Exclusive preshared key authentication

US 9,674,892 B1
Filed: 06/16/2009
Issued: 06/06/2017
Est. Priority Date: 11/04/2008
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium including instructions adapted to direct a computer to perform an operation, the operation comprising:

receiving at an access point (AP) a parameter including a secret shared by the AP and a server, and derived by the server from user credentials;

generating at the AP a set of cryptographic keys such that at least one cryptographic key in the set is generated as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;

initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;

receiving at the AP a first message from the client device, wherein the first message includes a client cryptographic checksum based on at least the client cryptographic key and data included in the first message;

selecting at the AP a candidate cryptographic key from the set of cryptographic keys;

determining a validation cryptographic checksum based on at least the candidate cryptographic key and data included in the first message received from the client device;

determining if the candidate cryptographic key matches the client cryptographic key by comparing the validation cryptographic checksum with the client cryptographic checksum and indicating that the candidate cryptographic key matches the client cryptographic key if the validation cryptographic checksum matches the client cryptographic checksum;

in response to the determination that the candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the selected candidate cryptographic key; and

in response to the determination that the candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Preshared keys are assigned to client devices, users, or user groups. The set of valid preshared keys or keys derived therefrom is distributed to network devices such as wireless access points. A client device attempts to establish a secure network connection with a network device using its assigned preshared key. A network device identifies the client device'"'"'s preshared key by selecting a candidate key from its set of valid preshared keys. The network device determines a validation cryptographic checksum based on the selected candidate key. If the validation cryptographic checksum matches the client'"'"'s cryptographic checksum, the network device establishes a secure network connection with the client device using this candidate key. If the validation cryptographic checksum does not match the cryptographic checksum provided by the client device, the network device repeats this comparison using different candidate keys selected from its set of valid preshared keys until a match is found.

Citations

21 Claims

1. A non-transitory computer-readable medium including instructions adapted to direct a computer to perform an operation, the operation comprising:
- receiving at an access point (AP) a parameter including a secret shared by the AP and a server, and derived by the server from user credentials;
  
  generating at the AP a set of cryptographic keys such that at least one cryptographic key in the set is generated as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;
  
  initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;
  
  receiving at the AP a first message from the client device, wherein the first message includes a client cryptographic checksum based on at least the client cryptographic key and data included in the first message;
  
  selecting at the AP a candidate cryptographic key from the set of cryptographic keys;
  
  determining a validation cryptographic checksum based on at least the candidate cryptographic key and data included in the first message received from the client device;
  
  determining if the candidate cryptographic key matches the client cryptographic key by comparing the validation cryptographic checksum with the client cryptographic checksum and indicating that the candidate cryptographic key matches the client cryptographic key if the validation cryptographic checksum matches the client cryptographic checksum;
  
  in response to the determination that the candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the selected candidate cryptographic key; and
  
  in response to the determination that the candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the client device identifier includes a MAC address.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the client device identifier includes a user name.
  - 4. The non-transitory computer-readable medium of claim 1, wherein selecting the candidate cryptographic key from the set of cryptographic keys comprises:
    - determining a client identifier associated with the client device;
      
      searching the roaming cache for the client identifier;
      
      in response to the roaming cache including the client identifier, selecting a cryptographic key associated by the roaming cache with the client identifier as the candidate cryptographic key; and
      
      in response to the roaming cache not including the client identifier, selecting the candidate cryptographic key from a subset of valid cryptographic keys of the set of cryptographic keys.
  - 5. The non-transitory computer-readable medium of claim 1, wherein the candidate cryptographic key is a second cryptographic key, the operation comprising, prior to selecting the second cryptographic key, repeating one or more times:
    - selecting a first candidate cryptographic key from the set of cryptographic keys;
      
      determining that the first candidate cryptographic key does not match the client cryptographic key.
  - 6. The non-transitory computer-readable medium of claim 1, wherein establishing the secure network connection comprises:
    - sending at least a second message to the client device including a portion encrypted using the selected candidate cryptographic key.
  - 7. The non-transitory computer-readable medium of claim 1, wherein the set of cryptographic keys comprises derived keys determined from the preshared keys and including at least a first derived key determined from the preshared key previously provided to the client device.
  - 8. The non-transitory computer-readable medium of claim 1, wherein the client cryptographic key is associated only with the client device.
  - 9. The non-transitory computer-readable medium of claim 1, wherein the client cryptographic key is associated only with a user of the client device.
  - 10. The non-transitory computer-readable medium of claim 1, wherein the client cryptographic key is associated only with a group of users of client devices including a first user of the client device.
  - 11. The non-transitory computer-readable medium of claim 1, the operation further comprising:
    - receiving at the AP an algorithm for generating the set of cryptographic keys.
  - 12. The non-transitory computer-readable medium of claim 11, wherein the algorithm is received from a network device management application.
  - 13. The non-transitory computer-readable medium of claim 1, wherein establishing the secure network connection with the client device comprises:
    - providing user credentials associated with the selected candidate cryptographic key to an authentication server;
      
      receiving an authentication response from the authentication server;
      
      in response to the authentication response including an indicator of successful authentication, completing the initiation of the secure network connection with the client device; and
      
      in response to the authentication response not including an indicator of successful authentication, rejecting the initiation of the secure network connection with the client device.
  - 14. The non-transitory computer-readable medium of claim 1, the operation further comprising:
    - sending a second message to an accounting server upon completion of the establishment of the secure connection with the client device, wherein the second message is adapted to initiate usage tracking of the secure connection with the client device.
  - 15. The non-transitory computer-readable medium of claim 1, wherein establishing the secure network connection with the client device includes using a handshake protocol of a secure communications standard.
  - 16. The non-transitory computer-readable medium of claim 1, wherein the computer-readable medium includes a firmware image adapted to be stored in a memory of a wireless network interface device.

17. A system comprising:
- a means for receiving at an access point (AP) a parameter including a secret shared by the AP and a server, and derived by the server from user credentials;
  
  a means for generating at the AP a set of cryptographic keys such that at least one cryptographic key in the set is generated as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;
  
  a means for initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;
  
  a means for receiving at the AP a message from the client device, wherein the message includes a client cryptographic checksum based on at least the client cryptographic key and data included in the message;
  
  a means for selecting at the AP a candidate cryptographic key from the set of cryptographic keys;
  
  a mean for determining a validation cryptographic checksum based on at least the candidate cryptographic key and data included in the message received from the client device;
  
  a means for determining if the candidate cryptographic key matches the client cryptographic key by comparing the validation cryptographic checksum with the client cryptographic checksum and indicating that the candidate cryptographic key matches the client cryptographic key if the validation cryptographic checksum matches the client cryptographic checksum;
  
  a means for, in response to the determination that the candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the selected candidate cryptographic key; and
  
  a means for, in response to the determination that the candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.

18. A method comprising:
- receiving at an access point (AP) a parameter including a secret shared by the AP and a server, and derived by the server from user credentials;
  
  generating at the AP a set of cryptographic keys such that at least one cryptographic key in the set is generated as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;
  
  initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;
  
  receiving at the AP a message from the client device, wherein the message includes a client cryptographic checksum based on at least the client cryptographic key and data included in the message;
  
  selecting at the AP a candidate cryptographic key from the set of cryptographic keys;
  
  determining a validation cryptographic checksum based on at least the candidate cryptographic key and data included in the message received from the client device;
  
  determining if the candidate cryptographic key matches the client cryptographic key by comparing the validation cryptographic checksum with the client cryptographic checksum and indicating that the candidate cryptographic key matches the client cryptographic key if the validation cryptographic checksum matches the client cryptographic checksum;
  
  in response to the determination that the candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the selected candidate cryptographic key; and
  
  in response to the determination that the candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.

19. A non-transitory computer-readable medium including instructions adapted to direct a computer to perform an operation, the operation comprising:
- receiving at an access point (AP) a secret shared by the AP and a RADIUS server and derived by the RADIUS server from user credentials;
  
  generating at the AP a set of cryptographic keys as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;
  
  initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;
  
  receiving at the AP a message from the client device, wherein the message includes a client cryptographic checksum based on at least the client cryptographic key and on data included in the message;
  
  selecting at the AP a candidate cryptographic key from the set of cryptographic keys;
  
  determining a validation cryptographic checksum based on at least the candidate cryptographic key and data included in the message received from the client device;
  
  determining if the candidate cryptographic key matches the client cryptographic key by comparing the validation cryptographic checksum with the client cryptographic checksum and indicating that the candidate cryptographic key matches the client cryptographic key if the validation cryptographic checksum matches the client cryptographic checksum;
  
  in response to the determination that the candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the selected candidate cryptographic key; and
  
  in response to the determination that the candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.

20. A non-transitory computer-readable medium including instructions adapted to direct a computer to perform an operation, the operation comprising:
- receiving at an access point (AP) a secret shared by the AP and a RADIUS server and derived by the RADIUS server from user credentials;
  
  generating at the AP a set of cryptographic keys as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;
  
  initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;
  
  receiving at the AP a message from the client device, wherein the message includes a client cryptographic checksum based on at least the client cryptographic key and on data included in the message;
  
  selecting at the AP a first candidate cryptographic key from the set of cryptographic keys;
  
  determining a first validation cryptographic checksum based on at least the first candidate cryptographic key and data included in the message received from the client device;
  
  determining if the first candidate cryptographic key matches the client cryptographic key by comparing the first validation cryptographic checksum with the client cryptographic checksum and indicating that the first candidate cryptographic key matches the client cryptographic key if the validation cryptographic checksum matching the client cryptographic checksum; and
  
  in response to the determination that the first candidate cryptographic key does not match the client cryptographic key;
  
  selecting at the AP a second candidate cryptographic key from the set of cryptographic keys;
  
  determining a second validation cryptographic checksum based on at least the second candidate cryptographic key and data included in the message received from the client device;
  
  determining if the second candidate cryptographic key matches the client cryptographic key by comparing the second validation cryptographic checksum with the client cryptographic checksum and indicating that the second candidate cryptographic key matches the client cryptographic key if the second validation cryptographic checksum matches the client cryptographic checksum;
  
  in response to the determination that the second candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the second candidate cryptographic key;
  
  in response to the determination that the second candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the second candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.

21. A non-transitory computer-readable medium including instructions adapted to direct a computer to perform an operation, the operation comprising:
- receiving at an access point (AP) a secret shared by the AP and a network management server and derived by the network management server from user credentials;
  
  generating at the AP a set of cryptographic keys as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;
  
  initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;
  
  receiving at the AP a message from the client device, wherein the message includes a client cryptographic checksum based on at least the client cryptographic key and on data included in the message;
  
  selecting at the AP a first candidate cryptographic key from the set of cryptographic keys;
  
  determining a first validation cryptographic checksum based on at least the first candidate cryptographic key and data included in the message received from the client device;
  
  determining if the first candidate cryptographic key matches the client cryptographic key by comparing the first validation cryptographic checksum with the client cryptographic checksum and indicating that the first candidate cryptographic key matches the client cryptographic key if the validation cryptographic checksum matching the client cryptographic checksum; and
  
  in response to the determination that the first candidate cryptographic key does not match the client cryptographic key;
  
  selecting at the AP a second candidate cryptographic key from the set of cryptographic keys;
  
  determining a second validation cryptographic checksum based on at least the second candidate cryptographic key and data included in the message received from the client device;
  
  determining if the second candidate cryptographic key matches the client cryptographic key by comparing the second validation cryptographic checksum with the client cryptographic checksum and indicating that the second candidate cryptographic key matches the client cryptographic key if the second validation cryptographic checksum matches the client cryptographic checksum;
  
  in response to the determination that the second candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the second candidate cryptographic key;
  
  in response to the determination that the second candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the second candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Extreme Networks, Inc.
Original Assignee
Aerohive Networks Incorporated (Extreme Networks, Inc.)
Inventors
Li, Mingliang, Liu, Changming
Primary Examiner(s)
GEORGANDELLIS, ANDREW C

Application Number

US12/485,041
Time in Patent Office

2,912 Days
Field of Search

713176
US Class Current
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/0428   wherein the data content is...

H04L 63/104   Grouping of entities

H04L 63/123   received data contents, e.g...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/082   using revocation of authori...

H04W 12/50   Secure pairing of devices

H04W 88/08   Access point devices

Exclusive preshared key authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Exclusive preshared key authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links