Scheme for authentication and dynamic key exchange

US 8,140,845 B2
Filed: 09/10/2002
Issued: 03/20/2012
Est. Priority Date: 09/13/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for generating a security key for a mobile node in communication with an access point of a foreign network, the method comprising:

generating at the mobile node a first authenticator using a group of parameters comprising;

a first random number provided to the mobile node by the access point,a second random number generated by the mobile node,a network access identifier of the mobile node,a predetermined security key shared by the mobile node and the home network of the mobile node,an identifier of the access point of the foreign network, anda randomly generated session identifier of a communications session;

providing the first authenticator to a home network of the mobile node;

validating at the mobile node a second authenticator received from the home network via the access point of the foreign network, wherein the second authenticator is generated by the home network upon validating the first authenticator, the first and second authenticators are generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and

generating at the mobile node a security key using the predetermined security key and the second authenticator, wherein the security key generated by the mobile node is provided to the access point.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scheme for authentication, dynamic key generation and exchange provides means for authentication of mobile nodes and networks, and for generation of per session, per node, security association and encryption keys for encrypting/decrypting communications between a mobile node and an access point in wireless local area networks. The scheme utilizes the same infrastructure and authentication information for both data link layers (layer 2) and network layers (layer 3). This scheme is particularly applicable to networks adhering to the IEEE 802 LAN family of standards.

67 Citations

View as Search Results

20 Claims

1. A method for generating a security key for a mobile node in communication with an access point of a foreign network, the method comprising:
- generating at the mobile node a first authenticator using a group of parameters comprising;
  
  a first random number provided to the mobile node by the access point,a second random number generated by the mobile node,a network access identifier of the mobile node,a predetermined security key shared by the mobile node and the home network of the mobile node,an identifier of the access point of the foreign network, anda randomly generated session identifier of a communications session;
  
  providing the first authenticator to a home network of the mobile node;
  
  validating at the mobile node a second authenticator received from the home network via the access point of the foreign network, wherein the second authenticator is generated by the home network upon validating the first authenticator, the first and second authenticators are generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and
  
  generating at the mobile node a security key using the predetermined security key and the second authenticator, wherein the security key generated by the mobile node is provided to the access point.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the second authenticator is generated using the first random number, the second random number, the network access identifier of mobile node, the predetermined security key, the access point identifier of the mobile node, and the session identifier.
  - 3. The method of claim 2, wherein an order of using the first random number, the second random number, the network access identifier, the predetermined security key, the access point identifier, and the session identifier differs between the generation of the second authenticator and the generation of the first authenticator.
  - 4. The method of claim 2, wherein the validating of the second authenticator by the mobile node, comprises:
    - applying a function, used by the home network to generate the second authenticator, to the first random number, the second random number, the network access identifier, the predetermined security key, the access point identifier, and the session identifier in an order used by the home network in the generating of the second authenticator to calculate an interim second authenticator; and
      
      comparing the second authenticator with the interim second authenticator to determine whether the interim second authenticator matches the second authenticator.
  - 5. The method of claim 1, wherein the security key is an ephemeral security key configured to encrypt and decrypt communications with the mobile node for a current session.
  - 6. The method of claim 1, wherein the security key is an ephemeral security key configured to derive other ephemeral security keys for generating a temporary security association with the mobile node.

7. A method for generating a security key for an access point of a foreign network, the method comprising:
- challenging a mobile node to authenticate itself, wherein the mobile node seeks to establish a communications session with a home network of the mobile node via the foreign access point;
  
  providing to the home network a first authenticator received from the mobile node, wherein the first authenticator is generated at the mobile node using a group of parameters comprising;
  
  a first random number provided to the mobile node by the access point;
  
  a second random number generated by the mobile node,a network access identifier of the mobile node,a predetermined security key shared by the mobile node and the home network of the mobile node,an access point identifier of the access point of the foreign network, anda randomly generated session identifier of the communications session;
  
  providing the first authenticator to a home network of the mobile node;
  
  receiving a second authenticator and the security key from the home network, the second authenticator and the security key generated by the home network upon validating the first authenticator, wherein the second authenticator is generated using the group of parameters and the security key is generated using the predetermined security key and the second authenticator, the first and second authenticators are generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and
  
  providing the second authenticator to the mobile node for validating.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the security key is an ephemeral security key configured to encrypt and decrypt communications between the access point and the mobile node for a current session.
  - 9. The method of claim 7, wherein the security key is an ephemeral security key configured to derive other ephemeral security keys for generating a temporary security association with the access point.
  - 10. The method of claim 7, wherein an order of using parameters of the group of parameters differs between the generation of the second authenticator and the generation of the first authenticator.
  - 11. The method of claim 7, wherein the home network validates the first authenticator by:
    - calculating an interim first authenticator by applying a function, used by the mobile node to generate the first authenticator, to the parameters of the group of parameters in an order that the mobile node applied the function to the parameters; and
      
      comparing the first authenticator and the interim first authenticator to determine whether the first second authenticator matches the first authenticator.
  - 12. The method of claim 7, wherein the mobile node validates the second authenticator by:
    - calculating an interim second authenticator by applying a function, used by the home network to generate the second authenticator, to the parameters of the group of parameters in an order that home network applied the function to the parameters; and
      
      comparing the second authenticator with the interim second authenticator to determine whether the interim second authenticator matches the second authenticator.

13. A mobile node for generating a security key, the mobile node comprising:
- a mobile node transmitter/receiver portion configured to;
  
  generate a first authenticator, wherein the first authenticator is calculated using a group of parameters comprising;
  
  a first random number provided to the mobile node by an access point of a foreign network,a second random number generated by the mobile node,a network access identifier of the mobile node,a predetermined security key shared by the mobile node and a home network of the mobile node,an access point identifier of the access point of the foreign network, anda randomly generated session identifier of a communications session;
  
  provide the first authenticator to the home network of the mobile node via the access point; and
  
  validate a second authenticator received from the home network via the access point of the foreign network, wherein the second authenticator is generated by the home network upon validating the first authenticator, the first and second authenticators are generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and
  
  a mobile node key generator configured to generate the security key using the predetermined security key and the second authenticator.

14. A network for generating a security key, the network comprising:
- a network transmitter/receiver portion configured to receive from an access point a first authentication, wherein the first authenticator is generated at a mobile node attempting to establish a communications session with the network via the access point;
  
  a network authenticator processor configured to;
  
  validate the received first authenticator using a group of parameters comprising;
  
  a first random number,a second random number,a network access identifier of the mobile node,an access point identifier of the access point of the foreign network,a randomly generated session identifier of the communications session,a predetermined security key; and
  
  generate, upon the validation of the first authenticator, a secondauthenticator using the group of parameters, the first and second authenticators are generated according to a Keyed Message Authorization Code (KMAC) using above listed parameters; and
  
  a network key generator configured to generate the security key using the predetermined security key and the second authenticator, wherein the network transmitter/receiver portion is further configured to provide the security key to the access point and wherein the security key is an ephemeral security key configured for encrypting and decrypting communications between the mobile node and the access point during the communications session.
- View Dependent Claims (15)
- - 15. The network of claim 14, wherein said security key is an ephemeral security key configured to derive other ephemeral security keys for generating a temporary security association with the mobile node.

16. A method generating a security key by a network, the method comprising:
- receiving, from an access point, a first authenticator, wherein the first authenticator is generated at a mobile node attempting to establish a communications session with the network via the access point;
  
  validating the received first authenticator using a group of parameters comprising;
  
  a first random number,a second random number,a network access identifier of the mobile node,a predetermined security key,an access point identifier of the access point of the foreign network,a randomly generated session identifier of the communications session, anda predetermined security key;
  
  generating, upon successful validation of the first authenticator, a second authenticator using the group of parameters, the first and second authenticators are generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters;
  
  generating the security key using the predetermined security key and the second authenticator, if said second authenticator matches said interim second authenticator; and
  
  providing the security key to the access point, wherein the security key is configured to be used for encrypting and decrypting communications between the mobile node and the access point during the communications session upon the second authenticator being validated by the mobile node.
- View Dependent Claims (17)
- - 17. The method of claim 16, wherein the security key is an ephemeral security key configured to derive other ephemeral security keys for generating a temporary security association between the mobile node and the network.

18. A computer non-transitory readable storage medium encoded with a computer program code, wherein when the computer program code is executed by a processor, the processor performs a method for generating a security key for a mobile node, the method comprising:
- providing a first authenticator to a home network of the mobile node via an access point of the foreign network, wherein the first authenticator is generated at the mobile node using a group of parameters comprising;
  
  a first random number provided to the mobile node by the access point,a second random number generated by the mobile node,a network access identifier of mobile node,an access point identifier of the of the foreign network,a randomly generated session identifier of the communications session, anda predetermined security key shared by the mobile node and the home network of the mobile nodevalidating at the mobile nodea second authenticator received from the home network via the access point of the foreign network, wherein the second authenticator is generated by the home network upon validating the first second authenticator, the first and second authenticators are generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and
  
  generating at the mobile node the security key using the predetermined security key and the second authenticator, wherein the security key generated by the home network is provided to the access point.

19. A computer non-transitory readable storage medium encoded with a computer program code, wherein when the computer program code is executed by a processor, the processor performs a method for generating a security key for an access point, the method comprising:
- challenging a mobile node to authenticate itself, wherein the mobile nodes seeks to establish a communications session with a home network of the mobile node via the access point of a foreign network;
  
  providing to the home network a first authenticator received from the mobile node, wherein the first authenticator is generated at the mobile node using a group of parameters comprising;
  
  a first random number provided to the mobile node by the access point;
  
  a second random number generated by the mobile node,a network access identifier of the foreign network,a predetermined security key shared by the mobile node and the home network of the mobile node,an access point identifier of the access point, anda randomly generated session identifier of the communications session;
  
  receiving a second authenticator and the security key from the home network, the second authenticator and the security key generated by the home network upon validating the first authenticator, wherein the second authenticator is generated using the group of parameters, an order of using the parameters of the group of parameters being different between the generation of the second authenticator and the generation of the first authenticator and wherein the security key is generated using the predetermined security key and the second authenticator, the first and second authenticators are generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and
  
  providing the second authenticator to the mobile node for validating.

20. A computer non-transitory readable storage medium encoded with a computer program code, wherein when the computer program code is executed by a processor, the processor performs a method for generating a security key by a network, the method comprising:
- receiving, from an access point, a first authenticator, wherein the first authenticator is generated at a mobile node attempting to establish a communications session with the network via the access point;
  
  validating the received first authenticator using a group of parameters comprising;
  
  a first random number, a second random number, a network access identifier of the mobile node, a predetermined security key, an access point identifier of the access point, and a randomly generated session identifier of the communications session;
  
  generating, upon successful validation of the first authenticator, a second authenticator using the group of parameters, wherein an order of using the parameters of the group of parameters differs between the generation of the second authenticator and the generation of the first authenticator;
  
  generating the security key using the predetermined security key and the second authenticator, if said second authenticator matches said interim second authenticator, the first and second authenticators are generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and
  
  providing the security key to the access point, wherein the security key is configured to be used for encrypting and decrypting communications between the mobile node and the access point during the communications session upon the second authenticator being validated by the mobile node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Buddhikot, Milind M, Miller, Scott C, Salgarelli, Luca, Garay, Juan A
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US10/238,373
Publication Number

US 20030051140A1
Time in Patent Office

3,479 Days
Field of Search

726/3
US Class Current

713/168
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/062   for key distribution, e.g. ...

H04L 63/068   using time-dependent keys, ...

H04L 63/08   for authentication of entit...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/3273   for mutual authentication n...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 84/12   WLAN [Wireless Local Area N...

Scheme for authentication and dynamic key exchange

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Scheme for authentication and dynamic key exchange

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links