Scheme for authentication and dynamic key exchange
Abstract
A scheme for authentication, dynamic key generation and exchange provides means for authentication of mobile nodes and networks, and for generation of per session, per node, security association and encryption keys for encrypting/decrypting communications between a mobile node and an access point in wireless local area networks. The scheme utilizes the same infrastructure and authentication information for both data link layers (layer 2) and network layers (layer 3). This scheme is particularly applicable to networks adhering to the IEEE 802 LAN family of standards.
Claims (20)
1. A method for generating a security key for a mobile node in communication with an access point of a foreign network, the method comprising:
- generating at the mobile node a first authenticator using a group of parameters comprising: a first random number provided to the mobile node by the access point, a second random number generated by the mobile node, a network access identifier of the mobile node, a predetermined security key shared by the mobile node and the home network of the mobile node, an identifier of the access point of the foreign network, and a randomly generated session identifier of a communications session;
- providing the first authenticator to a home network of the mobile node;
- validating at the mobile node a second authenticator received from the home network via the access point of the foreign network, wherein the second authenticator is generated by the home network upon validating the first authenticator, the first and second authenticators being generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and
- generating at the mobile node a security key using the predetermined security key and the second authenticator, wherein the security key generated by the mobile node is provided to the access point.
Dependent claims: 2, 3, 4, 5, 6.
7. A method for generating a security key for an access point of a foreign network, the method comprising:
- challenging a mobile node to authenticate itself, wherein the mobile node seeks to establish a communications session with a home network of the mobile node via the foreign access point;
- providing to the home network a first authenticator received from the mobile node, wherein the first authenticator is generated at the mobile node using a group of parameters comprising: a first random number provided to the mobile node by the access point, a second random number generated by the mobile node, a network access identifier of the mobile node, a predetermined security key shared by the mobile node and the home network of the mobile node, an access point identifier of the access point of the foreign network, and a randomly generated session identifier of the communications session;
- providing the first authenticator to a home network of the mobile node;
- receiving a second authenticator and the security key from the home network, the second authenticator and the security key being generated by the home network upon validating the first authenticator, wherein the second authenticator is generated using the group of parameters and the security key is generated using the predetermined security key and the second authenticator, the first and second authenticators being generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and
- providing the second authenticator to the mobile node for validating.
Dependent claims: 8, 9, 10, 11, 12.
13. A mobile node for generating a security key, the mobile node comprising:
- a mobile node transmitter/receiver portion configured to:
  - generate a first authenticator, wherein the first authenticator is calculated using a group of parameters comprising: a first random number provided to the mobile node by an access point of a foreign network, a second random number generated by the mobile node, a network access identifier of the mobile node, a predetermined security key shared by the mobile node and a home network of the mobile node, an access point identifier of the access point of the foreign network, and a randomly generated session identifier of a communications session;
  - provide the first authenticator to the home network of the mobile node via the access point; and
  - validate a second authenticator received from the home network via the access point of the foreign network, wherein the second authenticator is generated by the home network upon validating the first authenticator, the first and second authenticators being generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and
- a mobile node key generator configured to generate the security key using the predetermined security key and the second authenticator.
14. A network for generating a security key, the network comprising:
- a network transmitter/receiver portion configured to receive from an access point a first authenticator, wherein the first authenticator is generated at a mobile node attempting to establish a communications session with the network via the access point;
- a network authenticator processor configured to:
  - validate the received first authenticator using a group of parameters comprising: a first random number, a second random number, a network access identifier of the mobile node, an access point identifier of the access point of the foreign network, a randomly generated session identifier of the communications session, and a predetermined security key; and
  - generate, upon the validation of the first authenticator, a second authenticator using the group of parameters, the first and second authenticators being generated according to a Keyed Message Authorization Code (KMAC) using the above listed parameters; and
- a network key generator configured to generate the security key using the predetermined security key and the second authenticator, wherein the network transmitter/receiver portion is further configured to provide the security key to the access point, and wherein the security key is an ephemeral security key configured for encrypting and decrypting communications between the mobile node and the access point during the communications session.
Dependent claims: 15.
16. A method of generating a security key by a network, the method comprising:
- receiving, from an access point, a first authenticator, wherein the first authenticator is generated at a mobile node attempting to establish a communications session with the network via the access point;
- validating the received first authenticator using a group of parameters comprising: a first random number, a second random number, a network access identifier of the mobile node, a predetermined security key, an access point identifier of the access point of the foreign network, and a randomly generated session identifier of the communications session;
- generating, upon successful validation of the first authenticator, a second authenticator using the group of parameters, the first and second authenticators being generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters;
- generating the security key using the predetermined security key and the second authenticator, if said second authenticator matches said interim second authenticator; and
- providing the security key to the access point, wherein the security key is configured to be used for encrypting and decrypting communications between the mobile node and the access point during the communications session upon the second authenticator being validated by the mobile node.
Dependent claims: 17.
18. A non-transitory computer readable storage medium encoded with a computer program code, wherein when the computer program code is executed by a processor, the processor performs a method for generating a security key for a mobile node, the method comprising:
- providing a first authenticator to a home network of the mobile node via an access point of the foreign network, wherein the first authenticator is generated at the mobile node using a group of parameters comprising: a first random number provided to the mobile node by the access point, a second random number generated by the mobile node, a network access identifier of the mobile node, an access point identifier of the access point of the foreign network, a randomly generated session identifier of the communications session, and a predetermined security key shared by the mobile node and the home network of the mobile node;
- validating at the mobile node a second authenticator received from the home network via the access point of the foreign network, wherein the second authenticator is generated by the home network upon validating the first authenticator, the first and second authenticators being generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and
- generating at the mobile node the security key using the predetermined security key and the second authenticator, wherein the security key generated by the home network is provided to the access point.
19. A non-transitory computer readable storage medium encoded with a computer program code, wherein when the computer program code is executed by a processor, the processor performs a method for generating a security key for an access point, the method comprising:
- challenging a mobile node to authenticate itself, wherein the mobile node seeks to establish a communications session with a home network of the mobile node via the access point of a foreign network;
- providing to the home network a first authenticator received from the mobile node, wherein the first authenticator is generated at the mobile node using a group of parameters comprising: a first random number provided to the mobile node by the access point, a second random number generated by the mobile node, a network access identifier of the foreign network, a predetermined security key shared by the mobile node and the home network of the mobile node, an access point identifier of the access point, and a randomly generated session identifier of the communications session;
- receiving a second authenticator and the security key from the home network, the second authenticator and the security key being generated by the home network upon validating the first authenticator, wherein the second authenticator is generated using the group of parameters, an order of using the parameters of the group of parameters being different between the generation of the second authenticator and the generation of the first authenticator, and wherein the security key is generated using the predetermined security key and the second authenticator, the first and second authenticators being generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and
- providing the second authenticator to the mobile node for validating.
20. A non-transitory computer readable storage medium encoded with a computer program code, wherein when the computer program code is executed by a processor, the processor performs a method for generating a security key by a network, the method comprising:
- receiving, from an access point, a first authenticator, wherein the first authenticator is generated at a mobile node attempting to establish a communications session with the network via the access point;
- validating the received first authenticator using a group of parameters comprising: a first random number, a second random number, a network access identifier of the mobile node, a predetermined security key, an access point identifier of the access point, and a randomly generated session identifier of the communications session;
- generating, upon successful validation of the first authenticator, a second authenticator using the group of parameters, wherein an order of using the parameters of the group of parameters differs between the generation of the second authenticator and the generation of the first authenticator;
- generating the security key using the predetermined security key and the second authenticator, if said second authenticator matches said interim second authenticator, the first and second authenticators being generated according to a Keyed Message Authorization Code (KMAC) using each of the above listed parameters; and
- providing the security key to the access point, wherein the security key is configured to be used for encrypting and decrypting communications between the mobile node and the access point during the communications session upon the second authenticator being validated by the mobile node.
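The exchange the independent claims describe, written out as an added illustration that is not part of the patent and does not reproduce its specification: a foreign access point challenges the mobile node with a first random number, the mobile node answers with a first authenticator over the claimed parameter group, the home network validates it and returns a second authenticator plus the session key (claims 1, 7 and 16), with the second authenticator computed over the same parameters in a different order (claims 19 and 20). HMAC-SHA256 stands in for the claims' generic "KMAC", the per-parameter length prefix and the "session-key" derivation label are my assumptions, and the subscriber table, network access identifier and access point identifier are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def kmac(key: bytes, *params: bytes) -> bytes:
    """Keyed MAC over an ordered parameter list.

    HMAC-SHA256 is an assumed instantiation of the claims' generic KMAC.
    Each parameter is length-prefixed so that (b"ab", b"c") and (b"a", b"bc")
    can never produce the same MAC input.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in params:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


def first_authenticator(key, rand1, rand2, nai, ap_id, sid) -> bytes:
    # Mobile-node side: RAND1 (from the AP), RAND2 (from the node), NAI,
    # access point identifier and session identifier, keyed with the shared key.
    return kmac(key, rand1, rand2, nai, ap_id, sid)


def second_authenticator(key, rand1, rand2, nai, ap_id, sid) -> bytes:
    # Home-network side: same parameter group, different order (claims 19/20),
    # so a recorded first authenticator can never be passed off as a second one.
    return kmac(key, sid, ap_id, nai, rand2, rand1)


def session_key(key, auth2) -> bytes:
    # Ephemeral per-session, per-node key from the long-term shared key and
    # the second authenticator; the "session-key" label is an assumption.
    return kmac(key, b"session-key", auth2)


class HomeNetwork:
    def __init__(self, subscribers: Dict[bytes, bytes]):
        self.subscribers = subscribers  # NAI -> pre-shared key (constructed table)

    def authenticate(self, nai, rand1, rand2, ap_id, sid, auth1) -> Optional[Tuple[bytes, bytes]]:
        key = self.subscribers.get(nai)
        if key is None:
            return None  # unknown subscriber
        expected = first_authenticator(key, rand1, rand2, nai, ap_id, sid)
        if not hmac.compare_digest(expected, auth1):  # constant-time comparison
            return None  # first authenticator rejected
        auth2 = second_authenticator(key, rand1, rand2, nai, ap_id, sid)
        return auth2, session_key(key, auth2)


class MobileNode:
    def __init__(self, nai: bytes, key: bytes):
        self.nai, self.key, self.session_key = nai, key, None

    def respond(self, rand1: bytes, ap_id: bytes):
        # Answer the AP's challenge with a fresh RAND2 and session identifier.
        self.rand1, self.ap_id = rand1, ap_id
        self.rand2 = secrets.token_bytes(16)
        self.sid = secrets.token_bytes(8)
        auth1 = first_authenticator(self.key, rand1, self.rand2, self.nai, ap_id, self.sid)
        return self.nai, self.rand2, self.sid, auth1

    def finish(self, auth2: bytes) -> Optional[bytes]:
        # Validate the home network's second authenticator before deriving the key.
        expected = second_authenticator(self.key, self.rand1, self.rand2, self.nai, self.ap_id, self.sid)
        if not hmac.compare_digest(expected, auth2):
            return None  # network (or relaying AP) failed to authenticate
        self.session_key = session_key(self.key, auth2)
        return self.session_key


class AccessPoint:
    def __init__(self, ap_id: bytes, home: HomeNetwork):
        self.ap_id, self.home = ap_id, home

    def run(self, mn: MobileNode) -> Optional[bytes]:
        rand1 = secrets.token_bytes(16)  # challenge
        nai, rand2, sid, auth1 = mn.respond(rand1, self.ap_id)
        result = self.home.authenticate(nai, rand1, rand2, self.ap_id, sid, auth1)
        if result is None:
            return None  # home network rejected the mobile node
        auth2, ap_key = result  # AP keeps the key, relays auth2 to the node
        if mn.finish(auth2) is None:
            return None  # mobile node rejected the second authenticator
        return ap_key


if __name__ == "__main__":
    KEY = bytes(range(16))  # constructed pre-shared key
    home = HomeNetwork({b"alice@home.example": KEY})
    ap = AccessPoint(b"ap-foreign-7", home)
    mn = MobileNode(b"alice@home.example", KEY)
    k = ap.run(mn)
    print("session key agreed:", k is not None and k == mn.session_key)
    print("wrong shared key rejected:", ap.run(MobileNode(b"alice@home.example", bytes(16))) is None)
```

Two points worth noticing from the defender's side: both comparisons use `hmac.compare_digest`, since the authenticators are the only thing standing between an unauthenticated node and a session key, and the access point never sees the pre-shared key, only the ephemeral session key the home network hands it, which is what limits the damage if a foreign access point is compromised.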
Specification