Authorizing stations into a centrally managed network

US 9,521,090 B2
Filed: 01/07/2008
Issued: 12/13/2016
Est. Priority Date: 06/04/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method for authorizing a station, the method comprising:

generating, by a first station, a network membership key request;

communicating, via a first network, the network membership key request to an authorization server, the network membership key request including a unique identifier associated with the first station;

receiving a network membership key based, at least in part, on the network membership key request, wherein the network membership key is received in a first encrypted format based, at least in part, upon a device access key, wherein the network membership key is utilized by the first station to indicate the first station is authorized to join or participate as a member of a sub-network coupled to the first network, wherein the sub-network comprises one of an AV sub-cell or a BPL sub-cell;

communicating, by the first station, a network encryption key request , the network encryption key request encrypted utilizing the network membership key; and

receiving a network encryption key in a second encrypted format, wherein the second encrypted format is based, at least in part, upon the network membership key.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for connecting new stations to a secure network. New stations can send connection requests to a headend device. The headend device can retrieve a device access key associated with the new station and can provide a network membership key to the new station based upon authentication of the new station using the device access key.

Citations

25 Claims

1. A method for authorizing a station, the method comprising:
- generating, by a first station, a network membership key request;
  
  communicating, via a first network, the network membership key request to an authorization server, the network membership key request including a unique identifier associated with the first station;
  
  receiving a network membership key based, at least in part, on the network membership key request, wherein the network membership key is received in a first encrypted format based, at least in part, upon a device access key, wherein the network membership key is utilized by the first station to indicate the first station is authorized to join or participate as a member of a sub-network coupled to the first network, wherein the sub-network comprises one of an AV sub-cell or a BPL sub-cell;
  
  communicating, by the first station, a network encryption key request , the network encryption key request encrypted utilizing the network membership key; and
  
  receiving a network encryption key in a second encrypted format, wherein the second encrypted format is based, at least in part, upon the network membership key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein generating the network membership key request comprises encrypting the network membership key request using the device access key, the device access key being associated with the first station.
  - 3. The method of claim 1, further comprising generating a network identifier based, at least in part, on the network membership key.
  - 4. The method of claim 1, further comprising:
    - determining that the first station has been compromised; and
      
      in response to determining that the first station has been compromised, communicating a new network encryption key to a second station that has not been compromised using a second network membership key associated with the second station.
  - 5. The method of claim 1, wherein the unique identifier comprises a media access control address associated with the first station.
  - 6. The method of claim 1, wherein the network membership key comprises a randomly generated network membership key.
  - 7. The method of claim 1, further comprisingreceiving, at a subsequent time, a rotated network encryption key, wherein the rotated network encryption key is received in the second encrypted format.
  - 8. The method of claim 1,wherein a plurality of stations receive the network encryption key in an encrypted format based, at least in part, on respective network membership keys associated with each of the plurality of stations, and wherein the first station communicates with the plurality of stations using the network encryption key.
  - 9. The method of claim 1, further comprising:
    - updating a previous counter value to determine an updated counter value;
      
      receiving a rotation message including a new network encryption key and a present counter value, wherein the rotation message is in the second encrypted format; and
      
      comparing the updated counter value to the present counter value to authenticate the new network encryption key.
  - 10. The method of claim 9, further comprising:
    - replacing the network encryption key with the new network encryption key; and
      
      utilizing the new network encryption key for communications with at least two other stations.

11. A method for authorizing a station, the method comprising:
- receiving, via a first network, an encrypted network membership key request from a first station, wherein the encrypted network membership key request is associated with an unencrypted unique identifier;
  
  determining whether the encrypted network membership key request is authentic based, at least in part, upon the unencrypted unique identifier;
  
  encrypting a network membership key using a device access key associated with the first station, wherein the network membership key is utilized by the first station to indicate the first station is authorized to join or participate as a member of a sub-network coupled to the first network, wherein the sub-network comprises one of an AV sub-cell or a BPL sub-cell;
  
  communicating the encrypted network membership key to the first station;
  
  receiving a network encryption key request, the network encryption key request encrypted utilizing a key;
  
  encrypting a network encryption key using the network membership key; and
  
  communicating the encrypted network encryption key to the first station.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein determining whether the encrypted network membership key is authentic comprises:
    - identifying a stored device access key associated with the unencrypted unique identifier;
      
      attempting to decrypt the encrypted network membership key request using the stored device access key; and
      
      authenticating the encrypted network membership key request based, at least in part, on the attempt.
  - 13. The method of claim 11, further comprising generating a network identifier based, at least in part, on the network membership key.
  - 14. The method of claim 11, further comprising:
    - determining that the first station has been compromised; and
      
      in response to determining that the first station has been compromised, communicating a new network encryption key to a second station that has not been compromised using a second network membership key associated with the second station.
  - 15. The method of claim 11, further comprising:
    - in response to determining to send a new network encryption key to the first station,encrypting a rotation message including the new network encryption key and a present counter value, wherein the rotation message is encrypted using the network membership key, andcommunicating the encrypted rotation message to the first station, wherein the encrypted rotation message enables the first station to authenticate the new network encryption key based, at least in part, on comparing the present counter value to an updated counter value.

16. An authentication system comprising:
- a processor; and
  
  a storage medium comprising program instructions that, when executed by the processor, cause the authentication system to;
  
  receive, from a first station via a first network, an encrypted network membership key request;
  
  identify a device access key stored by the authentication system based, at least in part, on an unencrypted unique identifier associated with the encrypted network membership key request;
  
  authenticate the first station based, at least in part, on utilizing the device access key to successfully decrypt the encrypted network membership key request;
  
  encrypt a network membership key for the first station using the device access key, wherein the network membership key is utilized by the first station to indicate the first station is authorized to join or participate as a member of a sub-network coupled to the first network, wherein the sub-network comprises one of an AV sub-cell or a BPL sub-cell;
  
  communicate the encrypted network membership key to the first station based, at least in part, on authenticating the first station;
  
  receive a network encryption key request, the network encryption key request encrypted utilizing the network membership key;
  
  encrypt a network encryption key using the network membership key; and
  
  communicate the encrypted network encryption key to the first station.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The authentication system of claim 16, wherein the first station is a member of the group consisting of a headend unit, a repeater, and a network termination unit.
  - 18. The authentication system of claim 16, further comprising generating a network identifier based, at least in part, on the network membership key.
  - 19. The authentication system of claim 16, wherein the storage medium further comprises program instructions executable by the processor to cause the authentication system to:
    - rotate the network membership key.
  - 20. The authentication system of claim 16, wherein the storage medium further comprises program instructions executable by the processor to cause the authentication system to:
    - rotate the network encryption key; and
      
      communicate the rotated network encryption key to the first station.
  - 21. The authentication system of claim 20,wherein the storage medium further comprises program instructions executable by the processor to cause the authentication system to:
    - include an encrypted counter value with the rotated network encryption key; and
      
      communicate a key rotation message to the first station;
      
      wherein the first station determines whether the rotated network encryption key is authentic based, at least in part, on the encrypted counter value.
  - 22. The authentication system of claim 21,wherein a previous counter value is communicated to the first station prior to communication of the rotated network encryption key;
    - wherein the first station increments the previous counter value to a present counter value, and compares the present counter value to a value obtained after decrypting the encrypted counter value to authenticate the rotated network encryption key.
  - 23. The authentication system of claim 16, wherein the storage medium further comprises program instructions executable by the processor to cause the authentication system to:
    - generate a new network encryption key in response to notification that a second station has been compromised; and
      
      communicate the new network encryption key to the first station using the network membership key.
  - 24. The authentication system of claim 16, wherein the first network comprises a powerline network.
  - 25. The authentication system of claim 16, wherein the storage medium further comprises program instructions executable by the processor to cause the authentication system to:
    - refuse connection to a station in response to determining that the device access key associated with the unencrypted unique identifier of an encrypted network membership key request does not match the device access key used to encrypt the encrypted network membership key request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm Atheros Incorporated (Qualcomm, Inc.)
Original Assignee
Qualcomm, Inc.
Inventors
Yonge, Lawrence W. III, Katar, Srinivas, Krishnam, Manjunath
Primary Examiner(s)
Zele, Krista
Assistant Examiner(s)
FORMAN, JAMES Q

Application Number

US11/970,297
Publication Number

US 20080298594A1
Time in Patent Office

3,263 Days
Field of Search

380/278
US Class Current

1/1
CPC Class Codes

H04B 2203/5445   Local network

H04L 12/2801   Broadband local area networks

H04L 12/2856   Access arrangements, e.g. I...

H04L 12/413   with random access, e.g. ca...

H04L 12/44   Star or tree networks

H04L 45/12   Shortest path evaluation

H04L 45/121   by minimising delays

H04L 45/122   by minimising distances, e....

H04L 45/123   Evaluation of link metrics ...

H04L 45/125   based on throughput or band...

H04L 45/16   Multipoint routing

H04L 47/787   Bandwidth trade among domains

Authorizing stations into a centrally managed network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Authorizing stations into a centrally managed network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links