Method and system for pre-authentication

US 20060013398A1
Filed: 07/15/2004
Published: 01/19/2006
Est. Priority Date: 07/15/2004
Status: Active Grant

First Claim

Patent Images

1. A method for roaming from a parent access point to a neighboring access point by a wireless station, comprising:

sending a rekey request, the rekey request comprises an incremented rekey number;

receiving a rekey response, the rekey response comprises the incremented rekey number;

sending a reassociation request to the neighboring access point, the reassociation request comprising the incremented rekey number; and

receiving a reassociation response from the neighboring access point.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A wireless station prepares to roam by pre-authenticating itself with a neighboring access point. The wireless station sends a rekey request, which can include an incremented rekey number. The wireless station receives a rekey response. The rekey response can include the incremented rekey number. Because the wireless station is pre-authenticated, after it roams it only needs to perform a two-way handshake with a new access point to establish secure communications with the new access point. The two-way handshake starts by the wireless station sending a reassociation request to the neighboring access point, the reassociation request comprising the incremented rekey number established during pre-authentication. The wireless station receives a reassociation response from the neighboring access point. To protect against replay attacks, the neighboring access point can verify the rekey number sent in the reassociation request matches the rekey number sent in the rekey response.

45 Citations

View as Search Results

32 Claims

1. A method for roaming from a parent access point to a neighboring access point by a wireless station, comprising:
- sending a rekey request, the rekey request comprises an incremented rekey number;
  
  receiving a rekey response, the rekey response comprises the incremented rekey number;
  
  sending a reassociation request to the neighboring access point, the reassociation request comprising the incremented rekey number; and
  
  receiving a reassociation response from the neighboring access point.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, further comprising detecting the neighboring access point.
  - 3. The method of claim 1, further comprising selecting the neighboring access point from a plurality of access points.
  - 4. The method of claim 1, further comprising incrementing the rekey number after establishing a new secure session with the neighboring access point.
  - 5. The method of claim 1, further comprising determining a set of neighboring access points by at least one of monitoring beacon frames, monitoring probe frames and receiving a list of neighboring access points from the parent access point.
  - 6. The method of claim 1, further comprising:
    - comparing the rekey number sent with the reassociation request with the incremented rekey number sent with the rekey request; and
      
      sending the reassociation response when the rekey number, sent during the sending a reassociation request, if the rekey number matches the incremented rekey number sent during the rekey request.
  - 7. The method of claim 1, further comprising:
    - requesting a context server to transfer context information to the neighboring access point while the wireless station is still associated with the parent access point.
  - 8. The method of claim 1, further sending a rekey request further comprises:
    - sending the rekey request to the parent access point wherein the rekey request further comprises the basic service set identifier of the neighboring access point.
  - 9. The method of claim 8, the sending a rekey request further comprising:
    - forwarding the rekey request from the parent access point to an authentication server;
      
      authenticating the rekey request by the authentication server; and
      
      sending a context request message to the neighboring access point;
      
      wherein the context request messages comprises the incremented rekey number.
  - 10. The method of claim 9, the receiving a rekey response further comprising:
    - creating a rekey response by the neighbor access point, the rekey response comprising a one time ticket that is encrypted and authenticated with a secret key known only by the neighbor access point, the one time ticket containing the rekey number, an authenticator value, and the 802.11 address of the wireless station;
      
      sending the rekey response to the parent access point via the authentication server; and
      
      sending the rekey response to the wireless station by the parent access point.
  - 11. The method of claim 10, the sending a reassociation request by the wireless station to the neighboring access point further comprising:
    - receiving the reassocation request having the one time ticket by the neighbor access point;
      
      the neighboring access point decrypting and authenticating the reassociation request one time ticket with the secret key; and
      
      verifying the incremented rekey value matches the incremented rekey value sent in the rekey request.
  - 12. The method in claim 9 further comprising registering a plurality of access points in a wireless domain with an authentication server for the wireless domain, the registration information provided by each access point includes access point identifiers, a wireless station includes at least one of the registered identifiers for the neighboring access point in the rekey request, and the authentication server identifies the neighboring access point by the identifier included in the rekey request.
  - 13. The method in claim 12 further comprising each access point in the wireless domain establishing a secret key with the authentication server, wherein the secret key is known only by the access point and the authentication server.
  - 14. The method as in claim 13 wherein rekey messages exchanged by the authentication server and the parent access point are authenticated with the secret key shared by the parent access point and the authentication server.
  - 15. The method as in claim 13 wherein context messages exchanged by the authentication server and the neighboring access point are authenticated with the secret key shared by the neighboring access point and the authentication server.
  - 16. The method as in claim 12 further comprising a method where the neighboring access point identifier contained in a rekey request generated by a wireless station is an 802.11 Basic Service Set Identifier (BSSID) of the neighboring access point.
  - 17. The method as in claim 9 further wherein the parent access point and the neighbor access point are on different Internet Protocol (IP) subnets, the further comprising relaying pre-authentication information between the access points on different subnets by an intermediate authentication server.
  - 18. The methods as in claim 17, wherein the registration information provided by each access point includes an IP address.
  - 19. The method as in claim 7, further comprising a wireless station requesting that context information is forwarded to at least one neighboring access points of a the wireless station'"'"'s parent access point, while the wireless station is still associated with the parent access point.
  - 20. The method as in claim 19, wherein the set of neighboring access points is restricted to those access points to which the wireless station has an acceptable communications link.
  - 21. The method of claim 1, wherein the rekey request is sent to the neighboring access point and includes the basic service set identifier of the neighboring access point, the method further comprising;
    - receiving the rekey request by the neighboring access point;
      
      sending a pre-registration request to an authentication server by the neighboring access point;
      
      receiving a pre-registration reply from the authentication server by the neighboring access point, the pre-registration reply including the incremented rekey number.
  - 22. The method of claim 21, the receiving a rekey response further comprising:
    - creating a rekey response by the neighbor access point, the rekey response comprising a one time ticket that is encrypted and authenticated with a secret key known only by the neighbor access point, the one time ticket containing the rekey number, an authenticator value, and the 802.11 address of the wireless station;
      
      sending the rekey response to the parent access point via the authentication server; and
      
      sending the rekey response to the wireless station by the parent access point.
  - 23. The method of claim 22, the sending a reassociation request further comprising:
    - receiving the reassocation request having the one time ticket by the neighbor access point;
      
      decrypting and authenticating the reassociation request one time ticket with the secret key; and
      
      verifying the incremented rekey value matches the incremented rekey value sent in the rekey request.

24. A system comprising:
- an authentication server, the authentication server configured to maintain rekey data for a wireless station;
  
  a parent access point; and
  
  a neighboring access point;
  
  wherein the wireless station is assigned to the parent access point and can communicate with the neighboring access, the wireless station configured to send a rekey request, the rekey request comprising an incremented rekey number;
  
  wherein the rekey request is received by one of the parent access point and the neighboring access point, and the rekey request is forwarded to the authentication server for authentication by comparing he incremented rekey number with the rekey data;
  
  wherein the neighboring access point is responsive to the authentication server to create a rekey response, the rekey response comprises the incremented rekey number, the rekey response being sent to the wireless station via the authentication server and the parent access point;
  
  wherein the wireless station is further configured to send a reassociation request to the neighboring access point, the reassociation request containing the rekey number; and
  
  wherein the neighboring access point is further configured to receive the reassociation request, verify the reassociation request contains the incremented rekey number and to send a reassociation response.
- View Dependent Claims (25, 26, 27)
- - 25. The system of claim 24, wherein the wireless station is configured to select the neighboring access point from a plurality of access points.
  - 26. The system of claim 24, further comprising:
    - the wireless station adapted to determine a set of neighboring access points by at least one of monitoring beacon frames, monitoring probe frames and receiving a list of neighboring access points from the parent access point.
  - 27. The system of claim 24, further comprising:
    - the neighboring access point further configured to compare the incremented rekey number sent during the sending the reassociation request with the incremented rekey number sent during the rekey request;
      
      the neighboring access point further configured to send the reassociation response when the incremented rekey number sent during the sending a reassociation request matches the incremented rekey number sent during the rekey request; and
      
      the neighboring access point further configured to forward the reassociation request to the authentication server when the rekey number sent during the reassociation request does not match the incremented rekey number sent during the rekey request.

28. A wireless station, comprising means for communicating with a parent access point;
- means for detecting a neighboring access point;
  
  means for pre-authenticating with the neighboring access point by sending a rekey message directed to the neighboring access point, the rekey message containing an incremented rekey number;
  
  means for receiving a rekey response that contains the incremented rekey number;
  
  means for sending a reassociation request to the neighboring access point, the reassociation request comprising the incremented rekey number; and
  
  means for receiving a reassociation response from the neighboring access point.
- View Dependent Claims (29, 30)
- - 29. The wireless station of claim 28, wherein the means for pre-authenticating sends the rekey message to one of the group consisting of the parent access point and the neighboring access point.
  - 30. The method of claim 28, further comprising means for selecting the neighboring access point from a plurality of access points.

31. An access point, comprising:
- a first transceiver for communicating with a wireless station;
  
  a second transceiver for communicating with an authentication server; and
  
  wherein the access point is responsive to a pre-authentication request containing a rekey number to generate a one time ticket which is encrypted and authenticated with a key known only by the neighboring access point, the one time ticket comprising the rekey number and the 802.11 address of the wireless station, and to send the one way ticket via the second transceiver to the authentication server; and
  
  wherein the access point is configured to receiving a reassociation request from the wireless station via the first transceiver and comparing a rekey number from the reassociation request with the rekey number from the pre-authentication request and responsive to sending a reassociation response when the rekey number from the reassociation request matches the rekey number from the pre-authentication request.
- View Dependent Claims (32)
- - 32. The access point of claim 31 wherein the pre-authentication request is received from one of the group consisting the wireless station and a the authentication server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Meier, Robert C., Cam Winget, Nancy, Halasz, David E.

Granted Patent

US 7,451,316 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/273
CPC Class Codes

H04L 2463/061   applying further key deriva...

H04L 63/067   using one-time keys cryptog...

H04L 63/1466   Active attacks involving in...

H04W 12/04   Key management, e.g. using ...

H04W 12/062   Pre-authentication

H04W 36/0038   of security context informa...

H04W 80/04   Network layer protocols, e....

H04W 84/12   WLAN [Wireless Local Area N...

Method and system for pre-authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for pre-authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links