Wireless security system and method

US 7,373,508 B1
Filed: 06/04/2002
Issued: 05/13/2008
Est. Priority Date: 06/04/2002
Status: Active Grant

First Claim

Patent Images

1. A method for reauthentication during client roaming in a wireless network system, the network having at least one access server operable to communicate with an a remote authentication server during an initial authentication of the client, and a plurality of access points, the access points being registered with the access server, the method comprising:

receiving a registration request at the access server from a new access point for a roaming client registered with the access server and previously in communication with an old access point, the request including a ticket or authenticator;

authenticating the registration request with an authentication extension generated with a secret session key shared by the new access point and the access server, wherein authenticating the registration request comprises comparing timer values from the client and the new access point; and

sending a client'"'"'s session key from the access server to the new access point in a registration reply upon authentication of the registration request at the access server;

wherein the client'"'"'s session key is configured for use by the new access point to reauthenticate the client and establish encryption keys for the client without contacting the authentication server; and

wherein said at least one access server comprises a central access server at a top level of a hierarchy, and a local access server at a second level of said hierarchy and registered with the central access server, the access points located at a third level of said hierarchy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for reauthentication during client roaming in a wireless network system. The network has at least one access server and a plurality of access points registered with the access server. The method includes receiving a registration request at the access server from a new access point for a roaming client registered with the access server and sending a client'"'"'s session key to the new access point in a registration reply upon authentication of the registration request. The client'"'"'s session key is configured for use by the new access point to authenticate the client and establish keys for the client. A method for secure context transfer during client roaming is also disclosed.

105 Citations

View as Search Results

27 Claims

1. A method for reauthentication during client roaming in a wireless network system, the network having at least one access server operable to communicate with an a remote authentication server during an initial authentication of the client, and a plurality of access points, the access points being registered with the access server, the method comprising:
- receiving a registration request at the access server from a new access point for a roaming client registered with the access server and previously in communication with an old access point, the request including a ticket or authenticator;
  
  authenticating the registration request with an authentication extension generated with a secret session key shared by the new access point and the access server, wherein authenticating the registration request comprises comparing timer values from the client and the new access point; and
  
  sending a client'"'"'s session key from the access server to the new access point in a registration reply upon authentication of the registration request at the access server;
  
  wherein the client'"'"'s session key is configured for use by the new access point to reauthenticate the client and establish encryption keys for the client without contacting the authentication server; and
  
  wherein said at least one access server comprises a central access server at a top level of a hierarchy, and a local access server at a second level of said hierarchy and registered with the central access server, the access points located at a third level of said hierarchy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 wherein comparing timer values comprises decrypting the client ticket with the client'"'"'s session key.
  - 3. The method of claim 1 wherein authenticating the registration request further comprises comparing a client TSF timer with an access point TSF timer to prevent replays of old registration messages.
  - 4. The method of claim 1 wherein authenticating the registration request further comprises decrypting the client ticket with a secret key known only to the access server.
  - 5. The method of claim 1 wherein sending the registration reply comprises sending access point bindings and context.
  - 6. The method of claim 5 further comprising encrypting the client'"'"'s session key and inserting into the reply.
  - 7. The method of claim 1 further comprising inserting an authentication status in the registration reply.
  - 8. The method of claim 1 further comprising sending a reassociation response from the access point to the client.
  - 9. The method of claim 8 further comprising inserting an authentication status indicator into the reassociation response.
  - 10. The method of claim 1 further comprising sending a success message from the access point to the client if the registration is successful.
  - 11. The method of claim 1 further comprising initiating full higher-layer authentication at the client if authentication is not successful.
  - 12. The method of claim 1 further comprising securely transferring context from an old access point to the new access point.
  - 13. The method of claim 12 comprising sending an old access point ticket and encryption key from the access server to the new access point.
  - 14. The method of claim 12 further comprising sending a binding-update message from the new access point to the old access point.
  - 15. The method of claim 1 further comprising forwarding client session keys from the access server to a second access point if client is expected to roam to the second access point.
  - 16. The method of claim 1 wherein each of the access points shares a secret session key with the access server.
  - 17. The method of claim 1 wherein the access server is configured to operate as a key distribution center.
  - 18. The method of claim 17 wherein each of the access points have a session key configured to access the key distribution center.

19. A wireless security protocol system for reauthentication during client roaming, comprising:
- a central access server at a top level of a hierarchy of the protocol system; and
  
  a plurality of local access servers at a second level of said hierarchy and associated with the central access server, each local access server having at least one access point associated therewith, the access points at a third level of said hierarchy and each being registered with the associated-local-access servers and central access server;
  
  wherein the local access server comprises a processor configured to mutually authenticate and establish a secret session key with the central access server and the access points through an a remote authentication server, and operate as a key distribution center for clients roaming between different access points so that no authentication is required between the client and the authentication server during roaming between an old access point and a new access point, the processor further configured to receive a registration request from the new access point for a roaming client, authenticate the registration request with an authentication extension generated with a secret session key shared by the new access point and the local access server, compare timer values from the client and the new access point during authentication, and send a client'"'"'s session key to the new access point in a registration reply upon authentication of the registration request at the local access server.
- View Dependent Claims (20, 22, 23, 24)
- - 20. The system of claim 19 wherein the local access server comprises a key distribution center.
  - 22. The system of claim 19 wherein each of the access points shares a secret session key with the local access server.
  - 23. The system of claim 20 wherein each of the access points has a session key configured to access the key distribution center.
  - 24. The system of claim 19 wherein the processor is configured to transmit a reassociation response to said roaming clients, said reassociation response comprising an authentication status indicator.

21. A computer-readable storage medium comprising computer readable program codes for reauthentication during client roaming in a wireless network system, the wireless network system comprising at least one access server operable to communicate with an a remote authentication server during an initial authentication of the client, and a plurality of access points, the access points being registered with the access server, the program codes comprising:
- code that receives a registration request at the access server from a new access point for a roaming client registered with the access server and previously in communication with an old access point, the request including a ticket;
  
  code that authenticates the registration request with an authentication extension generated with a secret session key shared by the new access point and access server, wherein authenticating the registration request comprises comparing timer values from the client and the new access point; and
  
  code that sends a client'"'"'s session key from the access server to the new access point in a registration reply upon authentication of the registration request at the access server, wherein the client'"'"'s session key is configured for use by the new access point to reauthenticate the client and establish keys for the client without contacting the authentication server;
  
  wherein said at least one access server comprises a central access server at a top level of a hierarchy, and a local access server at a second level of said hierarchy and registered with the central access server, the access points located at a third level of said hierarchy.
- View Dependent Claims (25, 26, 27)
- - 25. The computer readable storage medium of claim 21 wherein code that sends the registration reply comprises code that sends access point bindings and context.
  - 26. The computer readable storage medium of claim 21 wherein each of the access points shares a secret session key with the access server.
  - 27. The computer readable storage medium of claim 21 wherein the access server is configured to operate as a key distribution center.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Meier, Robert, Griswold, Victor
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US10/161,869
Time in Patent Office

2,170 Days
Field of Search

713/169, 713/155, 713/168, 713/170, 380/270, 455/411, 726/2, 726/4
US Class Current

713/168
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0869   for achieving mutual authen...

H04L 9/08   Key distribution or managem...

H04L 9/0836   using tree structure or hie...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/32   including means for verifyi...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3273   for mutual authentication n...

H04W 12/065   Continuous authentication

H04W 12/069   using certificates or pre-s...

H04W 36/0038   of security context informa...

H04W 8/20   Transfer of user or subscri...

H04W 92/20   between access points

Wireless security system and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

105 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Wireless security system and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links