Method and apparatus for security configuration and verification of wireless devices in a fixed/mobile convergence environment

US 9,319,879 B2
Filed: 01/21/2008
Issued: 04/19/2016
Est. Priority Date: 05/30/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A handoff server comprising:

at least one network interface; and

at least one hardware processor coupled to the at least one network interface, wherein the at least one hardware processor is configured to;

register one or more event notifications with a mobile device via the at least one network interface, wherein the one or more event notifications comprise at least one of an application change, a link degradation, a discovery of a new network interface, and an occurrence of a reportable event;

pre-authenticate the mobile device by validating at least one of reachability of the mobile device and a token of the mobile device;

in response to an event notification from a mobile device, determine that the mobile device should transition to a new network and retrieve security configuration information from an information server via the at least one network interface, wherein the information server stores network and related security configuration information for a plurality of networks;

selectively forward, based on said retrieving, connectivity information and security configuration information for a selected access point of a selected network to the mobile device for connection of the mobile device to the access point of the selected network; and

authenticate the mobile device with the selected network by monitoring the mobile device to determine that the mobile device has connected to the selected access point within a selected amount of time and validating the token of the mobile device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is described that enables autonomic discovery of wireless network security mechanisms by mobile devices. Stateful monitoring of wireless devices facilitates identification of pending network connectivity loss, enabling a handoff server to proactively advertise new points of access and their associated security mechanisms to devices before connectivity is lost. As a result, devices may seamlessly transition between secure networks. Stateful monitoring of device reachability may be used together with device certificates and/or tokens to decrease the potential of MAC spoofing and further secure the network. Stateful monitoring of device connectivity status during network transitions facilitates the identification of rogue access points. The token or certificate on the device may be used to authenticate the device while transitioning between networks by a centralized entity, managing the initiation and the execution of the handover for the device.

Citations

20 Claims

1. A handoff server comprising:
- at least one network interface; and
  
  at least one hardware processor coupled to the at least one network interface, wherein the at least one hardware processor is configured to;
  
  register one or more event notifications with a mobile device via the at least one network interface, wherein the one or more event notifications comprise at least one of an application change, a link degradation, a discovery of a new network interface, and an occurrence of a reportable event;
  
  pre-authenticate the mobile device by validating at least one of reachability of the mobile device and a token of the mobile device;
  
  in response to an event notification from a mobile device, determine that the mobile device should transition to a new network and retrieve security configuration information from an information server via the at least one network interface, wherein the information server stores network and related security configuration information for a plurality of networks;
  
  selectively forward, based on said retrieving, connectivity information and security configuration information for a selected access point of a selected network to the mobile device for connection of the mobile device to the access point of the selected network; and
  
  authenticate the mobile device with the selected network by monitoring the mobile device to determine that the mobile device has connected to the selected access point within a selected amount of time and validating the token of the mobile device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The handoff server of claim 1, wherein the event notification is a notification of the occurrence of an event trigger, and wherein events associated with event triggers are defined by the handoff server.
  - 3. The handoff server of claim 1, wherein monitoring comprises active stateful monitoring of the mobile device.
  - 4. The handoff server of claim 3, wherein the at least one hardware processor is further configured to forward a request to the information server for a list of networks satisfying at least one predetermined criteria.
  - 5. The handoff server of claim 4, wherein the predetermined criteria is selected from a group including a roaming agreement, an application service and a security mechanism.
  - 6. The handoff server of claim 1, wherein the handoff server is configured as a proxy gateway for the mobile device using the security configuration information.
  - 7. The handoff server of claim 1, wherein the at least one hardware processor is further configured to obtain the mobile device token from a third party certification authority.
  - 8. The handoff server of claim 1, wherein the at least one hardware processor is further configured to selectively forward connectivity information and security configuration information to the mobile device prior to the mobile device connecting to the access point.
  - 9. The handoff server of claim 1, wherein at least one of the event triggers identifies one or more configurable event triggers of the mobile device.

10. A method for autonomously deploying security configuration information to a mobile device comprising:
- by a handoff server,registering one or more event notifications with the mobile device, wherein the one or more event notifications comprise at least one of an application change, a link degradation, a discovery of a new network interface, and an occurrence of a reportable event;
  
  pre-authenticating a mobile device by validating at least one of reachability of the mobile device and a token of the mobile device;
  
  receiving notification of an event trigger from the mobile device;
  
  determining that the mobile device should transition to another network;
  
  retrieving, from an information server that stores network and related security configuration parameters, a point of access to a new network and security information associated with the new network;
  
  forwarding the selected point of access and related security information to the mobile device; and
  
  authenticating the mobile device with the selected network by monitoring the mobile device to determine that the mobile device has connected to the selected access point within a selected amount of time and validating the token of the mobile device.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The method of claim 10, wherein said retrieving comprises determining whether the new network satisfies a criteria of the handoff server and forwarding the point of access to the new network only if the new network satisfies the criteria.
  - 12. The method of claim 10, wherein said retrieving comprises determining, by the handoff server, whether the mobile device is configured to implement a security mechanism associated with the security information.
  - 13. The method of claim 12, wherein, responsive to a determination that the mobile device is configured to implement the security mechanism, forwarding, by the handoff server, the security information to the mobile device.
  - 14. The method of claim 12, wherein, responsive to a determination that the mobile device is not configured to implement the security mechanism, providing, by the handoff server, a proxy gateway to act as a supplicant for the mobile device.
  - 15. The method of claim 10, further comprising quarantining, by the handoff server, the mobile device if it has not connected to the new network in the selected amount time period.
  - 16. The method of claim 10, wherein said monitoring comprises performing, by the handoff server, active, stateful monitoring of the mobile device connection status to identify potential rogue access points during mobile device transition between networks.
  - 17. The method of claim 10, wherein said monitoring comprises performing, by the handoff server, active, stateful monitoring of a reachability of the mobile device to identify potential MAC spoofing.
  - 18. The method of claim 10, wherein said retrieving from the information server comprises providing, by the handoff server, at least one network criteria to the information server, the at least one network criteria describing a characteristic of a desired network, the characteristic selected from a group including a roaming agreement, a security mechanism, an application service, a location and a security level.
  - 19. The method of claim 10, further comprising obtaining, by the handoff server, the mobile device token from a third party certification authority.
  - 20. The method of claim 10, wherein at least one of the event triggers identifies one or more configurable event triggers of the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Achtari, Guyves, Plante, Denis, Bernier, Eric
Primary Examiner(s)
SCHMIDT, KARI L

Application Number

US12/017,181
Publication Number

US 20080301773A1
Time in Patent Office

3,011 Days
Field of Search

726/3, 726/30, 370/241, 370/331, 370/332, 370/338, 455/173, 455/436, 455/439, 455/440
US Class Current

1/1
CPC Class Codes

G06F 15/16   Combinations of two or more...

G06F 21/35   communicating wirelessly

H04L 63/0876   based on the identity of th...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/086   using security domains

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 36/0038   of security context informa...

Method and apparatus for security configuration and verification of wireless devices in a fixed/mobile convergence environment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for security configuration and verification of wireless devices in a fixed/mobile convergence environment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links