Methods and apparatus for authenticating mobility entities using kerberos
First Claim
1. In a Home Agent, a method of authenticating a Mobile Node, comprising:
establishing by the Home Agent communication with a key distribution center to obtain a first dynamically generated key shared between the Home Agent and the key distribution center;
obtaining by the Home Agent a shared session key from the key distribution center using the first dynamically generated key shared between the Home Agent and the key distribution center, the shared session key being a dynamically generated key to be shared by the Home Agent and the Mobile Node;
receiving by the Home Agent a first registration request from the Mobile Node, wherein the first registration request received from the Mobile Node requests the shared session key to be shared between the Home Agent and the Mobile Node, sending by the Home Agent a first registration reply to the Mobile Node, the first registration reply including the shared session key;
receiving by the Home Agent a second registration request from the Mobile Node, the second registration request identifying a care-of address of the Mobile Node and a home address of the Mobile Node, wherein at least a portion of the second registration request has been encrypted using the shared session key;
authenticating by the Home Agent the second registration request using the shared session key;
if the second registration request is successfully authenticated, registering the Mobile Node with the Home Agent in order to establish a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address; and
sending by the Home Agent a second registration reply to the Mobile Node, the second registration reply indicating whether registration of the Mobile Node with the Home Agent is successful.
Dependent claims: 2 through 18.
Abstract
Methods and apparatus for generating and transmitting dynamically generated session keys are disclosed. A key distribution center generates a session key between the key distribution center and a first mobility entity (e.g., an access point). Once the session key between the key distribution center and the access point is transmitted to the access point, the access point retrieves a shared session key between the access point and a Mobile Node from the key distribution center, which is then transmitted to the Mobile Node, enabling the Mobile Node to connect to the network. Similarly, either the Mobile Node or its Home Agent retrieves a session key between the key distribution center and the access point from the key distribution center, enabling a shared session key between the Home Agent and the Mobile Node to be obtained from the key distribution center. The Mobile Node (or Home Agent) then transmits the shared session key to the Home Agent (or Mobile Node). Once the shared session key is obtained by both the Home Agent and the Mobile Node, the shared session key is used to authenticate registration messages (e.g., including registration request and reply packets). In this manner, dynamically generated session keys may be used to securely transmit registration messages in a Mobile IP environment.
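The flow the abstract and claim 1 describe (Home Agent obtains a KDC key, uses it to fetch a Home Agent/Mobile Node session key, hands that key to the Mobile Node, then authenticates the Mobile Node's registration request and creates the home-address/care-of-address binding) is simulated below as an added example. It is not code from the patent or from any product implementing it. Everything beyond the page is an assumption: principals hold pre-provisioned long-term keys with the KDC as in Kerberos; the session key reaches the Mobile Node inside a ticket wrapped under its own KDC key (the page does not say how the key is protected in the first registration reply); the encryption is an HMAC-SHA256 counter-mode keystream standing in for a real cipher; and the reply codes 0, 131 and 133 are taken from RFC 3344, not from the page.

```python
"""Kerberos-style key distribution feeding Mobile IP registration, as the
abstract and claim 1 describe.  Added example, not the patent's own code.
Assumptions not on the page: principals hold long-term keys shared with the
KDC; the session key reaches the Mobile Node as a ticket wrapped under its
long-term key; "encryption" is an HMAC-SHA256 counter-mode keystream (a
stand-in for a real cipher); reply codes 0/131/133 follow RFC 3344."""
import hashlib, hmac, json, os, struct

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a counter-mode keystream (same call encrypts and decrypts)."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = prf(key, nonce + struct.pack(">I", block))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key: bytes, obj: dict) -> dict:
    """Encrypt-then-MAC a JSON object under key with a fresh nonce."""
    nonce = os.urandom(16)
    ct = keystream_xor(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return {"nonce": nonce.hex(), "ct": ct.hex(), "mac": prf(key, b"auth" + nonce + ct).hex()}

def open_sealed(key: bytes, msg: dict):
    """Constant-time MAC check, then decrypt; None if authentication fails."""
    nonce, ct = bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ct"])
    if not hmac.compare_digest(prf(key, b"auth" + nonce + ct), bytes.fromhex(msg["mac"])):
        return None
    return json.loads(keystream_xor(key, nonce, ct))

def tag(key: bytes, body: dict) -> str:          # MAC over a registration reply body
    return prf(key, json.dumps(body, sort_keys=True).encode()).hex()

class KDC:
    def __init__(self, long_term: dict):
        self.long_term, self.issued = long_term, {}      # principal -> key
    def authenticate(self, principal: str) -> dict:
        """Issue the 'first dynamically generated key' shared with the KDC."""
        k = self.issued[principal] = os.urandom(32)
        return seal(self.long_term[principal], {"kdc_key": k.hex()})
    def session_key(self, requester: str, peer: str, proof: bytes) -> dict:
        """Fresh requester<->peer key; requester must prove it holds its KDC key."""
        k_req = self.issued.get(requester)
        if k_req is None or not hmac.compare_digest(proof, prf(k_req, b"req:" + peer.encode())):
            raise PermissionError("requester not authenticated to KDC")
        k = os.urandom(32)
        ticket = seal(self.long_term[peer], {"peer": requester, "key": k.hex()})   # for the peer
        return seal(k_req, {"key": k.hex(), "ticket": ticket})                      # for the requester

class HomeAgent:
    def __init__(self, name: str, long_term: bytes, kdc: KDC):
        self.name, self.long_term, self.kdc = name, long_term, kdc
        self.kdc_key, self.mn_keys, self.last_id, self.bindings = None, {}, {}, {}
    def bootstrap(self):                             # first step of claim 1
        self.kdc_key = bytes.fromhex(open_sealed(self.long_term, self.kdc.authenticate(self.name))["kdc_key"])
    def handle_key_request(self, mn: str) -> dict:
        """First registration request: fetch the HA<->MN key, hand the MN its ticket."""
        proof = prf(self.kdc_key, b"req:" + mn.encode())
        resp = open_sealed(self.kdc_key, self.kdc.session_key(self.name, mn, proof))
        self.mn_keys[mn] = bytes.fromhex(resp["key"])
        return {"code": 0, "ticket": resp["ticket"]}
    def handle_registration(self, mn: str, request: dict) -> dict:
        """Second registration request: authenticate, replay-check, then bind."""
        key = self.mn_keys.get(mn)
        body = open_sealed(key, request) if key else None
        if body is None:
            return {"code": 131}                         # MN failed authentication
        if body["id"] <= self.last_id.get(mn, -1):
            return {"code": 133, "id": body["id"]}       # identification mismatch (replay)
        self.last_id[mn] = body["id"]
        self.bindings[body["home"]] = body["coa"]         # home address -> care-of address
        reply = {"code": 0, "home": body["home"], "id": body["id"]}
        return {**reply, "mac": tag(key, reply)}         # reply authenticated for the MN

class MobileNode:
    def __init__(self, name: str, long_term: bytes, home: str, ha: HomeAgent):
        self.name, self.long_term, self.home, self.ha = name, long_term, home, ha
        self.session_key, self.ident, self.last_request = None, 0, None
    def obtain_key(self):
        ticket = open_sealed(self.long_term, self.ha.handle_key_request(self.name)["ticket"])
        if ticket is None or ticket["peer"] != self.ha.name:
            raise ValueError("ticket not issued by the KDC for this Home Agent")
        self.session_key = bytes.fromhex(ticket["key"])
    def register(self, coa: str):
        """Send the second registration request; reply code if the reply authenticates."""
        self.ident += 1
        self.last_request = seal(self.session_key, {"home": self.home, "coa": coa, "id": self.ident})
        reply = self.ha.handle_registration(self.name, self.last_request)
        body = {k: v for k, v in reply.items() if k != "mac"}
        ok = reply.get("id") == self.ident and hmac.compare_digest(tag(self.session_key, body), reply.get("mac", ""))
        return reply["code"] if ok else None

def demo() -> dict:
    """Full flow with constructed principals and addresses; returns the outcomes."""
    keys = {"ha.example": os.urandom(32), "mn1": os.urandom(32)}     # pre-provisioned (constructed)
    kdc = KDC(keys); ha = HomeAgent("ha.example", keys["ha.example"], kdc)
    mn = MobileNode("mn1", keys["mn1"], "192.0.2.10", ha)
    ha.bootstrap(); mn.obtain_key()
    accepted = mn.register("198.51.100.7")
    replay = ha.handle_registration("mn1", mn.last_request)["code"]
    forged = seal(os.urandom(32), {"home": "192.0.2.10", "coa": "203.0.113.9", "id": 9})
    return {"accepted": accepted, "binding": ha.bindings["192.0.2.10"],
            "replay": replay, "forged": ha.handle_registration("mn1", forged)["code"]}
```

Two checks in `handle_registration` carry the security of the scheme: the MAC is verified with a constant-time comparison before anything is decrypted or acted on, so a request under the wrong key is refused without a binding being touched, and the monotonically increasing identification value rejects a captured request played back later, which the session key alone does not prevent. The reply is authenticated under the same key and echoes the identification so the Mobile Node can tell a genuine reply from a stale or forged one, matching claim 24's requirement that the Mobile Node authenticate the registration reply.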
119 Citations
40 Claims
19. In a Mobile Node, a method of registering with a Home Agent, comprising:
sending by the Mobile Node a first registration request to the Home Agent indicating a request for a dynamically generated session key between the Mobile Node and the Home Agent; receiving by the Mobile Node a first registration reply from the Home Agent including the dynamically generated session key between the Mobile Node and the Home Agent, wherein the dynamically generated session key has been obtained by the Home Agent from a key distribution center, thereby enabling the Mobile Node to register with the Home Agent by sending a subsequent registration request using the dynamically generated session key; composing by the Mobile Node a second registration request using the shared session key such that at least a portion of the second registration request is encrypted using the shared session key, the second registration request identifying a care-of address of the Mobile Node and a home address of the Mobile Node; sending by the Mobile Node the second registration request to the Home Agent, thereby enabling the Home Agent to authenticate the registration request using the shared session key; and receiving by the Mobile Node a second registration reply from the Home Agent, the second registration reply indicating whether the Home Agent has established a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address.
Dependent claims: 20.
21. In a Mobile Node, a method of obtaining a shared key shared between the Mobile Node and a Home Agent, comprising:
establishing by the Mobile Node communication with a key distribution center to obtain a first dynamically generated key shared between the Mobile Node and the key distribution center; obtaining by the Mobile Node a shared session key from the key distribution center using the first dynamically generated key shared between the Mobile Node and the key distribution center, the shared session key being a dynamically generated key to be shared by the Home Agent and the Mobile Node; providing by the Mobile Node the shared session key to the Home Agent; composing by the Mobile Node a registration request using the shared session key that has been obtained from the key distribution center such that at least a portion of the registration request is encrypted using the shared session key, the registration request identifying a care-of address of the Mobile Node and a home address of the Mobile Node; and sending by the Mobile Node the registration request to the Home Agent, thereby enabling the Home Agent to authenticate the registration request using the shared session key; and receiving by the Mobile Node a registration reply from the Home Agent, the registration reply indicating whether the Home Agent has established a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address.
Dependent claims: 22, 23.
24. In a first mobility entity, a method of authenticating a second mobility entity, comprising:
establishing by the first mobility entity communication with a key distribution center to obtain a first dynamically generated key shared between the first mobility entity and the key distribution center; obtaining by the first mobility entity a shared session key from the key distribution center using the first dynamically generated key shared between the first mobility entity and the key distribution center, the shared session key being a dynamically generated key to be shared by the first mobility entity and the second mobility entity; and providing by the first mobility entity the shared session key to the second mobility entity, wherein the first mobility entity is a Home Agent and the second mobility entity is a Mobile Node; wherein the shared session key is to be used by the Home Agent to authenticate a registration request packet received from the Mobile Node and the shared session key is to be used by the Mobile Node to authenticate a registration reply packet received from the Home Agent, wherein at least a portion of the registration request packet has been encrypted using the shared session key, wherein the registration request packet identifies a home address of the Mobile Node and a care-of address of the Mobile Node; wherein when the registration request packet is successfully authenticated, the Mobile Node is registered with the Home Agent in order to establish a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address.
25. A computer-readable medium storing thereon computer-readable instructions for authenticating a Mobile Node in a Home Agent, comprising:
instructions for establishing by the Home Agent communication with a key distribution center to obtain a first dynamically generated key shared between the Home Agent and the key distribution center; instructions for obtaining by the Home Agent a shared session key from the key distribution center using the first dynamically generated key shared between the Home Agent and the key distribution center, the shared session key being a dynamically generated key to be shared by the Home Agent and the Mobile Node; instructions for processing by the Home Agent a first registration request received from the Mobile Node, wherein the first registration request received from the Mobile Node requests the shared session key to be shared between the Home Agent and the Mobile Node, instructions for composing and sending by the Home Agent a first registration reply to the Mobile Node, the first registration reply including the shared session key; instructions for processing by the Home Agent a second registration request received from the Mobile Node, the second registration request identifying a care-of address of the Mobile Node and a home address of the Mobile Node, wherein at least a portion of the second registration request has been encrypted using the shared session key; instructions for authenticating by the Home Agent the second registration request using the shared session key; instructions for registering the Mobile Node with the Home Agent in order to establish a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address; and instructions for composing and sending by the Home Agent a second registration reply to the Mobile Node, the second registration reply indicating whether registration of the Mobile Node with the Home Agent is successful.
26. A Home Agent adapted for authenticating a Mobile Node, comprising:
means for establishing by the Home Agent communication with a key distribution center to obtain a first dynamically generated key shared between the Home Agent and the key distribution center; means for obtaining by the Home Agent a shared session key from the key distribution center using the first dynamically generated key shared between the Home Agent and the key distribution center, the shared session key being a dynamically generated key to be shared by the Home Agent and the Mobile Node; means for receiving by the Home Agent a first registration request from the Mobile Node, wherein the first registration request received from the Mobile Node requests the shared session key to be shared between the Home Agent and the Mobile Node, means for sending by the Home Agent a first registration reply to the Mobile Node, the first registration reply including the shared session key; means for receiving by the Home Agent a second registration request from the Mobile Node, the second registration request identifying a care-of address of the Mobile Node and a home address of the Mobile Node, wherein at least a portion of the second registration request has been encrypted using the shared session key; means for authenticating by the Home Agent the second registration request using the shared session key; means for registering the Mobile Node with the Home Agent in order to establish a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address; and means for sending by the Home Agent a second registration reply to the Mobile Node, the second registration reply indicating whether registration of the Mobile Node with the Home Agent is successful.
27. A Home Agent adapted for authenticating a Mobile Node, comprising:
a processor; and a memory, at least one of the processor or the memory being adapted for: establishing by the Home Agent communication with a key distribution center to obtain a first dynamically generated key shared between the Home Agent and the key distribution center; obtaining by the Home Agent a shared session key from the key distribution center using the first dynamically generated key shared between the Home Agent and the key distribution center, the shared session key being a dynamically generated key to be shared by the Home Agent and the Mobile Node; receiving by the Home Agent a first registration request from the Mobile Node, wherein the first registration request received from the Mobile Node requests the shared session key to be shared between the Home Agent and the Mobile Node, sending by the Home Agent a first registration reply to the Mobile Node, the first registration reply including the shared session key; receiving by the Home Agent a second registration request from the Mobile Node, the second registration request identifying a care-of address of the Mobile Node and a home address of the Mobile Node, wherein at least a portion of the second registration request has been encrypted using the shared session key; authenticating by the Home Agent the second registration request using the shared session key; if the second registration request is successfully authenticated, registering by the Home Agent the Mobile Node with the Home Agent in order to establish a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address; and sending by the Home Agent a second registration reply to the Mobile Node, the second registration reply indicating whether registration of the Mobile Node with the Home Agent is successful.
Dependent claims: 28, 29, 30, 31.
32. A computer-readable medium storing thereon computer-readable instructions for registering a Mobile Node with a Home Agent, comprising:
instructions for sending by the Mobile Node a first registration request to the Home Agent indicating a request for a dynamically generated session key between the Mobile Node and the Home Agent; instructions for processing by the Mobile Node a first registration reply received from the Home Agent, the first registration reply including the dynamically generated session key between the Mobile Node and the Home Agent, wherein the dynamically generated session key has been obtained by the Home Agent from a key distribution center, thereby enabling the Mobile Node to register with the Home Agent by sending a subsequent registration request using the dynamically generated session key; instructions for composing by the Mobile Node a second registration request using the dynamically generated session key such that at least a portion of the second registration request is encrypted using the dynamically generated session key and sending the second registration request to the Home Agent, thereby enabling the Home Agent to authenticate the second registration request using the dynamically generated session key, wherein the second registration request identifies a care-of address of the Mobile Node and a home address of the Mobile Node; and instructions for processing by the Mobile Node a second registration reply received from the Home Agent, the second registration reply indicating whether the Home Agent has established a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address.
33. A Mobile Node adapted for registering with a Home Agent, comprising:
means for sending by the Mobile Node a first registration request to the Home Agent indicating a request for a dynamically generated session key between the Mobile Node and the Home Agent; means for receiving by the Mobile Node a first registration reply from the Home Agent including the dynamically generated session key between the Mobile Node and the Home Agent, wherein the dynamically generated session key has been obtained by the Home Agent from a key distribution center, thereby enabling the Mobile Node to register with the Home Agent by sending a subsequent registration request using the dynamically generated session key; means for composing by the Mobile Node a second registration request using the dynamically generated session key such that at least a portion of the second registration request is encrypted using the dynamically generated session key and sending the second registration request to the Home Agent, thereby enabling the Home Agent to authenticate the second registration request using the dynamically generated session key, wherein the second registration request identifies a care-of address of the Mobile Node and a home address of the Mobile Node; and means for processing by the Mobile Node a second registration reply received from the Home Agent, the second registration reply indicating whether the Home Agent has established a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address.
34. A Mobile Node adapted for registering with a Home Agent, comprising:
a processor; and a memory, at least one of the processor or the memory being adapted for: sending by the Mobile Node a first registration request to the Home Agent indicating a request for a dynamically generated session key between the Mobile Node and the Home Agent; receiving by the Mobile Node a first registration reply from the Home Agent including the dynamically generated session key between the Mobile Node and the Home Agent, wherein the dynamically generated session key has been obtained by the Home Agent from a key distribution center, thereby enabling the Mobile Node to register with the Home Agent by sending a subsequent registration request using the dynamically generated session key; composing by the Mobile Node a second registration request using the dynamically generated session key such that at least a portion of the second registration request is encrypted using the dynamically generated session key, wherein the second registration request identifies a care-of address of the Mobile Node and a home address of the Mobile Node; sending by the Mobile Node the second registration request to the Home Agent, thereby enabling the Home Agent to authenticate the second registration request using the dynamically generated session key; and processing by the Mobile Node a second registration reply received from the Home Agent, the second registration reply indicating whether the Home Agent has established a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address.
35. A computer-readable medium storing thereon computer-readable instructions for obtaining a shared key shared between a Mobile Node and a Home Agent in the Mobile Node, comprising:
instructions for establishing by the Mobile Node communication with a key distribution center to obtain a first dynamically generated key shared between the Mobile Node and the key distribution center; instructions for obtaining by the Mobile Node a shared session key from the key distribution center using the first dynamically generated key shared between the Mobile Node and the key distribution center, the shared session key being a dynamically generated key to be shared by the Home Agent and the Mobile Node; instructions for providing by the Mobile Node the shared session key to the Home Agent; instructions for composing by the Mobile Node a registration request using the shared session key that has been obtained from the key distribution center such that at least a portion of the registration request is encrypted using the shared session key and sending the registration request to the Home Agent, thereby enabling the Home Agent to authenticate the registration request using the shared session key, the registration request identifying a care-of address of the Mobile Node and a home address of the Mobile Node; and instructions for processing by the Mobile Node a registration reply received from the Home Agent, the registration reply indicating whether the Home Agent has established a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address.
36. A Mobile Node adapted for obtaining a shared key shared between the Mobile Node and a Home Agent, comprising:
means for establishing by the Mobile Node communication with a key distribution center to obtain a first dynamically generated key shared between the Mobile Node and the key distribution center; means for obtaining by the Mobile Node a shared session key from the key distribution center using the first dynamically generated key shared between the Mobile Node and the key distribution center, the shared session key being a dynamically generated key to be shared by the Home Agent and the Mobile Node; means for providing by the Mobile Node the shared session key to the Home Agent; means for composing by the Mobile Node a registration request using the shared session key that has been obtained from the key distribution center such that at least a portion of the registration request is encrypted using the shared session key, the registration request identifying a care-of address of the Mobile Node and a home address of the Mobile Node; means for sending by the Mobile Node the registration request to the Home Agent, thereby enabling the Home Agent to authenticate the registration request using the shared session key; and means for processing by the Mobile Node a registration reply received from the Home Agent, the registration reply indicating whether the Home Agent has established a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address.
37. A Mobile Node adapted for obtaining a shared key shared between the Mobile Node and a Home Agent, comprising:
a processor; and a memory, at least one of the processor or the memory being adapted for: establishing by the Mobile Node communication with a key distribution center to obtain a first dynamically generated key shared between the Mobile Node and the key distribution center; obtaining by the Mobile Node a shared session key from the key distribution center using the first dynamically generated key shared between the Mobile Node and the key distribution center, the shared session key being a dynamically generated key to be shared by the Home Agent and the Mobile Node; providing by the Mobile Node the shared session key to the Home Agent; composing a registration request using the shared session key that has been obtained from the key distribution center such that at least a portion of the registration request is encrypted using the shared session key, the registration request identifying a care-of address of the Mobile Node and a home address of the Mobile Node; sending by the Mobile Node the registration request to the Home Agent, thereby enabling the Home Agent to authenticate the registration request using the shared session key; and processing by the Mobile Node a registration reply received from the Home Agent, the registration reply indicating whether the Home Agent has established a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address.
38. A computer-readable medium storing thereon computer-readable instructions for authenticating a second mobility entity in a first mobility entity, comprising:
instructions for establishing by the first mobility entity communication with a key distribution center to obtain a first dynamically generated key shared between the first mobility entity and the key distribution center; instructions for obtaining by the first mobility entity a shared session key from the key distribution center using the first dynamically generated key shared between the first mobility entity and the key distribution center, the shared session key being a dynamically generated key to be shared by the first mobility entity and the second mobility entity; and instructions for providing by the first mobility entity the shared session key to the second mobility entity, wherein the first mobility entity is a Home Agent and the second mobility entity is a Mobile Node; wherein the shared session key is to be used by the Home Agent to authenticate a registration request packet received from the Mobile Node and the shared session key is to be used by the Mobile Node to authenticate a registration reply packet received from the Home Agent, wherein at least a portion of the registration request packet has been encrypted using the shared session key, wherein the registration request packet identifies a home address of the Mobile Node and a care-of address of the Mobile Node; wherein when the registration request packet is successfully authenticated, the Mobile Node is registered with the Home Agent in order to establish a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address.
39. A first mobility entity adapted for authenticating a second mobility entity, comprising:
means for establishing by the first mobility entity communication with a key distribution center to obtain a first dynamically generated key shared between the first mobility entity and the key distribution center; means for obtaining by the first mobility entity a shared session key from the key distribution center using the first dynamically generated key shared between the first mobility entity and the key distribution center, the shared session key being a dynamically generated key to be shared by the first mobility entity and the second mobility entity; and means for providing by the first mobility entity the shared session key to the second mobility entity, wherein the first mobility entity is a Home Agent and the second mobility entity is a Mobile Node; wherein the shared session key is to be used by the Home Agent to authenticate a registration request packet received from the Mobile Node and the shared session key is to be used by the Mobile Node to authenticate a registration reply packet received from the Home Agent, wherein at least a portion of the registration request packet has been encrypted using the shared session key, wherein the registration request packet identifies a home address of the Mobile Node and a care-of address of the Mobile Node; wherein when the registration request packet is successfully authenticated, the Mobile Node is registered with the Home Agent in order to establish a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address.
40. A first mobility entity adapted for authenticating a second mobility entity, comprising:
a processor; and a memory, at least one of the processor or the memory being adapted for: establishing by the first mobility entity communication with a key distribution center to obtain a first dynamically generated key shared between the first mobility entity and the key distribution center; obtaining by the first mobility entity a shared session key from the key distribution center using the first dynamically generated key shared between the first mobility entity and the key distribution center, the shared session key being a dynamically generated key to be shared by the first mobility entity and the second mobility entity; and providing by the first mobility entity the shared session key to the second mobility entity, wherein the first mobility entity is a Home Agent and the second mobility entity is a Mobile Node; wherein the shared session key is to be used by the Home Agent to authenticate a registration request packet received from the Mobile Node and the shared session key is to be used by the Mobile Node to authenticate a registration reply packet received from the Home Agent, wherein at least a portion of the registration request packet has been encrypted using the shared session key, wherein the registration request packet identifies a home address of the Mobile Node and a care-of address of the Mobile Node; wherein when the registration request packet is successfully authenticated, the Mobile Node is registered with the Home Agent in order to establish a Mobile IP session such that a binding between the care-of address of the Mobile Node and the home address of the Mobile Node is created, thereby enabling the Home Agent to forward packets addressed to the home address to the Mobile Node at the care-of address.
Specification