Derivation method for cached keys in wireless communication system

US 7,558,388 B2
Filed: 10/15/2004
Issued: 07/07/2009
Est. Priority Date: 10/15/2004
Status: Active Grant

First Claim

Patent Images

1. A system for communicating information over a wireless network, comprising:

an authentication server operable to generate a first authentication key;

a controller operable to receive and store the first authentication key and to generate derived authentication keys therefrom;

a plurality of access points operable to advertise;

a cache hierarchy depth (N) supported by the plurality of access points, in which the plurality of access points are hierarchically arranged from the authentication server that is at cache hierarchy depth zero and in which N is greater than one and designates a farthest depth of a hierarchy for the access points;

a hierarchically ordered list of identifiers for a derivation path for derived authentication keys;

wherein selected access points are operable to generate transient authentication keys from respective derived authentication keys of N−

1 hierarchy level and when a particular access point lacks a hierarchy level to generate a N−

1 level derived authentication key, the particular access point is to calculate the N−

1 level derived authentication key in order to generate a transient authentication key, so that all transient authentication keys are generated from derived authentication keys of the N−

1 hierarchy level; and

a station operable to associate with selected access points in the plurality of access points and to mutually derive the transient authentication keys therefrom to establish an authenticated connection within the wireless network.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing improved security and improved roaming transition times in wireless networks. In the present invention, the same pairwise master key (PMK) from an authentication server can be used across multiple access points and a new pairwise transition key (PTK) is derived for each association of a station to any of the access points. A plurality of access points are organized in functional hierarchical levels and are operable to advertise an indicator of the PMK cache depth supported by a group of access points (N) and an ordered list of the identifiers for the derivation path. Access points in each level in the cache hierarchy compute the derived pairwise master keys (DPMKs) for devices in the next lower level in the hierarchy and then deliver the DPMKs to those devices. An access point calculates the PTK as part of the security exchange process when the station wishes to associate to the access point. The station also computes the PTK as part of the security exchange process. The station calculates all the DMPKs in the hierarchy as part of computing the PTK. The method and apparatus of the present invention allows the cache depth to vary per station, but it remains constant for a given station within a key circle.

Citations

21 Claims

1. A system for communicating information over a wireless network, comprising:
- an authentication server operable to generate a first authentication key;
  
  a controller operable to receive and store the first authentication key and to generate derived authentication keys therefrom;
  
  a plurality of access points operable to advertise;
  
  a cache hierarchy depth (N) supported by the plurality of access points, in which the plurality of access points are hierarchically arranged from the authentication server that is at cache hierarchy depth zero and in which N is greater than one and designates a farthest depth of a hierarchy for the access points;
  
  a hierarchically ordered list of identifiers for a derivation path for derived authentication keys;
  
  wherein selected access points are operable to generate transient authentication keys from respective derived authentication keys of N−
  
  1 hierarchy level and when a particular access point lacks a hierarchy level to generate a N−
  
  1 level derived authentication key, the particular access point is to calculate the N−
  
  1 level derived authentication key in order to generate a transient authentication key, so that all transient authentication keys are generated from derived authentication keys of the N−
  
  1 hierarchy level; and
  
  a station operable to associate with selected access points in the plurality of access points and to mutually derive the transient authentication keys therefrom to establish an authenticated connection within the wireless network.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the first authentication key comprises a pairwise master key.
  - 3. The system of claim 1, wherein the derived authentication keys comprise derived pairwise master keys.
  - 4. The system of claim 1, wherein the transient authentication keys comprise pairwise transient keys.

5. A method for communicating information over a wireless network, comprising:
- initiating an association between a station and a first access point, thereby causing an authentication server to generate a first authentication key;
  
  storing the first authentication key in a controller and generating derived authentication keys therefrom;
  
  receiving the derived authentication keys in selected access points in a plurality of access points wherein the plurality of access points are operable to advertise;
  
  a cache hierarchy depth (N) supported by the plurality of access points, in which the plurality of access points are hierarchically arranged from the authentication server that is at cache hierarchy depth zero and in which N is greater than one and designates a farthest depth of a hierarchy for the access points;
  
  a hierarchically ordered list of identifiers for a derivation path for derived authentication keys;
  
  wherein selected access points are operable to generate transient authentication keys for use by a station from respective derived authentication keys of N−
  
  1 hierarchy level and when a particular access point lacks a hierarchy level to generate a N−
  
  1 level derived authentication key, the particular access point is to calculate the N−
  
  1 level derived authentication key in order to generate a transient authentication key, so that all transient authentication keys are generated from derived authentication keys of the N−
  
  1 hierarchy level; and
  
  associating a station with selected access points in the plurality of access points and receiving transient authentication keys therefrom to establish an authenticated connection within the wireless network.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, wherein the first authentication key comprises a pairwise master key.
  - 7. The method of claim 5, wherein the derived authentication keys comprise derived pairwise master keys.
  - 8. The method of claim 5, wherein the transient authentication key comprises a pairwise transient key.

9. A system for communicating information over a wireless network, comprising:
- an authentication server operable to generate a first authentication key;
  
  a plurality of access points operable to advertise;
  
  a cache hierarchy depth (N) supported by the plurality of access points, in which the plurality of access points are hierarchically arranged from the authentication server that is at cache hierarchy depth zero and in which N is greater than one and designates a farthest depth of a hierarchy for the access points; and
  
  a hierarchically ordered list of identifiers for a derivation path for derived authentication keys;
  
  whereinselected access points are operable to generate transient authentication keys from respective derived authentication keys of N−
  
  1 hierarchy level and when a particular access point lacks a hierarchy level to generate a N−
  
  1 level derived authentication key, the particular access point is to calculate the N−
  
  1 level derived authentication key in order to generate a transient authentication key, so that all transient authentication keys are generated from derived authentication keys of the N−
  
  1 hierarchy level; and
  
  a station operable to associate with selected access points in the plurality of access points and to mutually derive the transient authentication keys therefrom to establish an authenticated connection within the wireless network.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system of claim 9, wherein the system further includes a plurality of controllers operable to generate derived authentication keys.
  - 11. The system of claim 9, wherein the system further includes a plurality of controllers organized at more than one hierarchy level and wherein the controllers in the hierarchy levels are operable to compute derived authentication keys.
  - 12. The system of claim 10, wherein at least one of the access points is at a same hierarchy level as one of the controllers.
  - 13. The system of claim 9, wherein the first authentication key comprises a pairwise master key.
  - 14. The system of claim 9, wherein the derived authentication keys comprise derived pairwise master keys.
  - 15. The system of claim 9, wherein the transient authentication keys comprise pairwise transient keys.

16. A system for communicating information over a wireless network having a plurality of hierarchal functional levels, comprising:
- an authentication server operable to generate a first authentication key, wherein the authentication server is at hierarchy level zero;
  
  a controller at hierarchy level one, in which the controller is operable to receive and store the first authentication key and to generate derived authentication keys therefrom;
  
  a plurality of access points operable to advertise;
  
  a cache hierarchy depth (N) supported by the plurality of access points, in which the plurality of access points are hierarchically arranged from the authentication server that is at cache hierarchy depth zero and in which N is greater than one and designates a farthest depth of a hierarchy for the access points; and
  
  a hierarchically ordered list of identifiers for a derivation path for derived authentication keys;
  
  whereinselected access points are operable to generate transient authentication keys from respective derived authentication keys of N−
  
  1 hierarchy level and when a particular access point lacks a hierarchy level to generate a N−
  
  1 level derived authentication key, the particular access point is to calculate the N−
  
  1 level derived authentication key in order to generate a transient authentication key, so that all transient authentication keys are generated from derived authentication keys of the N−
  
  1 hierarchy level;
  
  a station operable to associate with selected access points in the plurality of access points and to mutually derive the transient authentication keys therefrom to establish an authenticated connection within the wireless network.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The system of claim 16, wherein at least one of the controllers includes an authenticator.
  - 18. The system of claim 16, wherein the access points are functionally arranged having different tiers in the hierarchy.
  - 19. The system of claim 16, wherein the first authentication key comprises a pairwise master key.
  - 20. The system of claim 16, wherein the derived authentication keys comprise derived pairwise master keys.
  - 21. The system of claim 16, wherein the transient authentication keys comprise pairwise transient keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Ptasinski, Henry S.
Primary Examiner(s)
Moazzami; Nasser G
Assistant Examiner(s)
McNally; Michael S

Application Number

US10/966,276
Publication Number

US 20060083377A1
Time in Patent Office

1,726 Days
Field of Search

380/270
US Class Current

380/270
CPC Class Codes

H04L 2209/80   Wireless

H04L 2463/061   applying further key deriva...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0892   by using authentication-aut...

H04L 9/0836   using tree structure or hie...

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 84/12   WLAN [Wireless Local Area N...

Derivation method for cached keys in wireless communication system

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Derivation method for cached keys in wireless communication system

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links