Method and system for key distribution and authentication in a data communication network
First Claim
Patent Images
1. A method for key distribution and authentication for enabling secure data traffic in a data transmission network wherein remote stations are to be attached to a network manager via at least one base station, said method including for network installation:
- installing a common hidden key Km and a unique individual identifier UA in each station to be used in the network;
installing a first base station, said installation including;
generating, in said network manager, a preliminary key K1 and installing said K1 key in said first base station;
using said preliminary key installation to trigger the selection, within said first base station, of a network key Knet and of a derived backbone key Kb, therefrom;
forwarding said Kb to the network manager andstoring said Kb therein;
optionally installing "another" base station, said another base installation including;
reading the said another base station identifier UA;
forwarding said another base station identifier UA to said network manager;
said network manager searching an installed base station and providing said installed base station with said another base station identifier UA;
computing within said installed base station a parameter Knet'"'"' as a predefined logic function of Knet, Km and said another base station identifier UA;
providing said another base station with said Knet'"'"';
said another optional base station extracting said network key Knet from said Knet'"'"' based on the knowledge of said predefined logic function and storing said network key within said another base station;
deriving Kb from Knet in the new base station;
installing a remote station, said remote station installation including;
reading said remote station identifier UA;
choosing a "name" for said remote station;
providing both said remote station identifier UAand said name to said network manager;
said network manager searching an installed base station and providing said installed base station with said remote station identifier UA and said chosen name;
encrypting within said installed base station, said name with said network key Knet, and computing a name'"'"' parameter as a predefined logic function of encrypted name, Km and said remote station identifier UA;
providing said name'"'"' to said remote station, said remote station deriving the encrypted name therefrom, based on the knowledge of said predefined function, and storing said encrypted name into said remote station.
1 Assignment
0 Petitions
Accused Products
Abstract
This invention deals with a safe key distribution and authentication in a data communication network (e.g. wireless LAN type of network).
The network includes a network manager to which are connected, via a LAN wired circuit, one or more base stations. Individual remote stations are, in turn, wirelessly connected to an installed base station.
One essential function for achieving security in such a network, is a mechanism to reliably authenticate the exchanges of data between communicating parties. This involves the establishment of session keys, which keys need to be distributed safely to the network components. An original and safe method is provided with this invention for key distribution and authentication during network installation, said method including using the first installed base station for generating a network key and a backbone key, and then using said first installed base station for subsequent remote station or additional base station installations while avoiding communicating said network key.
128 Citations
9 Claims
-
1. A method for key distribution and authentication for enabling secure data traffic in a data transmission network wherein remote stations are to be attached to a network manager via at least one base station, said method including for network installation:
-
installing a common hidden key Km and a unique individual identifier UA in each station to be used in the network; installing a first base station, said installation including; generating, in said network manager, a preliminary key K1 and installing said K1 key in said first base station; using said preliminary key installation to trigger the selection, within said first base station, of a network key Knet and of a derived backbone key Kb, therefrom; forwarding said Kb to the network manager and storing said Kb therein; optionally installing "another" base station, said another base installation including; reading the said another base station identifier UA; forwarding said another base station identifier UA to said network manager; said network manager searching an installed base station and providing said installed base station with said another base station identifier UA; computing within said installed base station a parameter Knet'"'"' as a predefined logic function of Knet, Km and said another base station identifier UA; providing said another base station with said Knet'"'"'; said another optional base station extracting said network key Knet from said Knet'"'"' based on the knowledge of said predefined logic function and storing said network key within said another base station; deriving Kb from Knet in the new base station; installing a remote station, said remote station installation including; reading said remote station identifier UA; choosing a "name" for said remote station; providing both said remote station identifier UA and said name to said network manager; said network manager searching an installed base station and providing said installed base station with said remote station identifier UA and said chosen name; encrypting within said installed base station, said name with said network key Knet, and computing a name'"'"' parameter as a predefined logic function of encrypted name, Km and said remote station identifier UA; providing said name'"'"' to said remote station, said remote station deriving the encrypted name therefrom, based on the knowledge of said predefined function, and storing said encrypted name into said remote station. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A system for key distribution and authentication for enabling secure data traffic in a so-called wireless LAN network wherein remote mobile stations are to be connected through wireless links to a so-called network or wireless manager, via so-called base stations connected to said network manager via a backbone network including a wired LAN, said system being characterized in that it includes:
-
read-only storage means within each mobile station and base station adapter unit, with a common hidden key Km and an individual identifier UA stored therein during manufacturing; means for installing a first base station, said means for installing a first base station including; a random generator for generating within said network manager adapter, a random preliminary key K1; means for forwarding K1 to said first base station adapter; means, within said first base adapter, triggered by said K1 key for generating a random network key Knet, and for deriving a Kb parameter therefrom; means, within said base station for encrypting Kb with the K1 key, for embedding said encrypted Kb within base authentication parameters known to both the base station and the network manager, and for transmitting said encrypted Kb and authentication parameters to said network manager; and
,means, within said network manager for extracting and storing Kb after authenticating the originating base station, and subsequently installing any remote station or any additional or so-called "another" base station by using means for addressing the already installed base station for computing therein a predefined function of, inter alia, network key Knet, and for forwarding the so computed data to the network manager and said any remote station or said "another" base station.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsWetterwald, Michele M., Bjorklund, Ronald E., Bauchot, Frederic, Herzberg, Amir, Kutten, Shay
-
Primary Examiner(s)Barron, Jr., Gilberto
-
Application NumberUS08/348,656Time in Patent Office599 DaysField of Search380/21, 380/23, 380/25, 380/30US Class Current380/249CPC Class CodesH04L 2209/80 Wireless network architectu...H04L 9/0836 using tree structure or hie...H04L 9/321 involving a third party or ...
