PANA for roaming Wi-Fi access in fixed network architectures

US 8,509,440 B2
Filed: 08/15/2008
Issued: 08/13/2013
Est. Priority Date: 08/24/2007
Status: Active Grant

First Claim

Patent Images

1. A network component comprising:

a memory comprising computer readable instructions that when implemented by a processor cause the processor to;

derive a Master Session Key (MSK) using a secret key and at least one parameter obtained from an Extensible Authentication Protocol (EAP) sequence;

derive a first Pairwise Master Key (PMK) and a second PMK from the MSK;

establish a first authentication between a user equipment (UE) and a home gateway (HG) using the first PMK, wherein the first authentication allows the establishment of a first secure tunnel that extends between the UE and the HG; and

establish a second authentication between the UE and an end point using the second PMK,wherein the second authentication allows the establishment of a second secure tunnel that extends between the UE and the end point and through the HG,wherein the end point is not part of the HG,wherein the HG and the end point are located in separate nodes,wherein the HG does not have access to the second PMK or any encryption keys derived therefrom,wherein communications are exchanged between the UE and the end point over the second secure tunnel via the first secure tunnel with the HG,wherein the communications are encrypted/decrypted for the second secure tunnel using an encryption key derived from the second PMK,wherein the communications are further encrypted/decrypted for the first secure tunnel using an encryption key derived from the first PMK, andwherein by virtue of not having access to the second PMK or any encryption keys derived therefrom, the HG cannot completely decrypt the encrypted communications.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network component comprising at least one processor configured to implement a method comprising deriving a Master Session Key (MSK) using a secret key and at least one parameter obtained from an Extensible Authentication Protocol (EAP) sequence, deriving a first Pairwise Master Key (PMK) and a second PMK from the MSK, authenticating with a home gateway (HG) using the first PMK, and authenticating with an end point using the second PMK. Included is an apparatus comprising a node comprising an access controller (AC) and a protocol for carrying authentication for network access (PANA) Authentication Agent (PAA), wherein the AC is configured to manage authentication for a UE, and wherein the PAA is configured to implement a PANA to forward authentication information related to the UE.

17 Citations

View as Search Results

14 Claims

1. A network component comprising:
- a memory comprising computer readable instructions that when implemented by a processor cause the processor to;
  
  derive a Master Session Key (MSK) using a secret key and at least one parameter obtained from an Extensible Authentication Protocol (EAP) sequence;
  
  derive a first Pairwise Master Key (PMK) and a second PMK from the MSK;
  
  establish a first authentication between a user equipment (UE) and a home gateway (HG) using the first PMK, wherein the first authentication allows the establishment of a first secure tunnel that extends between the UE and the HG; and
  
  establish a second authentication between the UE and an end point using the second PMK,wherein the second authentication allows the establishment of a second secure tunnel that extends between the UE and the end point and through the HG,wherein the end point is not part of the HG,wherein the HG and the end point are located in separate nodes,wherein the HG does not have access to the second PMK or any encryption keys derived therefrom,wherein communications are exchanged between the UE and the end point over the second secure tunnel via the first secure tunnel with the HG,wherein the communications are encrypted/decrypted for the second secure tunnel using an encryption key derived from the second PMK,wherein the communications are further encrypted/decrypted for the first secure tunnel using an encryption key derived from the first PMK, andwherein by virtue of not having access to the second PMK or any encryption keys derived therefrom, the HG cannot completely decrypt the encrypted communications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The network component of claim 1, wherein the first PMK is sent to the HG and the second PMK is sent to the end point using a protocol for carrying authentication for network access (PANA).
  - 3. The network component of claim 1, wherein establishing the first authentication between the UE and the HG comprises an 802.11 wireless link exchange.
  - 4. The network component of claim 3, wherein the 802.11 wireless link exchange is performed with a wireless termination point (WTP) at the HG.
  - 5. The network component of claim 1, wherein establishing the second authentication between the UE and the end point comprises an Internet Key Exchange (IKE).
  - 6. The network component of claim 5, wherein the end point is part of an Internet Protocol (IP) Edge.
  - 7. The network component of claim 1, wherein the second PMK cannot be derived from the first PMK.
  - 8. The network component of claim 7, wherein the first PMK cannot be derived from the second PMK.

9. A method comprising:
- receiving a Master Session Key (MSK);
  
  deriving a first Pairwise Master Key (PMK) and a second PMK from the MSK;
  
  sending the first PMK to a home gateway (HG); and
  
  sending the second PMK to an end point, but not to the HG,wherein the first PMK is used for establishing a first authentication between a user equipment (UE) and the HG,wherein the first authentication allows the establishment of a first secure tunnel that extends between the UE and the HG,wherein the second PMK is used for establishing a second authentication between the UE and the end point,wherein the second authentication allows the establishment of a second secure tunnel that extends between the UE and the end point and through the HG,wherein the HG and the end point are located in separate nodes,wherein the HG does not have access to the second PMK or any encryption keys derived therefrom,wherein communications are exchanged between the UE and the end point over the second secure tunnel via the first secure tunnel with the HG,wherein the communications are encrypted for the second secure tunnel by the UE and decrypted by the end point using an encryption key derived from the second PMK,wherein the communications are encrypted for the first secure tunnel by the UE and decrypted by the HG using an encryption key derived from the first PMK, andwherein by virtue of not having access to the second PMK or any encryption keys derived therefrom, the HG cannot completely decrypt the encrypted communications.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, wherein the first PMK is sent using a Control and Provisioning of Wireless Access Points (CAPWAP).
  - 11. The method of claim 9, wherein the second PMK is sent using Remote Authentication Dial In User Service (RADIUS) or DIAMETER, and wherein the end point is part of an Internet Protocol (IP) Edge.
  - 12. The method of claim 9, wherein the MSK is received using Remote Authentication Dial In User Service (RADIUS) or DIAMETER.
  - 13. The method of claim 9, wherein the second PMK cannot be derived from the first PMK.
  - 14. The method of claim 13, wherein the first PMK cannot be derived from the second PMK.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Futurewei Technologies Incorporated (Huawei Investment & Holding Co., Ltd.)
Inventors
Kaippallimalil, John
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
Tolentino, Roderick

Application Number

US12/192,486
Publication Number

US 20090055898A1
Time in Patent Office

1,824 Days
Field of Search

726/3, 380247-250, 380255-270, 713155-159, 713/168, 705/67
US Class Current

380/270
CPC Class Codes

H04L 63/162   at the data link layer

H04L 63/164   at the network layer

H04W 12/069   using certificates or pre-s...

PANA for roaming Wi-Fi access in fixed network architectures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

PANA for roaming Wi-Fi access in fixed network architectures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links