Tunneling security association messages through a mesh network

US 7,707,415 B2
Filed: 09/07/2006
Issued: 04/27/2010
Est. Priority Date: 09/07/2006
Status: Active Grant

First Claim

Patent Images

1. A method for establishing security associations within a wireless Mesh communication network, the method comprising:

authenticating one or more Mesh Authenticators with an Authentication Server using the Mesh Key Distributor as an Authentication, Authorization and Accounting (AAA) client for the Authentication Server, including creating a master key for each Mesh Authenticator and delivering the master key to the Mesh Key Distributor;

maintaining a secure communication channel using one or more layer 2 protocols between the Mesh Key Distributor and one or more Mesh Authenticators including deriving from the master key for each of the one or more Mesh Authenticators;

at least one derived Mesh Authenticator key for communicating between the Mesh Key Distributor and the Mesh Authenticator, andat least one derived Mesh Authenticator key for key delivery from the Mesh Key Distributor to the Mesh Authenticator for establishing new Supplicant security associations; and

establishing a security association of a Supplicant node including;

communicating an Extensible Authentication Protocol (EAP) request message from the Supplicant node to one of the Mesh Authenticators,communicating the EAP request message from the Supplicant node to the Authentication Server by passing the EAP request message within an EAP encapsulation request message from the Mesh Authenticator to the Mesh Key Distributor over the secure communication channel using the derived key for communicating, and from the Mesh Key Distributor to the Authentication server,communicating an EAP response message from the Authentication Server to the Mesh Key Distributor,communicating the EAP response message and a message type between the Mesh Key Distributor and the Mesh Authenticator to communicate encapsulated EAP response messages, using the secure communication channel between the Mesh Key Distributor and the Mesh Authenticator, wherein the message type indicating whether the supplicant node is accepted or should not be granted access to the mesh,communicating the EAP response message from the Mesh Authenticator to the Supplicant node, andestablishing the security association of the Supplicant node using a distributed unwrapped key when the message type is an accept message type.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure relates to techniques and technologies for establishing a secure link between a mesh authenticator and a mesh key distributor for transporting security association messages. The secure link can allow the mesh key distributor to communicate results of an authentication process to the mesh authenticator.

59 Citations

View as Search Results

17 Claims

1. A method for establishing security associations within a wireless Mesh communication network, the method comprising:
- authenticating one or more Mesh Authenticators with an Authentication Server using the Mesh Key Distributor as an Authentication, Authorization and Accounting (AAA) client for the Authentication Server, including creating a master key for each Mesh Authenticator and delivering the master key to the Mesh Key Distributor;
  
  maintaining a secure communication channel using one or more layer 2 protocols between the Mesh Key Distributor and one or more Mesh Authenticators including deriving from the master key for each of the one or more Mesh Authenticators;
  
  at least one derived Mesh Authenticator key for communicating between the Mesh Key Distributor and the Mesh Authenticator, andat least one derived Mesh Authenticator key for key delivery from the Mesh Key Distributor to the Mesh Authenticator for establishing new Supplicant security associations; and
  
  establishing a security association of a Supplicant node including;
  
  communicating an Extensible Authentication Protocol (EAP) request message from the Supplicant node to one of the Mesh Authenticators,communicating the EAP request message from the Supplicant node to the Authentication Server by passing the EAP request message within an EAP encapsulation request message from the Mesh Authenticator to the Mesh Key Distributor over the secure communication channel using the derived key for communicating, and from the Mesh Key Distributor to the Authentication server,communicating an EAP response message from the Authentication Server to the Mesh Key Distributor,communicating the EAP response message and a message type between the Mesh Key Distributor and the Mesh Authenticator to communicate encapsulated EAP response messages, using the secure communication channel between the Mesh Key Distributor and the Mesh Authenticator, wherein the message type indicating whether the supplicant node is accepted or should not be granted access to the mesh,communicating the EAP response message from the Mesh Authenticator to the Supplicant node, andestablishing the security association of the Supplicant node using a distributed unwrapped key when the message type is an accept message type.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method according to claim 1, further comprising:
    - authenticating the Supplicant node at the Authentication Server prior to communicating the EAP response message from the Authentication Server to the Mesh Key Distributor.
  - 3. A method according to claim 2, wherein the message type comprises:
    - an accept message type when the authentication of the Supplicant node is successful and the Authentication Server provided an accept indication to the Mesh Key Distributor to indicate that the Supplicant node is accepted.
  - 4. A method according to claim 3, wherein the accept message type provides an indication to the Mesh Authenticator that the Supplicant node should be granted access.
  - 5. A method according to claim 2, wherein the message type comprises:
    - a reject message type when the authentication of the Supplicant node is a failure, and the Authentication Server provided a reject indication to the Mesh Key Distributor to indicate that the Supplicant node is rejected.
  - 6. A method according to claim 5, wherein the reject message type provides an indication to the Mesh Authenticator that the Supplicant node should not be granted access.
  - 7. A method according to claim 5, further comprising:
    - terminating an association with the Supplicant node at the Mesh Authenticator when the Mesh Authenticator receives the EAP encapsulation response message comprising the reject message type.
  - 8. A method according to claim 1, wherein the EAP encapsulation request message comprises:
    - a category field;
      
      an action value field; and
      
      an EAP encapsulation information element.
  - 9. A method according to claim 8, wherein the EAP encapsulation information element comprises:
    - a message integrity check (MIC) field which contains a message integrity check value for integrity checking and ensures that a valid EAP message is passed to the Authentication Server from the Mesh Key Distributor;
      
      a EAP message type field which specifies that the message type is a request;
      
      a message token field which specifies a unique nonce value chosen by the Mesh Authenticator; and
      
      an EAP message field which contains the EAP request message.
  - 10. A method according to claim 9, wherein the EAP encapsulation information element further comprises:
    - a Message Integrity Check (MIC) control field which comprises a MIC algorithm field used to select an algorithm for calculating the MIC, a reserved field and an information element (IE) count field which specifies that one IE is protected by the MIC and included in the MIC calculation; and
      
      an address field which specifies a Medium Access Control (MAC) address of the Supplicant node.
  - 11. A method according to claim 9, further comprising upon receiving the EAP encapsulation request message at the Mesh Key Distributor:
    - verifying the MIC value; and
      
      storing the unique nonce value specified in the message token field for use in constructing the EAP encapsulation response message.
  - 12. A method according to claim 1, wherein the EAP encapsulation response message provides an indication to the Mesh Authenticator to perform appropriate action when authenticating the Supplicant node.
  - 13. A method according to claim 1, wherein the EAP encapsulation response message comprises:
    - a category field;
      
      an action value; and
      
      an EAP encapsulation information element.
  - 14. A method according to claim 13, wherein the EAP encapsulation information element comprises:
    - a message integrity check (MIC) field which contains a message integrity check value for integrity checking to ensure that a valid EAP response message is passed to the Supplicant node from the Mesh Authenticator;
      
      an EAP message type field which specifies the message type;
      
      a message token field which contains the value of the message token field in the corresponding EAP encapsulation request message to which the EAP encapsulation response message corresponds, wherein the message token field specifies a value that is identical to the unique nonce value chosen by the Mesh Authenticator; and
      
      an EAP message field which contains the EAP response message.
  - 15. A method according to claim 14, wherein the EAP encapsulation information element further comprises:
    - a Message Integrity Check (MIC) control field which comprises a MIC algorithm field which is used to select an algorithm for calculating the MIC, a reserved field and an information element (IE) count field which specifies that the frame includes one IE to be protected by the MIC and included in the MIC calculation; and
      
      an address field which specifies a Medium Access Control (MAC) address of the Supplicant node.
  - 16. A method according to claim 14, further comprising upon receiving the EAP encapsulation response message from the Mesh Key Distributor at the Mesh Authenticator:
    - verifying the message integrity check value at the Mesh Authenticator;
      
      using the message token field to verify that the message token received in the EAP encapsulation response message matches the message token sent in the corresponding EAP encapsulation request message.
  - 17. A method according to claim 1, wherein the wireless communication network comprises an ad hoc multi hop communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ARRIS Enterprises LLC (CommScope Holding Company, Inc.)
Original Assignee
Motorola, Inc. (Motorola Solutions, Inc.)
Inventors
Braskich, Anthony J., Emeott, Stephen P.
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US11/470,973
Publication Number

US 20080063205A1
Time in Patent Office

1,328 Days
Field of Search

713/168
US Class Current

713/168
CPC Class Codes

H04L 63/0892   by using authentication-aut...

H04L 63/123   received data contents, e.g...

H04L 63/162   at the data link layer

H04W 12/069   using certificates or pre-s...

Tunneling security association messages through a mesh network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Tunneling security association messages through a mesh network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links