Exclusive preshared key authentication
First Claim
1. A non-transitory computer-readable medium including instructions adapted to direct a computer to perform an operation, the operation comprising:
receiving at an access point (AP) a parameter including a secret shared by the AP and a server, and derived by the server from user credentials;
generating at the AP a set of cryptographic keys such that at least one cryptographic key in the set is generated as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;
initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;
receiving at the AP a first message from the client device, wherein the first message includes a client cryptographic checksum based on at least the client cryptographic key and data included in the first message;
selecting at the AP a candidate cryptographic key from the set of cryptographic keys;
determining a validation cryptographic checksum based on at least the candidate cryptographic key and data included in the first message received from the client device;
determining if the candidate cryptographic key matches the client cryptographic key by comparing the validation cryptographic checksum with the client cryptographic checksum and indicating that the candidate cryptographic key matches the client cryptographic key if the validation cryptographic checksum matches the client cryptographic checksum;
in response to the determination that the candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the selected candidate cryptographic key; and
in response to the determination that the candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.
Abstract
Preshared keys are assigned to client devices, users, or user groups. The set of valid preshared keys or keys derived therefrom is distributed to network devices such as wireless access points. A client device attempts to establish a secure network connection with a network device using its assigned preshared key. A network device identifies the client device's preshared key by selecting a candidate key from its set of valid preshared keys. The network device determines a validation cryptographic checksum based on the selected candidate key. If the validation cryptographic checksum matches the client's cryptographic checksum, the network device establishes a secure network connection with the client device using this candidate key. If the validation cryptographic checksum does not match the cryptographic checksum provided by the client device, the network device repeats this comparison using different candidate keys selected from its set of valid preshared keys until a match is found.
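The candidate-key search that the abstract and the claims describe, modelled as an added Python example that is not code from the patent or from any product: keys derived from the server-supplied secret, each preshared key bound to a fixed set of client identifiers, candidate keys tried in turn against the client's checksum, and a roaming cache shared by two access points so that the second AP matches a roaming client on its first candidate. The secret, group labels, client identifiers and message bytes are constructed sample values, and HMAC-SHA256 stands in for the handshake checksum.

```python
import hashlib
import hmac
from dataclasses import dataclass


def derive_keys(secret: bytes, group_labels) -> dict:
    """Build the AP's key set; every PSK is a function of the server-provided secret."""
    return {g: hmac.new(secret, b"psk:" + g.encode(), hashlib.sha256).digest()
            for g in group_labels}


def checksum(key: bytes, message: bytes) -> bytes:
    """Cryptographic checksum over message data (HMAC-SHA256 stands in for the handshake MIC)."""
    return hmac.new(key, message, hashlib.sha256).digest()


@dataclass
class AccessPoint:
    keys: dict            # group label -> preshared key
    bound_devices: dict   # group label -> set of client identifiers the PSK is exclusive to
    roaming_cache: dict   # shared across APs: client identifier -> group label

    def identify_key(self, client_id: str, message: bytes, client_checksum: bytes):
        """Return the label of the matching candidate key, or None if no valid key matches."""
        # Try a cached association first so a roaming client is matched on the first candidate.
        cached = self.roaming_cache.get(client_id)
        candidates = [g for g in self.keys if g == cached] + [g for g in self.keys if g != cached]
        for label in candidates:
            expected = checksum(self.keys[label], message)
            if not hmac.compare_digest(expected, client_checksum):
                continue  # validation checksum mismatch: select the next candidate key
            if client_id not in self.bound_devices[label]:
                return None  # key matches but is not assigned to this device: exclusive PSK refused
            self.roaming_cache[client_id] = label
            return label
        return None


def build_demo():
    """Constructed sample deployment: two APs sharing one secret and one roaming cache."""
    secret = b"constructed-secret-derived-from-user-credentials"  # stands in for the server's value
    groups = ["staff", "guests"]
    bound = {"staff": {"02:00:00:00:00:01", "02:00:00:00:00:02"},
             "guests": {"02:00:00:00:00:03"}}
    cache = {}
    ap1 = AccessPoint(derive_keys(secret, groups), bound, cache)
    ap2 = AccessPoint(derive_keys(secret, groups), bound, cache)
    return ap1, ap2, cache


if __name__ == "__main__":
    ap1, ap2, cache = build_demo()
    msg = b"constructed handshake message body"
    print(ap1.identify_key("02:00:00:00:00:03", msg, checksum(ap1.keys["guests"], msg)))
```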
21 Claims
1. Independent claim, reproduced above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A system comprising:
a means for receiving at an access point (AP) a parameter including a secret shared by the AP and a server, and derived by the server from user credentials;
a means for generating at the AP a set of cryptographic keys such that at least one cryptographic key in the set is generated as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;
a means for initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;
a means for receiving at the AP a message from the client device, wherein the message includes a client cryptographic checksum based on at least the client cryptographic key and data included in the message;
a means for selecting at the AP a candidate cryptographic key from the set of cryptographic keys;
a means for determining a validation cryptographic checksum based on at least the candidate cryptographic key and data included in the message received from the client device;
a means for determining if the candidate cryptographic key matches the client cryptographic key by comparing the validation cryptographic checksum with the client cryptographic checksum and indicating that the candidate cryptographic key matches the client cryptographic key if the validation cryptographic checksum matches the client cryptographic checksum;
a means for, in response to the determination that the candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the selected candidate cryptographic key; and
a means for, in response to the determination that the candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.

18. A method comprising:
receiving at an access point (AP) a parameter including a secret shared by the AP and a server, and derived by the server from user credentials;
generating at the AP a set of cryptographic keys such that at least one cryptographic key in the set is generated as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;
initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;
receiving at the AP a message from the client device, wherein the message includes a client cryptographic checksum based on at least the client cryptographic key and data included in the message;
selecting at the AP a candidate cryptographic key from the set of cryptographic keys;
determining a validation cryptographic checksum based on at least the candidate cryptographic key and data included in the message received from the client device;
determining if the candidate cryptographic key matches the client cryptographic key by comparing the validation cryptographic checksum with the client cryptographic checksum and indicating that the candidate cryptographic key matches the client cryptographic key if the validation cryptographic checksum matches the client cryptographic checksum;
in response to the determination that the candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the selected candidate cryptographic key; and
in response to the determination that the candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.

19. A non-transitory computer-readable medium including instructions adapted to direct a computer to perform an operation, the operation comprising:
receiving at an access point (AP) a secret shared by the AP and a RADIUS server and derived by the RADIUS server from user credentials;
generating at the AP a set of cryptographic keys as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;
initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;
receiving at the AP a message from the client device, wherein the message includes a client cryptographic checksum based on at least the client cryptographic key and on data included in the message;
selecting at the AP a candidate cryptographic key from the set of cryptographic keys;
determining a validation cryptographic checksum based on at least the candidate cryptographic key and data included in the message received from the client device;
determining if the candidate cryptographic key matches the client cryptographic key by comparing the validation cryptographic checksum with the client cryptographic checksum and indicating that the candidate cryptographic key matches the client cryptographic key if the validation cryptographic checksum matches the client cryptographic checksum;
in response to the determination that the candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the selected candidate cryptographic key; and
in response to the determination that the candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.

20. A non-transitory computer-readable medium including instructions adapted to direct a computer to perform an operation, the operation comprising:
receiving at an access point (AP) a secret shared by the AP and a RADIUS server and derived by the RADIUS server from user credentials;
generating at the AP a set of cryptographic keys as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;
initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;
receiving at the AP a message from the client device, wherein the message includes a client cryptographic checksum based on at least the client cryptographic key and on data included in the message;
selecting at the AP a first candidate cryptographic key from the set of cryptographic keys;
determining a first validation cryptographic checksum based on at least the first candidate cryptographic key and data included in the message received from the client device;
determining if the first candidate cryptographic key matches the client cryptographic key by comparing the first validation cryptographic checksum with the client cryptographic checksum and indicating that the first candidate cryptographic key matches the client cryptographic key if the first validation cryptographic checksum matches the client cryptographic checksum; and
in response to the determination that the first candidate cryptographic key does not match the client cryptographic key:
selecting at the AP a second candidate cryptographic key from the set of cryptographic keys;
determining a second validation cryptographic checksum based on at least the second candidate cryptographic key and data included in the message received from the client device;
determining if the second candidate cryptographic key matches the client cryptographic key by comparing the second validation cryptographic checksum with the client cryptographic checksum and indicating that the second candidate cryptographic key matches the client cryptographic key if the second validation cryptographic checksum matches the client cryptographic checksum;
in response to the determination that the second candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the second candidate cryptographic key;
in response to the determination that the second candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the second candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.

21. A non-transitory computer-readable medium including instructions adapted to direct a computer to perform an operation, the operation comprising:
receiving at an access point (AP) a secret shared by the AP and a network management server and derived by the network management server from user credentials;
generating at the AP a set of cryptographic keys as a function of the secret, the set of cryptographic keys comprises preshared keys including a preshared key provided to a client device, the preshared key uniquely associated with a specific plurality of client devices including the client device by being uniquely associated with client device identifiers of the specific plurality of client devices to prevent the preshared key from being used with arbitrary client devices;
initiating at the AP a secure network connection with the client device, wherein the client device includes a network configuration based on a client cryptographic key;
receiving at the AP a message from the client device, wherein the message includes a client cryptographic checksum based on at least the client cryptographic key and on data included in the message;
selecting at the AP a first candidate cryptographic key from the set of cryptographic keys;
determining a first validation cryptographic checksum based on at least the first candidate cryptographic key and data included in the message received from the client device;
determining if the first candidate cryptographic key matches the client cryptographic key by comparing the first validation cryptographic checksum with the client cryptographic checksum and indicating that the first candidate cryptographic key matches the client cryptographic key if the first validation cryptographic checksum matches the client cryptographic checksum; and
in response to the determination that the first candidate cryptographic key does not match the client cryptographic key:
selecting at the AP a second candidate cryptographic key from the set of cryptographic keys;
determining a second validation cryptographic checksum based on at least the second candidate cryptographic key and data included in the message received from the client device;
determining if the second candidate cryptographic key matches the client cryptographic key by comparing the second validation cryptographic checksum with the client cryptographic checksum and indicating that the second candidate cryptographic key matches the client cryptographic key if the second validation cryptographic checksum matches the client cryptographic checksum;
in response to the determination that the second candidate cryptographic key matches the client cryptographic key, establishing the secure network connection with the client device using the second candidate cryptographic key;
in response to the determination that the second candidate cryptographic key matches the client cryptographic key, associating a client device identifier with the second candidate cryptographic key in a roaming cache that is accessible to the AP and at least one other access point not connected with the client device.

Specification