Method and arrangement for providing a wireless mesh network

US 8,495,360 B2
Filed: 08/01/2007
Issued: 07/23/2013
Est. Priority Date: 08/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method for providing a wireless network comprising:

a first communication device communicating with an authentication server in accordance with Extensible Authentication Protocol (“

EAP”

) in a first authentication communication, the first communication device communicating with the authentication server in the first authentication communication as an authenticator defined according to EAP protocol;

the authentication server generating first encryption information, first policy information and second policy information in response to the first authentication communication and transmitting the first encryption information, first policy information and second policy information to the first communication device;

the first communication device sending the second policy information to a second communication device, at least the second policy information being protected by a cryptographic checksum;

the first communication device communicating with the second communication device in accordance with EAP in a second authentication communication, the second authentication communication being based on the second policy information, the first communication device communicating with the second communication device in the second authentication communication as a supplicant defined according to EAP and the second communication device communicating with the first communication device during the second authentication communication as an authenticator defined according to EAP and the second communication device not communicating with the authentication sever during the second authentication communication such that the second communication device does not have a link with the authentication server during the second authentication communication, the second authentication communication being processed based on at least a portion of the first encryption information; and

the first and second communication devices exchanging communication information via a protected communication after the first and second authentication communications are completed; and

wherein the first encryption information is transmitted to the first communication device via a first EAP success message that comprises the first encryption information and wherein the second communication device receives a second EAP success message that comprises second encryption information.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and an arrangement are provided wherein a newly added mesh node does not require a link to the AAA server for the purpose of authentication. Authentication is carried out using a node which is already present in the mesh network and which has a link to the AAA server.

Citations

19 Claims

1. A method for providing a wireless network comprising:
- a first communication device communicating with an authentication server in accordance with Extensible Authentication Protocol (“
  
  EAP”
  
  ) in a first authentication communication, the first communication device communicating with the authentication server in the first authentication communication as an authenticator defined according to EAP protocol;
  
  the authentication server generating first encryption information, first policy information and second policy information in response to the first authentication communication and transmitting the first encryption information, first policy information and second policy information to the first communication device;
  
  the first communication device sending the second policy information to a second communication device, at least the second policy information being protected by a cryptographic checksum;
  
  the first communication device communicating with the second communication device in accordance with EAP in a second authentication communication, the second authentication communication being based on the second policy information, the first communication device communicating with the second communication device in the second authentication communication as a supplicant defined according to EAP and the second communication device communicating with the first communication device during the second authentication communication as an authenticator defined according to EAP and the second communication device not communicating with the authentication sever during the second authentication communication such that the second communication device does not have a link with the authentication server during the second authentication communication, the second authentication communication being processed based on at least a portion of the first encryption information; and
  
  the first and second communication devices exchanging communication information via a protected communication after the first and second authentication communications are completed; and
  
  wherein the first encryption information is transmitted to the first communication device via a first EAP success message that comprises the first encryption information and wherein the second communication device receives a second EAP success message that comprises second encryption information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1 further comprising:
    - the first communication device and the second communication device executing a first EAP four way handshake prior to the second authentication communication; and
      
      the first communication device and the second communication device executing a second EAP four way handshake after the second authentication communication.
  - 3. The method of claim 2 wherein the first encryption information comprises a mesh access key and the second encryption information comprises a mesh access key.
  - 4. The method of claim 3 wherein the first encryption information further comprises network attribute data and the second encryption information comprises the network attribute data.
  - 5. The method of claim 2 wherein the first encryption information comprises a first session key and the second encryption information comprises a second session key.
  - 6. The method of claim 5 wherein the first EAP four way handshake is executed using the first session key and the second EAP four way handshake is executed using the second encryption key.
  - 7. The method of claim 6 further comprising the first communication device sending an encrypted message having network attributes to the second communication device prior to the first EAP four way handshake being executed.
  - 8. The method of claim 1 wherein the authentication server is an authentication proxy and the second authentication communication occurs without any involvement of the authentication proxy and without involvement of another authentication server.
  - 9. The method of claim 8 wherein the network attribute data comprises data selected from the group consisting of maximum bandwidth, quality of service reservations, validity period, traffic filter rules, and user related account data.
  - 10. The method of claim 9 wherein the first encryption information comprises a first encryption key.
  - 11. The method of claim 10 wherein the first encryption key is formed based on a formula, the formula being:
    - MA-Key=HMAC-SHA1(MSK,Mesh-Access-Key)wherein MA-Key designates an associated key, HMAC-SHA1 is a keyed hash function using hash function SHA-1, MSK designates a master session key according to EAP protocol and Mesh-Access-Key is a string identifying a purpose of the key.
  - 12. The method of claim 10 wherein the first encryption key is formed based on a formula, the formula being:
    - MA-Key=HMAC-SHA1(EMSK,Mesh-Access-Key)wherein MA-Key denotes the assigned key, HMAC-SHA1 denotes a keyed hash function HMAC using hash function SHA-1, EMSK denotes Extended Master Session Key determined in accordance with the EAP protocol, and Mesh-Access-Key denotes a character string expressing a purpose of the key.
  - 13. The method of claim 1 wherein the first encryption information comprises a first encryption key and the method further comprising the first communication device saving the first encryption information.
  - 14. The method of claim 13 further comprising the authentication sever and the second communication device deriving an encryption key for protecting communications between the second communication device and the authentication server that take place after the second authentication communication.
  - 15. The method of claim 14 wherein the authentication server communicates with the first communication device via a proxy device.
  - 16. The method of claim 14 wherein the first encryption key for protecting communications between the second communication device and the authentication server is based on a formula, the formula being:
    - AAA-Key=HMAC-SHA1(EMSK,Mesh-AAA-Key)wherein AAA-Key denotes the assigned key, HMAC-SHA1 denotes a keyed hash function HMAC using hash function SHA-1, EMSK denotes Extended Master Session Key determined in accordance with the EAP protocol, and Mesh-AAA-Key denotes a character string expressing a purpose of the key.
  - 17. The method of claim 14 wherein another encryption key is derived to protect communications between the second communication device and a proxy of the authentication server based on a formula, the formula being:
    - GW-Key=HMAC-SHA1(EMSK,Mesh-GW-Key)wherein GW-Key denotes the assigned key, HMAC-SHA1 denotes a keyed hash function HMAC using hash function SHA-1, EMSK denotes Extended Master Session Key determined in accordance with the EAP protocol, and Mesh-GW-Key denotes a character string expressing a purpose of the key.
  - 18. The method of claim 1 wherein the first encryption information comprises parameters associated with the second communication device and network attribute data protected by a second encryption key, and wherein the second encryption information comprises the second encryption key, and the method further comprising:
    - the first communication device communicating the parameters to the second communication device.
  - 19. The method of claim 18 wherein the second encryption key is formed based on a formula, the formula being:
    - PP-Key=HMAC-SHA1(EMSK,Mesh-Access-Key)wherein PP-Key denotes the assigned key, HMAC-SHA1 denotes a keyed hash function HMAC using hash function SHA-1, EMSK denotes Extended Master Session Key determined in accordance with the EAP protocol, and Mesh-Access-Key denotes a character string expressing a purpose of the key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unify Patente GmbH & Co. KG (Atos SE)
Original Assignee
Siemens Enterprise Communications GmbH and Co KG (Mitel Networks Corporation)
Inventors
Falk, Rainer, Kohlmayer, Florian
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
GRACIA, GARY S

Application Number

US12/223,203
Publication Number

US 20100228980A1
Time in Patent Office

2,183 Days
Field of Search

713/155
US Class Current

713/155
CPC Class Codes

H04L 2209/80   Wireless

H04L 2463/061   applying further key deriva...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0869   for achieving mutual authen...

H04L 63/0892   by using authentication-aut...

H04L 63/162   at the data link layer

H04L 9/083   involving central third par...

H04L 9/321   involving a third party or ...

H04W 12/06   Authentication

H04W 12/50   Secure pairing of devices

Method and arrangement for providing a wireless mesh network

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and arrangement for providing a wireless mesh network

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links