Using information in a digital certificate to authenticate a network of a wireless access point

US 9,197,420 B2
Filed: 01/06/2010
Issued: 11/24/2015
Est. Priority Date: 01/06/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method for authenticating a network of a wireless access point, the method comprising:

obtaining, by one or more processors, a digital certificate of a server from the wireless access point in response to identifying the network of the wireless access point, the digital certificate comprising a public key for the network, the wireless access point sending and receiving the digital certificate between one or more processors and the server for the authenticating of the network;

determining, by one or more processors, whether a digital signature in the digital certificate is signed by a trusted certificate authority;

determining, by one or more processors, whether a domain name for the network in the digital certificate matches a service set identifier broadcast by the wireless access point;

determining, by one or more processors, whether the network is known to be trusted based on one of user input identifying the domain name for the network in the digital certificate as trusted and presence of the public key for the network in a database of public keys for networks that are known to be trusted;

establishing, by one or more processors, a session for a wireless connection to the wireless access point for communicating with the network through the wireless access point in response to a determination that the digital signature in the digital certificate is signed by the trusted certificate authority, a determination that the domain name for the network in the digital certificate matches the service set identifier broadcast by the wireless access point, and a determination that the network is known to be trusted; and

blocking, by one or more processors, communications with the network through the wireless access point in response to a determination that the digital signature in the digital certificate is not signed by the trusted certificate authority, a determination that the domain name for the network in the digital certificate does not match the service set identifier broadcast by the wireless access point, and a determination that the network is not known to be trusted.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for establishing a wireless connection. A digital certificate having a second name is obtained by a processor unit in response to receiving a selection of a network using a first name broadcast by a wireless access point. A determination is made by the processor unit as to whether the digital certificate is valid. A determination is made by the processor unit as to whether the second name in the digital certificate matches the first name broadcast by the wireless access point. The processor unit establishes the wireless connection to the wireless access point in response to the digital certificate being valid and the second name in the digital certificate matching the first name broadcast by the wireless access point.

22 Citations

View as Search Results

17 Claims

1. A method for authenticating a network of a wireless access point, the method comprising:
- obtaining, by one or more processors, a digital certificate of a server from the wireless access point in response to identifying the network of the wireless access point, the digital certificate comprising a public key for the network, the wireless access point sending and receiving the digital certificate between one or more processors and the server for the authenticating of the network;
  
  determining, by one or more processors, whether a digital signature in the digital certificate is signed by a trusted certificate authority;
  
  determining, by one or more processors, whether a domain name for the network in the digital certificate matches a service set identifier broadcast by the wireless access point;
  
  determining, by one or more processors, whether the network is known to be trusted based on one of user input identifying the domain name for the network in the digital certificate as trusted and presence of the public key for the network in a database of public keys for networks that are known to be trusted;
  
  establishing, by one or more processors, a session for a wireless connection to the wireless access point for communicating with the network through the wireless access point in response to a determination that the digital signature in the digital certificate is signed by the trusted certificate authority, a determination that the domain name for the network in the digital certificate matches the service set identifier broadcast by the wireless access point, and a determination that the network is known to be trusted; and
  
  blocking, by one or more processors, communications with the network through the wireless access point in response to a determination that the digital signature in the digital certificate is not signed by the trusted certificate authority, a determination that the domain name for the network in the digital certificate does not match the service set identifier broadcast by the wireless access point, and a determination that the network is not known to be trusted.
- View Dependent Claims (2, 3, 4, 5, 6, 14, 15, 16, 17)
- - 2. The method of claim 1 further comprising:
    - exchanging, by one or more processors, information with the network using the session for the wireless connection established with the wireless access point.
  - 3. The method of claim 1, wherein the step of determining, by one or more processors, whether the network is known to be trusted includes:
    - determining, by one or more processors, whether the digital certificate matches one of a number of digital certificates previously identified as being valid.
  - 4. The method of claim 1, wherein the step of establishing, by one or more processors, the session for the wireless connection to the wireless access point comprises:
    - generating a session key for the wireless connection using the digital certificate; and
      
      exchanging information with the server using the session key to encrypt and decrypt the information.
  - 5. The method of claim 1, wherein the wireless connection is an encrypted wireless connection, and wherein the digital certificate is sent and received by the wireless access point using a standard authentication protocol of extensible authentication protocol-transport layer security (EAP-TLS).
  - 6. The method of claim 1, wherein the network is a wireless network specified by IEEE 802.11 standards.
  - 14. The method of claim 1, wherein the step of one or more processors determining that network is known to be trusted based on the presence of the public key for the network in the database is further based on a collective opinion of users of the database that the network is to be trusted.
  - 15. The method of claim 1, wherein the database is a local copy of the database.
  - 16. The method of claim 1, wherein prior to the step of one or more processors determining whether the domain name for the network in the digital certificate matches the service set identifier broadcast by the wireless access point, one or more processors determine if an extended service set identifier is in the digital certificate, and in response modify the service set identifier by adding the extended service set identifier to the service set identifier.
  - 17. The method of claim 1, wherein one or more processors, the wireless access point, and the server use an authentication protocol to send and receive the digital certificate.

7. A data processing system for authenticating a network of a wireless access point, the data processing system comprising:
- one or more processors, a computer-readable memory, a computer-readable storage device;
  
  first program code to obtain a digital certificate of a server from the wireless access point in response to identifying the network of the wireless access point, the digital certificate comprising a public key for the network, the wireless access point sending and receiving the digital certificate between the one or more processors and the server for the authenticating of the network;
  
  second program code to determine whether a digital signature in the digital certificate is signed by a trusted certificate authority;
  
  third program code to determine whether a domain name for the network in the digital certificate matches a service set identifier broadcast by the wireless access point;
  
  fourth program code to determine whether the network is known to be trusted based on one of user input identifying the domain name for the network in the digital certificate as trusted and presence of the public key for the network in a database of public keys for networks that are known to be trusted;
  
  fifth program code to establish a session for a wireless connection to the wireless access point for communicating with the network through the wireless access point in response to a determination that the digital signature in the digital certificate is signed by the trusted certificate authority, a determination that the domain name for the network in the digital certificate matches the service set identifier broadcast by the wireless access point, and a determination that the network is known to be trusted; and
  
  sixth program code to block communications with the network through the wireless access point in response to a determination that the digital signature in the digital certificate is not signed by the trusted certificate authority, a determination that the domain name for the network in the digital certificate does not match the service set identifier broadcast by the wireless access point, and a determination that the network is not known to be trusted, wherein the first program code, the second program code, the third program code, the fourth program code, the fifth program code, and the sixth program code are stored in the computer-readable storage device for execution by at least one of the one or more processors via the computer-readable memory.
- View Dependent Claims (8, 9, 10)
- - 8. The data processing system of claim 7, further comprising:
    - seventh program code to exchange information with the network using the session for the wireless connection established with the wireless access point, wherein the seventh program code is stored in the computer-readable storage device for execution by at least one of the one or more processors via the computer-readable memory.
  - 9. The data processing system of claim 7, wherein the fourth program code to determine whether the network is known to be trusted is further based on determining whether the digital certificate matches one of a number of digital certificates previously identified as being valid.
  - 10. The data processing system of claim 7, wherein the fifth program code establishes the wireless connection to the wireless access point by generating a session key for the wireless connection using the digital certificate and exchanging information with the server using the session key to encrypt and decrypt the information.

11. A computer program product for authenticating a network of a wireless access point, the computer program product comprising:
- a computer-readable storage device;
  
  program code, stored on the computer-readable storage device, for obtaining a digital certificate of a server from the wireless access point in response to identifying the network of the wireless access point, the digital certificate comprising a public key for the network;
  
  program code, stored on the computer-readable storage device, for determining whether a digital signature in the digital certificate is signed by a trusted certificate authority;
  
  program code, stored on the computer-readable storage device, for determining whether a domain name for the network in the digital certificate matches a service set identifier broadcast by the wireless access point;
  
  program code, stored on the computer-readable storage device, for determining whether the network is known to be trusted based on one of user input identifying the domain name for the network in the digital certificate as trusted and on presence of the public key for the network in a database of public keys for networks that are known to be trusted;
  
  program code, stored on the computer-readable storage device, responsive to a determination that the digital signature in the digital certificate is signed by the trusted certificate authority, a determination that the domain name for the network in the digital certificate matches the service set identifier broadcast by the wireless access point, and a determination that the network is known to be trusted, for establishing a session for a wireless connection to the wireless access point for communicating with the network through the wireless access point; and
  
  program code, stored on the computer-readable storage device, for blocking communications with the network through the wireless access point responsive to a determination that the digital signature in the digital certificate is not signed by the trusted certificate authority, a determination that the domain name for the network in the digital certificate does not match the service set identifier broadcast by the wireless access point, and a determination that the network is not known to be trusted.
- View Dependent Claims (12, 13)
- - 12. The computer program product of claim 11 further comprising:
    - program code, stored on the computer-readable storage device, for exchanging information with the network using the session for the wireless connection established with the wireless access point.
  - 13. The computer program product of claim 11, wherein the program code for determining whether the network is known to be trusted is further based on determining whether the digital certificate matches one of a number of digital certificates previously identified as being valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Cross, Thomas J., Dewey, David B., Takahashi, Takehiro
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Le, Canh

Application Number

US12/652,973
Publication Number

US 20110167263A1
Time in Patent Office

2,148 Days
Field of Search

713/168
US Class Current

1/1
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

H04W 12/04   Key management, e.g. using ...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 84/12   WLAN [Wireless Local Area N...

Using information in a digital certificate to authenticate a network of a wireless access point

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Using information in a digital certificate to authenticate a network of a wireless access point

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links