Wireless device and method for rekeying with reduced packet loss for high-throughput wireless communications
Abstract
Embodiments of a wireless device and methods for rekeying with reduced packet loss in a wireless network are generally described herein. In some embodiments, during rekeying operations a new key for reception may be installed early (i.e., prior to receipt of a rekeying confirmation message). The use of the new key for transmission may be delayed until after receipt of the rekeying confirmation message. The early installation of the new key for reception may allow both the new key and the old key to be active at the same time for use in decrypting received packets, reducing packet loss during rekeying operations. The rekeying confirmation message may be the fourth message of a four-way handshake for rekeying. In some embodiments, two key identifiers may be alternated between four-way handshakes to prevent deletion of the old key.
24 Claims
1. A method performed by an authenticator for toggling between keys during an established secure communication session with a supplicant, the established secure communication session using a current pair-wise key for unicast communications, the method comprising:
installing a new pair-wise key for reception prior to receipt of a rekeying confirmation message;
continuing to use the current pair-wise key for transmission and delaying use of the new pair-wise key for transmission until after receipt of the rekeying confirmation message, wherein after installing the new pair-wise key for reception and prior to receipt of the rekeying confirmation message, the method further comprises:
receiving a unicast packet that includes a key ID field, the key ID field including a key ID portion and an Extended Key ID bit, the key ID portion identifying one of a plurality of keys, the Extended Key ID bit indicating whether to toggle between the current pair-wise key and the new pair-wise key;
reading the Extended Key ID bit in the key ID field of the received unicast packet to determine whether to decrypt the received unicast packet using the installed current pair-wise key or the installed new pair-wise key;
continuing to use the current pair-wise key for transmission;
the authenticator installing the new pair-wise key for use in decrypting received packets after receipt of a second message of the four-way handshake and prior to transmission of a third message of the four-way handshake; and
the authenticator delaying use of the new pair-wise key for use in encrypting packets for transmission until after receipt of the fourth message, and wherein the installing is performed by processing circuitry of the authenticator and the current and new pair-wise keys are stored in unicast key ID space of a memory; and
further wherein the rekeying confirmation message is a fourth message of a four-way handshake for rekeying; and
further wherein the supplicant is to install the new pair-wise key for reception prior to transmission of the rekeying confirmation message and is to delay using the new pair-wise key for transmission until after the transmission of the rekeying confirmation message; and
further wherein the supplicant is to delay using the new pair-wise key for transmission until immediately after sending the rekeying confirmation message or a predetermined period of time after sending the rekeying confirmation message; and
further wherein after installing the new pair-wise key for reception prior to receipt of the rekeying confirmation message, the method includes selecting either the new pair-wise key or the current pair-wise key for decrypting received unicast packets based on a key identifier carried in the received unicast packets; and
further wherein the supplicant installs the new pair-wise key for use in decrypting received messages after receipt of the third message and prior to transmission of the fourth message, and wherein the supplicant delays installing the new pair-wise key for use in encrypting packets for transmission until either immediately after transmission of the fourth message or a predetermined period of time after transmission of the fourth message.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method performed by a supplicant for toggling between keys during an established secure communication session with an authenticator, the established secure communication session using a current pair-wise key for unicast communications, the method comprising:
installing a new pair-wise key for reception prior to transmission of a rekeying confirmation message to the authenticator;
continuing to use the current pair-wise key for transmission and delaying using the new pair-wise key for transmission until after the transmission of the rekeying confirmation message; and
supporting use of both the current pair-wise key for reception and the new pair-wise key for reception after the rekeying confirmation message,
wherein after installing the new pair-wise key for reception and prior to receipt of the rekeying confirmation message, the method further comprises using the current pair-wise key or the new pair-wise key based on a key ID field in a received unicast packet for reception while continuing to use the current pair-wise key for transmission, wherein the key ID field includes a key ID portion and an Extended Key ID bit, the key ID portion identifying one of a plurality of keys, the Extended Key ID bit indicating whether to toggle between presently installed keys,
wherein the installing is performed by processing circuitry of the supplicant and the current and new pair-wise keys are stored in unicast key ID space of a memory, and
wherein the method further includes reading the Extended Key ID bit in the key ID field of a received unicast packet to determine whether to toggle between the current pair-wise key and the new pair-wise key to decrypt the received unicast packet.
Dependent claims: 12, 13, 14, 15.
16. A wireless device comprising:
processing circuitry to perform rekeying operations during an established secure communication session which uses a current pair-wise key for unicast communications; and
memory having unicast key ID space to store at least two unicast keys for use in encrypting and decrypting packets comprising unicast traffic,
wherein when the wireless device operates as an authenticator, the processing circuitry is to install a new pair-wise key for reception prior to receipt of a rekeying confirmation message, continue to use the current pair-wise key for transmission, and delay use of the new pair-wise key for transmission until after receipt of the rekeying confirmation message,
wherein when the wireless device operates as an authenticator, the authenticator continues to support the use of the current pair-wise key for reception and the new pair-wise key for reception for a predetermined period of time after receipt of the rekeying confirmation message,
wherein after installing the new pair-wise key for reception and prior to receipt of the rekeying confirmation message, the processing circuitry is configured to use the current pair-wise key or the new pair-wise key based on a key ID field in a received unicast packet for reception while continuing to use the current pair-wise key for transmission, wherein the key ID field includes a key ID portion and an Extended Key ID bit, the key ID portion identifying one of a plurality of keys, the Extended Key ID bit indicating whether to toggle between presently installed keys, and
wherein the processing circuitry is configured to read the Extended Key ID bit in the key ID field of the received unicast packet to determine whether to toggle between the current pair-wise key and the new pair-wise key to decrypt the received unicast packet.
Dependent claims: 17, 18, 19.
20. A method of rekeying performed by a supplicant during a secure video-streaming session that uses a first pair-wise key for unicast communications, the method comprising:
receiving unicast packets that comprise streamed video, the unicast packets being encrypted with the first pair-wise key;
receiving a rekeying initiation message to initiate rekeying operations;
installing a second pair-wise key for reception prior to transmission of a rekeying confirmation message to an authenticator;
continuing to use the first pair-wise key for transmission and delaying use of the second pair-wise key for transmission until after receipt of a rekeying confirmation message;
reading an Extended Key ID bit in a key ID field of received unicast packets to determine whether to toggle between the first and second pair-wise keys to decrypt each received unicast packet, the key ID field including a key ID portion and the Extended Key ID bit, the key ID portion identifying one of a plurality of keys, the Extended Key ID bit indicating whether to toggle between presently installed keys; and
supporting reception of the unicast packets with both the first key and the second key until a predetermined period of time after transmission of the rekeying confirmation message,
wherein the installing is performed by processing circuitry of the supplicant and the current and new pair-wise keys are stored in unicast key ID space of a memory.
Dependent claims: 21, 22, 23, 24.