Method for ensuring security and privacy in a wireless cognitive network

US 8,898,468 B2
Filed: 12/03/2010
Issued: 11/25/2014
Est. Priority Date: 12/08/2009
Status: Active Grant

First Claim

Patent Images

1. A method for ensuring security and privacy of communications over a wireless network of cognitive radios (“

CRN”

), the CRN including a managing base station in communication with at least one candidate node, the method comprising;

the managing base station receiving from the candidate node a request to join the CRN;

the managing base station transmitting to the candidate node a temporary node identifier;

the managing base station establishing encrypted communication with the candidate node using the temporary node identifier;

the managing base station authorizing the candidate node to join the CRN;

the managing base station conveying to the candidate node by encrypted transmission a permanent node identifier in replacement of the temporary node identifier; and

the candidate node joining the CRN using the permanent node identifier,wherein establishing encrypted communication and authorizing the candidate node to join the CRN includes;

receiving a registration request from the candidate node, the registration request including a subscriber digital certificate and a subscriber public key;

determining an authenticity of the subscriber digital certificate;

if the subscriber digital certificate is authentic, applying authorization criteria to the candidate node;

if the authorization criteria are met, authorizing participation of the candidate node in the CRN;

using the subscriber public key, encrypting an authorization key and transmitting the encrypted authorization key to the candidate node, the candidate node being able to derive therefrom a key-encryption-key (“

KEK”

), and a “

management-message-protection-key (“

MMP”

), an MMP expiration criterion being associated with the MMP so as to cause the MMP to expire when the MMP expiration criterion is met;

generating a transmission-encryption-key (“

TEK”

), encrypting the TEK using the KEK, and transmitting the encrypted TEK to the candidate node, a TEK expiration criterion being associated with the TEK so as to cause the TEK to expire when the TEK expiration criterion is met;

using the TEK, encrypting all data communication with the candidate node over the CRN;

using the MMP, encrypting all management and control communication with the candidate node over the CRN;

using the KEK, encrypting a replacement TEK and transmitting the encrypted replacement TEK to the candidate node before the TEK expiration criterion is met;

using the KEK, encrypting a replacement MMP and transmitting the encrypted replacement MMP to the candidate node before the MMP expiration criterion is met; and

so long as the candidate node continues to participate in the CRN, repeating the encrypting of a replacement TEK and of a replacement MMP, and the transmitting the encrypted replacement TEK and the encrypted replacement MMP to the candidate node before the TEK and MMP expiration criteria are met.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, authentication, confidentiality, and privacy are enhanced for a wireless network of cognitive radios by encryption of network management and control messages as well as data traffic, thereby protecting information pertaining to node identification, node location, node-sensed incumbent transmissions, CRN frequency channel selections, and such like. During initial network registration, a temporary ID can be issued to a node, and then replaced once encrypted communication has been established. This prevents association of initial, clear-text messages with later encrypted transmissions. Elliptic curve cryptography can be used for mutual authentication between subscribers and the base station. ECC-based implicit digital certificates can be embedded in co-existence beacons used by CRN nodes to coordinate use of frequency channels, thereby preventing denial of service attacks due to transmitting of falsified beacons. Similar certificates can be embedded within identity beacons used to protect certain incumbents from interference by the CRN.

Citations

13 Claims

1. A method for ensuring security and privacy of communications over a wireless network of cognitive radios (“
- CRN”
  
  ), the CRN including a managing base station in communication with at least one candidate node, the method comprising;
  
  the managing base station receiving from the candidate node a request to join the CRN;
  
  the managing base station transmitting to the candidate node a temporary node identifier;
  
  the managing base station establishing encrypted communication with the candidate node using the temporary node identifier;
  
  the managing base station authorizing the candidate node to join the CRN;
  
  the managing base station conveying to the candidate node by encrypted transmission a permanent node identifier in replacement of the temporary node identifier; and
  
  the candidate node joining the CRN using the permanent node identifier,wherein establishing encrypted communication and authorizing the candidate node to join the CRN includes;
  
  receiving a registration request from the candidate node, the registration request including a subscriber digital certificate and a subscriber public key;
  
  determining an authenticity of the subscriber digital certificate;
  
  if the subscriber digital certificate is authentic, applying authorization criteria to the candidate node;
  
  if the authorization criteria are met, authorizing participation of the candidate node in the CRN;
  
  using the subscriber public key, encrypting an authorization key and transmitting the encrypted authorization key to the candidate node, the candidate node being able to derive therefrom a key-encryption-key (“
  
  KEK”
  
  ), and a “
  
  management-message-protection-key (“
  
  MMP”
  
  ), an MMP expiration criterion being associated with the MMP so as to cause the MMP to expire when the MMP expiration criterion is met;
  
  generating a transmission-encryption-key (“
  
  TEK”
  
  ), encrypting the TEK using the KEK, and transmitting the encrypted TEK to the candidate node, a TEK expiration criterion being associated with the TEK so as to cause the TEK to expire when the TEK expiration criterion is met;
  
  using the TEK, encrypting all data communication with the candidate node over the CRN;
  
  using the MMP, encrypting all management and control communication with the candidate node over the CRN;
  
  using the KEK, encrypting a replacement TEK and transmitting the encrypted replacement TEK to the candidate node before the TEK expiration criterion is met;
  
  using the KEK, encrypting a replacement MMP and transmitting the encrypted replacement MMP to the candidate node before the MMP expiration criterion is met; and
  
  so long as the candidate node continues to participate in the CRN, repeating the encrypting of a replacement TEK and of a replacement MMP, and the transmitting the encrypted replacement TEK and the encrypted replacement MMP to the candidate node before the TEK and MMP expiration criteria are met.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the base station is able to withdraw authorization from an authorized candidate node so as to remove the candidate node from the CRN.
  - 3. The method of claim 2, wherein the method further comprises withdrawing of authorization by the managing base station from the candidate node due to at least one of:
    - transmitting of spurious noise by the candidate node; and
      
      determining by the managing base station that the subscriber is within a protected zone surrounding a known incumbent.
  - 4. The method of claim 2, wherein receiving from the candidate node a request to join the CRN includes receiving from the candidate node information specifying ID information, location information, configuration information, and capability information of the candidate node.
  - 5. The method of claim 1, wherein elliptic curve cryptography (ECC) is applied in encrypting at least one of:
    - an authorization key;
      
      the TEK;
      
      all data communication with the candidate node over the CRN;
      
      all management and control communication with the candidate node over the CRN;
      
      a replacement TEK; and
      
      a replacement MMP.
  - 6. The method of claim 1, wherein receiving from the candidate node a request to join the CRN includes receiving from the candidate node information specifying a location of the candidate node.
  - 7. The method of claim 1, wherein the authorization criteria include a requirement that the candidate node is not located within a protected region assigned to a valid incumbent using a frequency that is in use by the CRN.
  - 8. The method of claim 1, wherein the application of authorization criteria includes collaborative sensing by nodes in the CRN of spurious signals, and the authorization criteria include a requirement that the candidate node is not a source of spurious signals that might interfere with the CRN.
  - 9. The method of claim 1, wherein receiving from the candidate node a registration request includes receiving information from the candidate node specifying compliance of the candidate node with at least one of specified security protocols and specified regulatory protocols.
  - 10. The method of claim 9, wherein the authorization criteria include a requirement that the candidate node comply with at least one of the specified security protocols and the specified regulatory protocols.
  - 11. The method of claim 1, wherein the expiration criterion is an elapsing of a time interval.
  - 12. The method of claim 1, wherein the expiration criterion is the encryption of a specified number of data packets using the TEK.
  - 13. The method of claim 1, further comprising after a specified re-authorization criterion is met, requiring re-authorization of the candidate node, and only permitting continued participation by the candidate node in the CRN if the re-authorization is successful.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BAE Systems Information and Electronic Systems Integration Incorporated (BAE Systems Plc)
Original Assignee
BAE Systems Information and Electronic Systems Integration Incorporated (BAE Systems Plc)
Inventors
Reddy, Ranga, Kiernan, Thomas, Mody, Apurva N.
Primary Examiner(s)
Rashid, Harunur

Application Number

US12/959,732
Publication Number

US 20110138183A1
Time in Patent Office

1,453 Days
Field of Search

713/168, 713/169, 713/171, 713/175, 380/270
US Class Current

713/169
CPC Class Codes

H04K 2203/18   for wireless local area net...

H04K 3/25   based on characteristics of...

H04K 3/65   using deceptive jamming or ...

H04L 2209/80   Wireless

H04L 2463/062   applying encryption of the ...

H04L 63/0457   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 9/0822   using key encryption key

H04L 9/0891   Revocation or update of sec...

H04L 9/3066   involving algebraic varieti...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04W 12/02   Protecting privacy or anony...

H04W 12/037   of the control plane, e.g. ...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 16/14   Spectrum sharing arrangemen...

Method for ensuring security and privacy in a wireless cognitive network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method for ensuring security and privacy in a wireless cognitive network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links