Communications security

US 7,624,271 B2
Filed: 03/24/2005
Issued: 11/24/2009
Est. Priority Date: 03/24/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method of re-authenticating a device'"'"'s access to a communications node, the method comprising:

generating by the communications node, a first ANonce for use in derivation of a first pair-wise transient key (PTK);

authenticating by the communication node, in a first communications exchange, the device'"'"'s access to the communication node using at least partially the first PTK;

storing by the communication node, the first ANonce;

associating by the communication node, with the device by establishing a communication link between the communication node and the device based at least in part on said authenticating; and

subsequent to a duration of time during which the communication node and the device are not associated, re-associating by the communication node with the device by re-establishing the communication link between the communication node and the device, wherein the duration of time occurs subsequent to said associating, wherein said re-associating further comprises;

modifying by the communications node, independent of the device, the first ANonce stored in the communication node to create a second ANonce; and

re-authenticating by the communication node, in a second communications exchange, the device'"'"'s access to the communication node using at least partially the second ANonce.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of authenticating a device'"'"'s access to a communications node is disclosed. The method of operation includes the communications node generating a first value for use in the derivation of a first encryption key, the first encryption key being at least partially used to authenticate the device'"'"'s access to the communications node in a first communications exchange. The method of operation includes the communications node modifying the first value, independent of the device, to create a second value. The method includes the communications node using the second value in authenticating the device'"'"'s access to the communications node in a second communications exchange. Embodiments of the present invention include but are not limited to communications nodes and devices, subsystems, and systems equipped to operate in the above-described manner.

31 Citations

View as Search Results

22 Claims

1. A method of re-authenticating a device'"'"'s access to a communications node, the method comprising:
- generating by the communications node, a first ANonce for use in derivation of a first pair-wise transient key (PTK);
  
  authenticating by the communication node, in a first communications exchange, the device'"'"'s access to the communication node using at least partially the first PTK;
  
  storing by the communication node, the first ANonce;
  
  associating by the communication node, with the device by establishing a communication link between the communication node and the device based at least in part on said authenticating; and
  
  subsequent to a duration of time during which the communication node and the device are not associated, re-associating by the communication node with the device by re-establishing the communication link between the communication node and the device, wherein the duration of time occurs subsequent to said associating, wherein said re-associating further comprises;
  
  modifying by the communications node, independent of the device, the first ANonce stored in the communication node to create a second ANonce; and
  
  re-authenticating by the communication node, in a second communications exchange, the device'"'"'s access to the communication node using at least partially the second ANonce.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said re-authenticating comprises the communication node using the second ANonce to derive a second PTK, the second PTK being at least partially used to authenticate the device'"'"'s access to the communications node in the second communications exchange.
  - 3. The method of claim 1, wherein the first ANonce is a random or a pseudo-random value.
  - 4. The method of claim 1, wherein said modifying of the first ANonce comprises incrementing by the communication node, independent of the device, the first ANonce to create the second ANonce.
  - 5. The method of claim 1, wherein said modifying of the first ANonce comprises incrementing by the communication node, independent of the device, the first ANonce to create the second ANonce, such that the second ANonce=the first ANonce+1.
  - 6. The method of claim 1, wherein the communications node is an 802.11 compliant or compatible access point.
  - 7. The method of claim 1, wherein a derivation of the first PTK is an 802.11i Pair-wise Transient Key derivation.

8. A method of re-authenticating a device'"'"'s access to a communications node, the method comprising:
- communicating, by the device with the communications node in a first communications exchange, the device being authenticated to the communications node using a first pair-wise transient key (PTK) derived from a first ANonce generated by the communications node;
  
  storing by the device, the first ANonce;
  
  establishing by the device, a communication link with the communication node based at least in part on the device being authenticated to the communications node;
  
  terminating by the device, the communication link between the device and the communication node subsequent to establishing the communication link; and
  
  re-establishing by the device, the communication link with the communication node subsequent to said termination, said re-establishing comprising;
  
  modifying by the device, independent of the communications node, the first ANonce to create a second ANonce; and
  
  communicating by the device, with the communications node in a second communications exchange, using the second ANonce, the device being re-authenticated to the communications node using a copy of the second ANonce independently generated by the communications node.
- View Dependent Claims (9, 10)
- - 9. The method of claim 8, wherein said modifying of the first ANonce comprises incrementing by the device, independent of the communications node, the first ANonce.
  - 10. The method of claim 8, wherein the device is an 802.11 compliant or compatible station.

11. A communications node comprising:
- a transmitter; and
  
  a controller coupled to the transmitter, the controller designed to;
  
  generate a first ANonce for use in derivation of a first pair-wise transient key (PTK), the first PTK being at least partially used to authenticate a device'"'"'s access to the communications node in a first communications exchange,store the first ANonce in the communication node;
  
  associate with the device by establishing a communication link between the communication node and the device based at least in part on authenticating the device'"'"'s access to the communications node; and
  
  subsequent to a duration of time during which the communication node and the device are not associated, re-associate with the device by re-establishing the communication link between the communication node and the device, wherein the duration of time occurs subsequent to said associating, wherein during said re-associating, the controller is further designed to;
  
  modify, independent of the device, the first ANonce to create a second ANonce, the controller designed to use the second ANonce in re-authenticating the device'"'"'s access to the communications node in a second communications exchange.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The communications node of claim 11, wherein the controller is designed to use the second ANonce in the derivation of a second PTK, the second PTK being at least partially used to authenticate the device'"'"'s access to the communications node in the second communications exchange.
  - 13. The communications node of claim 11, wherein the first ANonce is a random or a pseudo-random value.
  - 14. The communications node of claim 11, wherein the controller is designed to modify the first ANonce, independent of the device, by incrementing the first ANonce.
  - 15. The communications node of claim 11, wherein the communications node is an 802.11 compliant or compatible access point.
  - 16. The communications node of claim 11, wherein the controller is designed to derive the first PTK using an 802.11i Pair-wise Transient Key derivation.

17. A method of comprising:
- associating a wireless station (STA) with a first access point (AP);
  
  re-associating the STA with a second AP subsequent to associating with the first AP, said re-associating including;
  
  determining, by the STA, that a pair-wise master key identifier (PMKID) tuple associated with the second AP has been cached at the STA prior to an initiation of said re-associating with the second AP, wherein the PMKID tuple includes a first ANonce and a basic service set identifier (BSSID) of the second AP, wherein the PMKID tuple associated with the second AP is cached at the STA from a previous association of the STA with the second AP, said previous association occurring prior to an initiation of said associating with the first AP, wherein during said previous association the STA establishes a communication link with the second AP;
  
  modifying, by the STA, independent of the second AP, the first ANonce to create a second ANonce in response to at least in part on said determining; and
  
  communicating, by the STA, the second ANonce to the second AP for being re-associated with the second AP.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, wherein said modifying comprises incrementing the first ANonce to create the second ANonce.
  - 19. The method of claim 17, wherein said re-associating with the second AP further comprises:
    - caching, by the STA, a second PMKID tuple associated with the second AP, to be used during a future re-association with the second STA, the second PMKID tuple including the second ANonce and the BSSID of the second AP.

20. A method of re-authenticating a wireless station'"'"'s (STA'"'"'s) access to a first access point (AP), comprising:
- determining, by the first AP, that a pair-wise master key identifier (PMKID) tuple has been cached in the first AP prior to an initiation of said re-authenticating, during a previous association of the STA with the first AP, wherein during said previous association the STA establishes a communication link with the first AP, the PMKID including a media access control (MAC) address of the STA and a first ANonce associated with said STA;
  
  receiving, by the first AP, a second ANonce from the STA;
  
  comparing, by the first AP, the received second ANonce with the first ANonce included in the cached PMDIK tuple; and
  
  re-authenticating, by the first AP, the STA'"'"'s access to the first AP based at least in part on said comparing.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20, further comprising:
    - caching, by the first AP, a second PMKID tuple associated with the STA, to be used during a future re-authentication of the STA to the first AP, the second PMKID tuple including the second ANonce, a basic service set identifier (BSSID) of the second AP, and the MAC address of the STA.
  - 22. The method of claim 20, wherein the PMKID tuple is cached in the first AP during a prior authentication of the STA'"'"'s access to the first AP, the prior authentication occurring prior to the initiation of said re-authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Sood, Kapil, Walker, Jesse
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US11/090,822
Publication Number

US 20060218398A1
Time in Patent Office

1,706 Days
Field of Search

380/44, 380/270, 380/273, 713/171
US Class Current

713/171
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 2463/081   applying self-generating cr...

H04L 63/0823   using certificates cryptogr...

H04L 9/0844   with user authentication or...

H04L 9/3273   for mutual authentication n...

Communications security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Communications security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links