PANA for roaming Wi-Fi access in fixed network architectures
First Claim
1. A network component comprising:
- a memory comprising computer readable instructions that when implemented by a processor cause the processor to:
derive a Master Session Key (MSK) using a secret key and at least one parameter obtained from an Extensible Authentication Protocol (EAP) sequence;
derive a first Pairwise Master Key (PMK) and a second PMK from the MSK;
establish a first authentication between a user equipment (UE) and a home gateway (HG) using the first PMK, wherein the first authentication allows the establishment of a first secure tunnel that extends between the UE and the HG; and
establish a second authentication between the UE and an end point using the second PMK, wherein the second authentication allows the establishment of a second secure tunnel that extends between the UE and the end point and through the HG, wherein the end point is not part of the HG, wherein the HG and the end point are located in separate nodes, wherein the HG does not have access to the second PMK or any encryption keys derived therefrom, wherein communications are exchanged between the UE and the end point over the second secure tunnel via the first secure tunnel with the HG, wherein the communications are encrypted/decrypted for the second secure tunnel using an encryption key derived from the second PMK, wherein the communications are further encrypted/decrypted for the first secure tunnel using an encryption key derived from the first PMK, and wherein by virtue of not having access to the second PMK or any encryption keys derived therefrom, the HG cannot completely decrypt the encrypted communications.
Abstract
A network component comprising at least one processor configured to implement a method comprising deriving a Master Session Key (MSK) using a secret key and at least one parameter obtained from an Extensible Authentication Protocol (EAP) sequence, deriving a first Pairwise Master Key (PMK) and a second PMK from the MSK, authenticating with a home gateway (HG) using the first PMK, and authenticating with an end point using the second PMK. Included is an apparatus comprising a node comprising an access controller (AC) and a protocol for carrying authentication for network access (PANA) Authentication Agent (PAA), wherein the AC is configured to manage authentication for a UE, and wherein the PAA is configured to implement a PANA to forward authentication information related to the UE.
14 Claims
9. A method comprising:
receiving a Master Session Key (MSK); deriving a first Pairwise Master Key (PMK) and a second PMK from the MSK; sending the first PMK to a home gateway (HG); and sending the second PMK to an end point, but not to the HG, wherein the first PMK is used for establishing a first authentication between a user equipment (UE) and the HG, wherein the first authentication allows the establishment of a first secure tunnel that extends between the UE and the HG, wherein the second PMK is used for establishing a second authentication between the UE and the end point, wherein the second authentication allows the establishment of a second secure tunnel that extends between the UE and the end point and through the HG, wherein the HG and the end point are located in separate nodes, wherein the HG does not have access to the second PMK or any encryption keys derived therefrom, wherein communications are exchanged between the UE and the end point over the second secure tunnel via the first secure tunnel with the HG, wherein the communications are encrypted for the second secure tunnel by the UE and decrypted by the end point using an encryption key derived from the second PMK, wherein the communications are encrypted for the first secure tunnel by the UE and decrypted by the HG using an encryption key derived from the first PMK, and wherein by virtue of not having access to the second PMK or any encryption keys derived therefrom, the HG cannot completely decrypt the encrypted communications.
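The key hierarchy in claims 1 and 9 (MSK from the EAP exchange, two PMKs split from it, the second PMK withheld from the HG, and the inner tunnel carried inside the outer one) can be exercised end to end in a small model. The following is an added example written for this page, not code from the patent or from any vendor implementation; it assumes HKDF-Expand (RFC 5869) as the key derivation function, which the page does not name, uses an HMAC-SHA256 counter-mode keystream as a stand-in for a real tunnel cipher, and feeds in constructed sample secrets.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes, length: int = 32) -> bytes:
    # HKDF-Expand style derivation (RFC 5869). The page names no KDF, so this
    # is an assumption standing in for whatever a real product would use.
    out, prev, ctr = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + label + bytes([ctr]), hashlib.sha256).digest()
        out += prev
        ctr += 1
    return out[:length]


def derive_msk(secret_key: bytes, eap_param: bytes) -> bytes:
    # MSK from the long-term secret plus a parameter taken from the EAP sequence
    return kdf(secret_key, b"MSK|" + eap_param, 64)


def derive_pmks(msk: bytes):
    # Distinct labels yield two independent PMKs from the one MSK
    return kdf(msk, b"PMK1 UE-HG"), kdf(msk, b"PMK2 UE-endpoint")


def keystream_xor(pmk: bytes, nonce: bytes, data: bytes) -> bytes:
    # Tunnel encryption key derived from the PMK, then an HMAC-SHA256 counter-mode
    # keystream; illustrative stand-in for an AEAD cipher (XOR, so encrypt == decrypt)
    tek = kdf(pmk, b"tunnel encryption key")
    stream = b"".join(hmac.new(tek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def ue_send(msg: bytes, pmk1: bytes, pmk2: bytes, nonce: bytes) -> bytes:
    inner = keystream_xor(pmk2, nonce, msg)   # second tunnel: UE <-> end point
    return keystream_xor(pmk1, nonce, inner)  # first tunnel: UE <-> HG, wraps the inner


def hg_forward(wire: bytes, pmk1: bytes, nonce: bytes) -> bytes:
    # The HG holds only PMK1: it strips the first tunnel and forwards the inner ciphertext
    return keystream_xor(pmk1, nonce, wire)


def endpoint_receive(inner: bytes, pmk2: bytes, nonce: bytes) -> bytes:
    return keystream_xor(pmk2, nonce, inner)


def run_demo() -> dict:
    # Constructed sample values, not taken from any real deployment
    msk = derive_msk(b"constructed-shared-secret", b"constructed-eap-nonce")
    pmk1, pmk2 = derive_pmks(msk)
    nonce, msg = b"\x00" * 8, b"hello end point"
    at_hg = hg_forward(ue_send(msg, pmk1, pmk2, nonce), pmk1, nonce)
    return {"pmks_differ": pmk1 != pmk2,
            "hg_reads_plaintext": at_hg == msg,
            "endpoint_plaintext": endpoint_receive(at_hg, pmk2, nonce)}
```

`run_demo()` shows the property the claims rely on: after the HG removes the first tunnel it still holds ciphertext under a key it was never given, while the end point recovers the message.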