System and method for determining leveled security key holder

US 9,084,111 B2
Filed: 02/07/2012
Issued: 07/14/2015
Est. Priority Date: 02/07/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

detecting, by a network device in a wireless network, a roaming or connection pattern of one or more wireless clients in the wireless network based on requests received from the wireless clients;

prioritizing two or more of;

(1) a first selecting rule based on an initial association of a particular wireless client with the wireless network;

(2) a second selecting rule based on at least one of a roaming pattern and a connection pattern of the particular wireless client;

(3) a third selecting rule based on a random election among a plurality of network devices capable of servicing as the appropriate key holder for the particular wireless client;

or (4) a fourth selecting rule based on connectivity of the particular wireless client; and

selecting a key holder for storing a second level key for a particular wireless client among a plurality of network devices based on prioritized rules, wherein the second level key is derived from a first level key which is derived from a pre-configured key, and wherein the second level key is used to generate a derived security key for authenticating the particular wireless client.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure discloses a network device and/or method for determination of leveled security key holders for a wireless client in a wireless network. The network device detects a roaming or connection pattern of one or more wireless clients in the wireless network based on requests received from the wireless clients. Furthermore, the network device determines one or more selecting rules for selecting an appropriate key holder for the wireless client among a plurality of network devices. Next, the network device prioritizes the one or more selecting rules, and selects the appropriate key holder based on the determined rules and their corresponding prioritization. Through selection of appropriate key holders, the disclosed method provides for better load balancing among possible leveled key holders, and shortens the latencies experienced by wireless clients during fast basic service set transition.

35 Citations

View as Search Results

19 Claims

1. A method comprising:
- detecting, by a network device in a wireless network, a roaming or connection pattern of one or more wireless clients in the wireless network based on requests received from the wireless clients;
  
  prioritizing two or more of;
  
  (1) a first selecting rule based on an initial association of a particular wireless client with the wireless network;
  
  (2) a second selecting rule based on at least one of a roaming pattern and a connection pattern of the particular wireless client;
  
  (3) a third selecting rule based on a random election among a plurality of network devices capable of servicing as the appropriate key holder for the particular wireless client;
  
  or (4) a fourth selecting rule based on connectivity of the particular wireless client; and
  
  selecting a key holder for storing a second level key for a particular wireless client among a plurality of network devices based on prioritized rules, wherein the second level key is derived from a first level key which is derived from a pre-configured key, and wherein the second level key is used to generate a derived security key for authenticating the particular wireless client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the selected key holder stores security association information for the wireless client upon successful authentication to avoid re-authentication when the wireless client subsequently initiates a fast basic service set transition to another network device in the wireless network coupling to the appropriate key holder.
  - 3. The method of claim 1, wherein the pre-configured key comprises one or more of a master session key received from an authentication server and a pre-shared key pre-established between the wireless client and the wireless network.
  - 4. The method of claim 1, wherein the derived security key comprises a pairwise transient key used for authentication of the wireless client in a fast basic service set transition.
  - 5. The method of claim 1,wherein the second selecting rule is associated with high priority in response to the specific wireless client spending more time near a second key holder than a first key holder based on at least one of the roaming pattern and a connection pattern;
    - wherein the first key holder is near a first location at which the specific wireless client initiates association with the wireless network;
      
      wherein the second key holder is located near a second location different from the first location, the second location being the current location of the specific wireless client; and
      
      wherein selecting the key holder comprises selecting the second key holder as the key holder for the wireless client.
  - 6. The method of claim 1, further comprising:
    - detecting existence of the second key holder near the current location of the specific wireless client;
      
      detecting a capability of the second key holder, wherein the capability comprising serving as the key holder for the specific wireless client; and
      
      removing cached security association information associated with the specific wireless client from the first key holder in response to detecting the existence of the second key holder.
  - 7. The method of claim 1,wherein the plurality of network devices are capable of serving as the key holder for a plurality of wireless clients including the specific wireless client;
    - andwherein the third selecting rule is associated with high priority in response to the plurality of wireless clients initiating association with the wireless network within a predetermined time period.
  - 8. The method of claim 7, further comprising:
    - identifying a subset of possible network devices from the plurality network devices capable of serving as the key holder for the specific wireless client based on one or more of;
      
      a total number of wireless clients serviced by a respective network device, anda current load on the respective network device.
  - 9. The method of claim 8, wherein selecting the key holder comprises selecting a random key holder among the subset of possible network devices capable of serving as the appropriate key holder for the specific client.

10. A network device comprising:
- a processor;
  
  a memory;
  
  a detecting mechanism operating with the processor, the detecting mechanism to detect a roaming or connection pattern of one or more wireless clients in the wireless network based on requests received from the wireless clients;
  
  a prioritizing mechanism operating with the processor, the prioritizing mechanism prioritizing two or more of;
  
  (1) a first selecting rule based on an initial association of a particular wireless client with the wireless network;
  
  (2) a second selecting rule based on at least one of a roaming pattern and a connection pattern of the particular wireless client;
  
  (3) a third selecting rule based on a random election among a plurality of network devices capable of servicing as the appropriate key holder for the particular wireless client;
  
  or (4) a fourth selecting rule based on connectivity of the particular wireless client; and
  
  a selecting mechanism operating with the processor, the selecting mechanism selecting a key holder for storing a second level key for a particular wireless client among a plurality of network devices based on prioritized rules, wherein the second level key is derived from a first level key which is derived from a pre-configured key, and wherein the second level key is used to generate a derived security key for authenticating the particular wireless client.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The network device of claim 10, wherein the selected key holder stores security association information for the wireless client upon successful authentication to avoid re-authentication when the wireless client subsequently initiates a fast basic service set transition to another network device in the wireless network coupling to the appropriate key holder.
  - 12. The network device of claim 10, wherein the pre-configured key comprises one or more of a master session key received from an authentication server and a pre-shared key pre-established between the wireless client and the wireless network.
  - 13. The network device of claim 10, wherein the derived security key comprises a pairwise transient key used for authentication of the wireless client in a fast basic service set transition.
  - 14. The network device of claim 10,wherein the second selecting rule is associated with high priority in response to the specific wireless client spending more time near a second key holder than a first key holder based on at least one of the roaming pattern and a connection pattern;
    - wherein the first key holder is near a first location at which the specific wireless client initiates association with the wireless network;
      
      wherein the second key holder is located near a second location different from the first location, the second location being the current location of the specific wireless client; and
      
      wherein selecting the key holder comprises selecting the second key holder as the key holder for the wireless client.
  - 15. The network device of claim 10,wherein the detecting mechanism further to detect existence of the second key holder near the current location of the specific wireless client, and to detect a capability of the second key holder, the capability comprising serving as the key holder for the specific wireless client;
    - andwherein the network device further comprises a removing mechanism operating with the processor, the removing mechanism to remove cached security association information associated with the specific wireless client from the first key holder in response to the detecting mechanism detects the existence of the second key holder.
  - 16. The network device of claim 10,wherein the plurality of network devices are capable of serving as the key holder for a plurality of wireless clients including the specific wireless client;
    - andwherein the third selecting rule is associated with high priority in response to the plurality of wireless clients initiating association with the wireless network within a predetermined time period.
  - 17. The network device of claim 16, further comprising an identifying mechanism operating with the processor, the identifying mechanism to identify a subset of possible network devices from the plurality network devices capable of serving as the key holder for the specific wireless client based on one or more of:
    - a total number of wireless clients serviced by a respective network device, anda current load on the respective network device.
  - 18. The network device of claim 17, wherein the selecting mechanism selects a random key holder among the subset of possible network devices capable of serving as the key holder for the specific client.

19. A non-transitory computer-readable storage medium storing embedded instructions that are executed by one or more mechanisms implemented within a network device to perform a plurality of operations comprising:
- detecting a roaming or connection pattern of one or more wireless clients in a wireless network based on requests received from the wireless clients;
  
  prioritizing two or more of;
  
  (1) a first selecting rule based on an initial association of a particular wireless client with the wireless network;
  
  (2) a second selecting rule based on at least one of a roaming pattern and a connection pattern of the particular wireless client;
  
  (3) a third selecting rule based on a random election among a plurality of network devices capable of servicing as the appropriate key holder for the particular wireless client;
  
  or (4) a fourth selecting rule based on connectivity of the particular wireless client; and
  
  selecting a key holder for storing a second level key for a particular wireless client among a plurality of network devices based on prioritized rules, wherein the second level key is derived from a first level key which is derived from a pre-configured key, and wherein the second level key is used to generate a derived security key for authenticating the particular wireless client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Aruba Networks Incorporated (Hewlett-Packard Enterprise Company)
Inventors
Narasimhan, Partha, Joshi, Venkatesh, Lo, Juei-Cheng
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US13/368,212
Publication Number

US 20130203384A1
Time in Patent Office

1,253 Days
Field of Search

726/1, 726/2, 726/7, 380/247, 380/250, 380/270, 380/272, 380/277.278, 380/277, 380/278, 380/45.247, 455/436, 455/432.1, 455/433, 455/439, 455/435.2, 455/435.3, 455/456.1, 455/456.2, 455/411, 455/525
US Class Current

1/1
CPC Class Codes

H04L 2463/061   applying further key deriva...

H04L 63/0227   Filtering policies mail mes...

H04L 63/20   for managing network securi...

H04L 9/0861   Generation of secret inform...

H04W 12/04   Key management, e.g. using ...

H04W 12/71   Hardware identity

H04W 12/73   Access point logical identity

H04W 36/08   Reselecting an access point

H04W 48/20   Selecting an access point

H04W 84/12   WLAN [Wireless Local Area N...

System and method for determining leveled security key holder

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

System and method for determining leveled security key holder

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others