Subnet box

US 7,934,005 B2
Filed: 09/08/2004
Issued: 04/26/2011
Est. Priority Date: 09/08/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method of facilitating authentication and security at an edge of a network, the method permitting both secure and non-secure clients to simultaneously connect to the same access point, the method not requiring physical modification of the access point, the method comprising the steps of:

interposing an apparatus between a network and the network access point, the network access point not requiring modification, whereby all secure network traffic between a client and the network passes through the apparatus;

receiving, at the apparatus and from the client, a first random number encrypted using a cryptographic key associated with a token operably coupled to the client;

decrypting, at the apparatus and using a cryptographic key retrieved from a resource internal to the apparatus, the first random number;

sending, from the apparatus and to the client, a second random number encrypted using a cryptographic key associated with the apparatus;

generating, at the apparatus, a session key from at least the first random number and the second random number;

storing, at the apparatus, the session key in association with a source identifier;

receiving a data packet at the apparatus;

determining, at the apparatus, whether a source identifier exists in the data packet; and

if the source identifier exists,retrieving the session key from the local storage using the source identifier,decrypting a portion of the data packet using the session key, anddirecting the data packet toward its recipient;

wherein the generating, at the apparatus, the session key from at least the first random number and the second random number comprises computing a session key from the cryptographic key associated with the token operably coupled to the client using the first random number and the second random number, wherein one of the first random number and the second random number is used to select a first bit of the session key from the cryptographic key associated with the token operably coupled to the client, and wherein the other of the first random number and the second random number is used to select subsequent bits of the session key from the cryptographic key associated with the token operably coupled to the client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides an external in-line device (“Subnet Box”) placed between a network and an access point to achieve secure Wi-Fi communications without needing to modify the access point. The Subnet Box comprises an embedded token and will authenticate users based on pre-stored access rights. In at least one embodiment of the invention, the Subnet Box comprises: a first communications port for intercepting data packets communicated to and from a wired communications network; a second communications port for intercepting data packets communicated to and from a wireless access point, wherein the wireless access point is an edge device of the wired communications network; a database comprising a number of serial numbers each associated with a client token and a secret cryptographic key; and a processor for determining whether a computing device having a client token can access the wired communications network via the wireless access point. The processor establishes a secure tunnel between the computing device and the first communications port.

87 Citations

View as Search Results

17 Claims

1. A method of facilitating authentication and security at an edge of a network, the method permitting both secure and non-secure clients to simultaneously connect to the same access point, the method not requiring physical modification of the access point, the method comprising the steps of:
- interposing an apparatus between a network and the network access point, the network access point not requiring modification, whereby all secure network traffic between a client and the network passes through the apparatus;
  
  receiving, at the apparatus and from the client, a first random number encrypted using a cryptographic key associated with a token operably coupled to the client;
  
  decrypting, at the apparatus and using a cryptographic key retrieved from a resource internal to the apparatus, the first random number;
  
  sending, from the apparatus and to the client, a second random number encrypted using a cryptographic key associated with the apparatus;
  
  generating, at the apparatus, a session key from at least the first random number and the second random number;
  
  storing, at the apparatus, the session key in association with a source identifier;
  
  receiving a data packet at the apparatus;
  
  determining, at the apparatus, whether a source identifier exists in the data packet; and
  
  if the source identifier exists,retrieving the session key from the local storage using the source identifier,decrypting a portion of the data packet using the session key, anddirecting the data packet toward its recipient;
  
  wherein the generating, at the apparatus, the session key from at least the first random number and the second random number comprises computing a session key from the cryptographic key associated with the token operably coupled to the client using the first random number and the second random number, wherein one of the first random number and the second random number is used to select a first bit of the session key from the cryptographic key associated with the token operably coupled to the client, and wherein the other of the first random number and the second random number is used to select subsequent bits of the session key from the cryptographic key associated with the token operably coupled to the client.
- View Dependent Claims (2, 3, 4, 5, 11, 12, 13, 16, 17)
- - 2. The method of claim 1, wherein the step of retrieving comprises the steps of:
    - identifying a match to the source identifier within a stored list of source identifiers; and
      
      loading a cryptographic key associated with a matching source identifier from the pre-stored list of source identifiers.
  - 3. The method of claim 1, wherein the source identifier is a MAC address.
  - 4. The method of claim 1, further comprising the steps of:
    - the source identifier does not exist,identifying whether the data packet is a pass-through data packet, and then either directing the data packet toward its recipient if the data packet is identified as a pass-through data packet, ordropping the data packet if the data packet is not identified as a pass-through data packet.
  - 5. The method of claim 1, wherein the local storage comprises a token.
  - 11. The method of claim 1, further comprising:
    - determining that the data packet is a pass-through data packet; and
      
      directing the data packet toward its recipient.
  - 12. The method of claim 1 wherein the first random number encrypted using a cryptographic key associated with the token operably coupled to the client is contained in a packet configured to be broadcast to a plurality of nodes.
  - 13. The method of claim 1 wherein the receiving comprises receiving at the apparatus and from the client, a first random number encrypted using a cryptographic key associated with a token operably coupled to the client, wherein the first random number encrypted using a cryptographic key associated with a token operably coupled to the client is further encrypted using a cryptographic key associated with the apparatus.
  - 16. The method of claim 1, further comprising:
    - determining if the data packet includes a non-standard header type.
  - 17. The method of claim 16, wherein the non-standard header type is a Koolspan header type.

6. An apparatus for facilitating authentication and security at an edge of a network, the apparatus permitting both secure and non-secure clients to simultaneously connect to the same wireless access point without requiring physical modification of the access point, the apparatus comprising:
- a first communications port for intercepting data packets communicated to and from a wired communications network;
  
  a second communications port for intercepting data packets communicated to and from the wireless access point, wherein the wireless access point is an edge device of the wired communications network, the wireless access point not requiring modification;
  
  a database comprising a plurality of serial numbers each associated with a client token and a secret cryptographic key; and
  
  computer logic configured to;
  
  retrieve, in response to the apparatus receiving at the second communications port a first packet from a client, a cryptographic key associated with a serial number of a client token operably coupled to the client;
  
  decrypt a first random number received from the client using the cryptographic key associated with the serial number of the client token operably coupled to the client;
  
  encrypt a second random number using a cryptographic key associated with the apparatus, whereby an encrypted second random number is generated;
  
  direct the apparatus to send the encrypted second random number to the client;
  
  generate a session key from at least the first random number and the second random number;
  
  store the session key in association with the serial number of the client token operably coupled to the client;
  
  retrieve the session key in response to receiving a second packet containing an identifier, wherein the session key is retrieved using the identifier;
  
  decrypt at least a portion of the second packet using the session key; and
  
  direct the second data packet toward its recipient;
  
  wherein the generating, at the apparatus, the session key from at least the first random number and the second random number comprises computing a session key from the cryptographic key associated with the token operably coupled to the client using the first random number and the second random number, wherein one of the first random number and the second random number is used to select a first bit of the session key from the cryptographic key associated with the token operably coupled to the client, and wherein the other of the first random number and the second random number is used to select subsequent bits of the session key from the cryptographic key associated with the token operably coupled to the client.
- View Dependent Claims (7, 8, 9, 10, 14, 15)
- - 7. The apparatus of claim 6, wherein the first and second communication ports are Ethernet ports.
  - 8. The apparatus of claim 6, wherein the database is stored in a smart card.
  - 9. The apparatus of claim 6, wherein the wireless access point is an IEEE 802.11 access point.
  - 10. The apparatus of claim 6, wherein the wired network is a LAN.
  - 14. The apparatus of claim 6 wherein the first random number is received in a packet configured to be broadcast to a plurality of nodes.
  - 15. The apparatus of claim 6 wherein the first random number received from the client is encrypted using the cryptographic key associated with the serial number of the client token operably coupled to the client and is further encrypted using a cryptographic key associated with the apparatus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KoolSpan, Inc.
Original Assignee
KoolSpan, Inc.
Inventors
Fascenda, Anthony C.
Primary Examiner(s)
Mesfin; Yemane
Assistant Examiner(s)
BENGZON, GREG C

Application Number

US10/935,123
Publication Number

US 20050091483A1
Time in Patent Office

2,421 Days
Field of Search

709220-229, 709201-203, 709/243, 709249-250, 709/200, 370/338, 370/389, 370/392, 370/395.3, 370/395.52, 455/414.1, 713153-159, 713169-175, 726/20, 726/23, 726/29
US Class Current

709/229
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 2463/061   applying further key deriva...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/101   Access control lists [ACL]

H04L 9/3234   involving additional secure...

H04W 12/041   Key generation or derivation

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 84/12   WLAN [Wireless Local Area N...

Subnet box

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Subnet box

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links