Subnet box
2 Assignments
0 Petitions
Abstract
The invention provides an external in-line device (“Subnet Box”) placed between a network and an access point to achieve secure Wi-Fi communications without needing to modify the access point. The Subnet Box comprises an embedded token and will authenticate users based on pre-stored access rights. In at least one embodiment of the invention, the Subnet Box comprises: a first communications port for intercepting data packets communicated to and from a wired communications network; a second communications port for intercepting data packets communicated to and from a wireless access point, wherein the wireless access point is an edge device of the wired communications network; a database comprising a number of serial numbers each associated with a client token and a secret cryptographic key; and a processor for determining whether a computing device having a client token can access the wired communications network via the wireless access point. The processor establishes a secure tunnel between the computing device and the first communications port.
87 Citations
17 Claims
1. A method of facilitating authentication and security at an edge of a network, the method permitting both secure and non-secure clients to simultaneously connect to the same access point, the method not requiring physical modification of the access point, the method comprising the steps of:
- interposing an apparatus between a network and the network access point, the network access point not requiring modification, whereby all secure network traffic between a client and the network passes through the apparatus;
- receiving, at the apparatus and from the client, a first random number encrypted using a cryptographic key associated with a token operably coupled to the client;
- decrypting, at the apparatus and using a cryptographic key retrieved from a resource internal to the apparatus, the first random number;
- sending, from the apparatus and to the client, a second random number encrypted using a cryptographic key associated with the apparatus;
- generating, at the apparatus, a session key from at least the first random number and the second random number;
- storing, at the apparatus, the session key in association with a source identifier;
- receiving a data packet at the apparatus;
- determining, at the apparatus, whether a source identifier exists in the data packet; and
- if the source identifier exists, retrieving the session key from the local storage using the source identifier, decrypting a portion of the data packet using the session key, and directing the data packet toward its recipient;
wherein the generating, at the apparatus, the session key from at least the first random number and the second random number comprises computing a session key from the cryptographic key associated with the token operably coupled to the client using the first random number and the second random number, wherein one of the first random number and the second random number is used to select a first bit of the session key from the cryptographic key associated with the token operably coupled to the client, and wherein the other of the first random number and the second random number is used to select subsequent bits of the session key from the cryptographic key associated with the token operably coupled to the client.
Dependent claims: 2, 3, 4, 5, 11, 12, 13, 16, 17.
6. An apparatus for facilitating authentication and security at an edge of a network, the apparatus permitting both secure and non-secure clients to simultaneously connect to the same wireless access point without requiring physical modification of the access point, the apparatus comprising:
- a first communications port for intercepting data packets communicated to and from a wired communications network;
- a second communications port for intercepting data packets communicated to and from the wireless access point, wherein the wireless access point is an edge device of the wired communications network, the wireless access point not requiring modification;
- a database comprising a plurality of serial numbers each associated with a client token and a secret cryptographic key; and
- computer logic configured to:
  - retrieve, in response to the apparatus receiving at the second communications port a first packet from a client, a cryptographic key associated with a serial number of a client token operably coupled to the client;
  - decrypt a first random number received from the client using the cryptographic key associated with the serial number of the client token operably coupled to the client;
  - encrypt a second random number using a cryptographic key associated with the apparatus, whereby an encrypted second random number is generated;
  - direct the apparatus to send the encrypted second random number to the client;
  - generate a session key from at least the first random number and the second random number;
  - store the session key in association with the serial number of the client token operably coupled to the client;
  - retrieve the session key in response to receiving a second packet containing an identifier, wherein the session key is retrieved using the identifier;
  - decrypt at least a portion of the second packet using the session key; and
  - direct the second data packet toward its recipient;
wherein the generating, at the apparatus, the session key from at least the first random number and the second random number comprises computing a session key from the cryptographic key associated with the token operably coupled to the client using the first random number and the second random number, wherein one of the first random number and the second random number is used to select a first bit of the session key from the cryptographic key associated with the token operably coupled to the client, and wherein the other of the first random number and the second random number is used to select subsequent bits of the session key from the cryptographic key associated with the token operably coupled to the client.
Dependent claims: 7, 8, 9, 10, 14, 15.
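As an added illustration (not the patent's own code), the following Python toy models the exchange recited in claims 1 and 6: the client sends a random number encrypted under its token key, the Subnet Box looks that key up by serial number in its database, answers with a second random number encrypted under the apparatus key, both sides derive the session key by selecting bits out of the token key, and later packets carrying the serial number as source identifier are decrypted with the stored session key while unmarked packets pass through untouched. The reading of "first bit / subsequent bits" as offset and stride, the HMAC-SHA256 stand-in cipher, the pre-shared apparatus key and the serial number "SN-0001" are all assumptions made for this example.

```python
import hmac, hashlib, secrets

KEY_BITS, SESSION_BITS = 256, 128   # token-key and session-key sizes (assumed)

def keystream_xor(key, iv, data):
    # Stand-in cipher (the patent names none): HMAC-SHA256(key, iv) as a one-block keystream
    return bytes(a ^ b for a, b in zip(data, hmac.new(key, iv, hashlib.sha256).digest()))
def encrypt(key, data):          # data is at most 32 bytes in this toy
    iv = secrets.token_bytes(16)
    return iv + keystream_xor(key, iv, data)
def decrypt(key, blob):
    return keystream_xor(key, blob[:16], blob[16:])

def derive_session_key(token_key, r1, r2):
    # Claim wording: one nonce selects the first session-key bit from the token key, the
    # other the subsequent bits. Assumed reading: r1 -> start offset, r2 -> stride.
    bits = [(token_key[i // 8] >> (7 - i % 8)) & 1 for i in range(KEY_BITS)]
    start = int.from_bytes(r1, "big") % KEY_BITS
    stride = int.from_bytes(r2, "big") % (KEY_BITS - 1) + 1            # never zero
    key = sum(bits[(start + i * stride) % KEY_BITS] << (SESSION_BITS - 1 - i) for i in range(SESSION_BITS))
    return key.to_bytes(SESSION_BITS // 8, "big")   # every bit is a token-key bit

class SubnetBox:
    def __init__(self, database):
        self.database = database                 # serial number -> secret token key
        self.box_key = secrets.token_bytes(32)   # key associated with the apparatus
        self.sessions = {}                       # source identifier -> session key
    def handshake(self, serial, enc_r1):
        token_key = self.database[serial]        # key retrieved from the internal resource
        r1 = decrypt(token_key, enc_r1)
        r2 = secrets.token_bytes(16)
        self.sessions[serial] = derive_session_key(token_key, r1, r2)
        return encrypt(self.box_key, r2)
    def forward(self, packet):
        serial, payload = packet                 # unmarked packet (no session): pass as-is
        key = self.sessions.get(serial)
        return decrypt(key, payload) if key else payload   # then route to recipient

def client_handshake(box, serial, token_key):
    # Client side: send E_token(r1), receive E_box(r2), derive the same session key.
    r1 = secrets.token_bytes(16)
    enc_r2 = box.handshake(serial, encrypt(token_key, r1))
    return derive_session_key(token_key, r1, decrypt(box.box_key, enc_r2))

def run_demo(message=b"to the wired network"):
    token_key = secrets.token_bytes(KEY_BITS // 8)
    box = SubnetBox({"SN-0001": token_key})                  # constructed serial number
    session_key = client_handshake(box, "SN-0001", token_key)
    secure = box.forward(("SN-0001", encrypt(session_key, message)))
    return secure, box.forward((None, b"plain"))             # non-secure client untouched
```

Because each session-key bit is copied from the token key, the derived key's entropy can never exceed that of the token key; the demo makes that visible by deriving from an all-ones or all-zeros token key.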
Specification