Method and arrangement for providing a wireless mesh network

US 8,122,249 B2
Filed: 08/01/2007
Issued: 02/21/2012
Est. Priority Date: 08/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method for providing a wireless local area network, having stationary communication devices and mobile communication devices embodied according to the IEEE 802.11 standard and its derivatives and belonging to a mesh subnetwork which is connected to an infrastructure network in such a way that it can exchange authentication messages via a station assigned to the subnetwork with an Authentication, Authorization, Accounting (AAA) server disposed in the infrastructure network using the Extensible Authentication Protocol (EAP) protocol comprising:

the AAA server;

generating basic encryption information valid for the subnetwork precisely once within a first validity period, the generating being performed after a successful first-time authentication of a first communication device of the subnetwork with specification of first identity information vis-à

-vis a communication device of the subnetwork fulfilling a role of an authenticator defined in accordance with the EAP protocol, andtransmitting the basic encryption information to a station that is uniquely assignable to the subnetwork; and

the station assigned to the subnetwork;

storing the basic encryption information,assigning the basic encryption to the first identity information specified by the first communication device; and

handling subsequent authentication attempts of the first communication device vis-à

-vis a second communication device of the subnetwork with specification of second identity information in the manner of a proxy server while omitting the AAA server on the basis of the basic encryption information determined from the specified identity information using the EAP protocol; and

a station of the second communication device;

providing a key determined for the second communication device using the stored basic encryption information for the purpose of cryptographically secure communication with the first communication device.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are a method and an arrangement for creating a wireless mesh network in which a new node is provided that is connected between mesh nodes and an AAA server located in an infrastructure network. Based on basic encoding data that is available to the new node following successful initial authentication of a first mesh node, the new node performs the authentication similar to a proxy server instead of an AAA server, particularly for a limited time, during subsequent authentication attempts.

Citations

25 Claims

1. A method for providing a wireless local area network, having stationary communication devices and mobile communication devices embodied according to the IEEE 802.11 standard and its derivatives and belonging to a mesh subnetwork which is connected to an infrastructure network in such a way that it can exchange authentication messages via a station assigned to the subnetwork with an Authentication, Authorization, Accounting (AAA) server disposed in the infrastructure network using the Extensible Authentication Protocol (EAP) protocol comprising:
- the AAA server;
  
  generating basic encryption information valid for the subnetwork precisely once within a first validity period, the generating being performed after a successful first-time authentication of a first communication device of the subnetwork with specification of first identity information vis-à
  
  -vis a communication device of the subnetwork fulfilling a role of an authenticator defined in accordance with the EAP protocol, andtransmitting the basic encryption information to a station that is uniquely assignable to the subnetwork; and
  
  the station assigned to the subnetwork;
  
  storing the basic encryption information,assigning the basic encryption to the first identity information specified by the first communication device; and
  
  handling subsequent authentication attempts of the first communication device vis-à
  
  -vis a second communication device of the subnetwork with specification of second identity information in the manner of a proxy server while omitting the AAA server on the basis of the basic encryption information determined from the specified identity information using the EAP protocol; and
  
  a station of the second communication device;
  
  providing a key determined for the second communication device using the stored basic encryption information for the purpose of cryptographically secure communication with the first communication device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The method as claimed in claim 1, wherein the basic encryption information includes an encryption key.
  - 3. The method as claimed in claim 2, wherein the station assigned to the subnetwork stores the encryption key as a key assigned to the first communication device.
  - 4. The method as claimed in claim 3, wherein the stored encryption key is used for handling the subsequent authentication attempts.
  - 5. The method as claimed in claim 2, wherein the station assigned to the subnetwork derives a key from the encryption key and stores it as a key assigned to the first communication device.
  - 6. The method as claimed in claim 2, wherein the AAA server derives a key from the encryption key and stores it as a key assigned to the first communication device and transmits it as part of the basic encryption information in the course of the first-time authentication.
  - 7. The method as claimed in claim 2, wherein an assigned key is transmitted with a message embodied as an EAP success message in accordance with the EAP protocol.
  - 8. The method as claimed in claim 5, wherein the derivation is performed in such a way that the assigned key is generated using a key derivation function on the basis of a master session key formed in accordance with the EAP protocol, or the derivation is performed in such a way that the assigned key is generated using a key derivation function on the basis of an extended master session key formed in accordance with the EAP protocol.
  - 9. The method as claimed in claim 5, wherein the derivation is performed by the AAA server.
  - 10. The method as claimed in claim 5, wherein the derivation is performed by the station assigned to the subnetwork.
  - 11. The method as claimed in claim 8, wherein a function conforming to a cryptographic hash function according to SHA-1, SHA256 or MD5 is used as the key derivation function of the assigned key.
  - 12. The method as claimed in claim 8, wherein the key derivation function of the assigned key is based on keyed hash functions according to HMAC.
  - 13. The method as claimed in claim 8, wherein the assigned key is formed in accordance with the following formula based on key derivation functions
    M-AAA-KEY=HMAC-SHA1(MSK, Mesh-AAA-Key),wherein M-AAA-KEY denotes the assigned key,wherein HMAC-SHA1 denotes a keyed hash function HMAC using the hash function SHA-1,wherein MSK denotes the master session key determined in accordance with the EAP protocol, andwherein Mesh-AAA-Key denotes a character string which in particular expresses an intended purpose of the key.
  - 14. The method as claimed in claim 8, wherein the derivation is performed in such a way that the assigned key is identical to the master session key or extended master session key formed in accordance with the EAP protocol.
  - 15. The method as claimed in claim 8, wherein that the first validity period corresponds to a period of validity of the master session key and/or the extended master session key formed in accordance with the EAP protocol.
  - 16. The method as claimed in claim 8, wherein a second validity period determining a period of validity of the assigned key corresponds to a period of validity of a master session key formed in accordance with the EAP protocol.
  - 17. The method as claimed in claim 1, wherein a second validity period determining a period of validity of the assigned key is determined by a specified number of allowed authentications.
  - 18. The method as claimed in claim 1, wherein a converter connecting the subnetwork to the infrastructure network is used as a station.
  - 19. The method as claimed in claim 1, wherein parameters determining policy network attributes are appended to the basic encryption information.
  - 20. The method as claimed in claim 1, wherein authentications following the first authentication are performed based on a EAP-PSK method specified according to the EAP protocol.
  - 21. The method as claimed in claim 1, wherein the handling in the manner of a proxy server is performed in such a way that after the first-time authentication has been completed, the AAA server is omitted by terminating messages formed in accordance with the EAP protocol in the station assigned to the subnetwork, the termination being performed based on information correlating with the messages.
  - 22. The method as claimed in claim 1, wherein a type of the EAP protocol method used is detected as correlating information.
  - 23. The method as claimed in claim 21, wherein the identity information has the form user@realm;
    - andwherein user designates a message-sending station; and
      
      wherein realm designates a domain provided in particular by the AAA server is manipulated as correlating information in such a way that the message-sending station is yielded as addressee from the information correlating with the messages.
  - 24. The method as claimed in claim 1, wherein after expiration of the first validity period further authentications are only successful following a new first-time authentication with the AAA server performed in particular before the expiration of the first validity period.
  - 25. The method as claimed in claim 1, wherein the basic encryption information includes as information at least one AKA authentication vector formed in the manner of that formed according to RFC4187 Section 1.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unify Patente GmbH & Co. KG (Atos SE)
Original Assignee
Siemens Enterprise Communications GmbH and Co KG (Mitel Networks Corporation)
Inventors
Falk, Rainer, Kohlmayer, Florian
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Teslovich, Tamara

Application Number

US12/087,620
Publication Number

US 20090172398A1
Time in Patent Office

1,665 Days
Field of Search

713/168
US Class Current

713/168
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless

H04L 2463/061   applying further key deriva...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0869   for achieving mutual authen...

H04L 63/0884   by delegation of authentica...

H04L 63/0892   by using authentication-aut...

H04L 63/162   at the data link layer

H04L 9/083   involving central third par...

H04L 9/3236   using cryptographic hash fu...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 84/18   Self-organising networks, e...

Method and arrangement for providing a wireless mesh network

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and arrangement for providing a wireless mesh network

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links