiving a response from the new access point, the response comprising an authentication element, the authentication element comprising delivery of a new group transient key, and proof of possession of the fresh pairwise transient key by using the new pairwise transient key to authenticate the element.
  - 42. The method according to claim 1, wherein roaming comprises a rekey sequence, the rekey sequence comprising:
    - computing an authentication element, the authentication element comprising a rekey request number and the fresh pairwise transient key;
      
      transmitting to the new access point a call for a new pairwise transient key and alerting the new access point that the mobile node is ready to receive and transmit using the fresh pairwise transient key;
      
      receiving a response authentication element from the new access point; and
      
      the verifying step comprises verifying the response authentication element comprises the fresh pairwise transient key and receipt of the group transient key.

14. A mobile node, comprising:
- means for associating with an access point;
  
  means for authenticating the mobile node using an extensible authentication protocol by the access point;
  
  means for establishing a network session key; and
  
  wherein the network session key is used to establish a key request key and a base transient key;
  
  wherein the base transient key is used as a counter mode key generator to provide fresh pairwise transient keys;
  
  wherein the key request key is used by the mobile node to prove it has proper authorization for a session; and
  
  means for roaming, the means for roaming comprises means for incrementing a rekey number, producing an incremented rekey number, means for generating a fresh pairwise transient key based on the incremented rekey number, means for sending a reassociation request to a new access point, the new reassociation request containing the incremented rekey number, and means for verifying the new access point is using the fresh pairwise transient key based on the incremented rekey number.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The mobile node of claim 14 further comprising means for sending the network session key to a Subnet Context Manager.
  - 16. The mobile node of claim 14 wherein the extensible authentication protocol is 802.1X compliant.
  - 17. The mobile node of claim 14 further comprising means for authenticating key refreshes using the key request key.
  - 18. The mobile node of claim 17 further comprising means for deriving a pairwise transient keys using the base transient key.
  - 19. The mobile node of claim 14 further comprising means for delivering the group transient key in the re-association request to compress and optimize messages.
  - 20. The mobile node of claim 14 further comprising means for computing a Key Request Key and a Base Transient Key from the network session key using a pseudo random function.
  - 21. The mobile node of claim 14 further comprising means for sending a re-association request, the re-association request comprising a rekey request number and an authenticated element.
  - 22. The mobile node of claim 21 further means for comprising verifying the rekey request number of the re-association request is greater than a previous rekey request number.
  - 23. The mobile node of claim 21 wherein the means for re-association request further comprises means for replay protection.
  - 24. The mobile node of claim 23 wherein the means for replay protection comprises means for using a timestamp.
  - 25. The mobile node of claim 23 wherein the means for replay protection comprises means for a random challenge.
  - 26. The mobile node of claim 21 wherein the authenticated element authenticates a security policy defined by the mobile node.

27. A computer program product having a computer readable medium having computer program logic recorded thereon for establishing a secure association for a mobile node with a network, comprising means for associating with an access point;
- means for authenticating the computer readable instructions using an extensible authentication protocol by the access point;
  
  means for establishing a network session key; and
  
  wherein the network session key is used to establish a key request key and a base transient key;
  
  wherein the base transient key is used as a counter mode key generator to provide fresh Pairwise transient keys;
  
  wherein the key request key is used by the computer readable instructions to prove it has proper authorization for a session; and
  
  means for roaming, the means for roaming comprises means for incrementing a rekey number, producing an incremented rekey number, means for generating a fresh pairwise transient key based on the incremented rekey number, means for sending a reassociation request to a new access point, the new reassociation request containing the incremented rekey number, and means for verifying the new access point is using the fresh pairwise transient key based on the incremented rekey number.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 28. The computer program product of claim 27 further comprising means for sending the network session key to a Subnet Context Manager.
  - 29. The computer program product of claim 27 wherein the extensible authentication protocol is 802.1X compliant.
  - 30. The computer program product of claim 27 further comprising means for authenticating key refreshes using the key request key.
  - 31. The computer program product of claim 30 further comprising means for deriving a pairwise transient keys using the base transient key.
  - 32. The computer program product of claim 27 further comprising means for delivering the group transient key in the re-association request to compress and optimize messages.
  - 33. The computer program product of claim 27 further comprising means for computing a Key Request Key and a Base Transient Key from the network session key using a pseudo random function.
  - 34. The computer program product of claim 27 further comprising means for sending a re-association request, the re-association request comprising a rekey request number and an authenticated element.
  - 35. The computer program product of claim 34 further means for comprising verifying the rekey request number of the re-association request is greater than a previous rekey request number.
  - 36. The computer program product of claim 34 wherein the means for re-association request further comprises means for replay protection.
  - 37. The computer program product of claim 36 wherein the means for replay protection comprises means for using a timestamp.
  - 38. The computer program product of claim 36 wherein the means for replay protection comprises means for a random challenge.
  - 39. The computer program product of claim 34 wherein the authenticated element authenticates a security policy defined by the computer program product.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Meier, Robert, Smith, Douglas, Rebo, Richard D., Winget, Nancy Cam, Griswold, Victor J.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Tolentino; Roderick

Application Number

US10/417,653
Publication Number

US 20040103282A1
Time in Patent Office

1,804 Days
Field of Search

713/171, 713/168, 370/338
US Class Current

713/171
CPC Class Codes

G06Q 20/3674   involving authentication

H04L 2209/80   Wireless

H04L 2463/061   applying further key deriva...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 9/0836   using tree structure or hie...

H04L 9/0891   Revocation or update of sec...

H04W 12/04   Key management, e.g. using ...

H04W 12/062   Pre-authentication

H04W 84/12   WLAN [Wireless Local Area N...

Y10S 707/99945   Object-oriented database st...

Y10S 707/99948   Application of database or ...

802.11 using a compressed reassociation exchange to facilitate fast handoff

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

802.11 using a compressed reassociation exchange to facilitate fast handoff

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links