WO2006129287A1 - Method and devices for wireless network access management - Google Patents


Info

Publication number
WO2006129287A1
Authority
WO (WIPO, PCT)
Application number
PCT/IB2006/051752
Other languages
French (fr)
Prior art keywords
psk, skt, sta, mac address, mac
Inventors
Bozena Erdmann, Ventzislav Nikov, Philippe Teuwen
Original assignee
Koninklijke Philips Electronics N.V.; Philips Intellectual Property & Standards GmbH

Classifications

    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities
    • H04L 63/0853: as H04L 63/08, using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04W 12/50: Security arrangements; authentication; protecting privacy or anonymity; secure pairing of devices
    • H04W 76/30: Connection management; connection release
    • H04W 84/12: Network topologies; hierarchically pre-organised networks; small scale networks; WLAN [Wireless Local Area Networks]

Definitions

  • the current home-oriented state-of-the-art solution for configuring wireless devices with different credentials is based on PSKs with some modifications of the Access Point (AP) internal implementation to allow multiple concurrent PSKs.
  • the PSKs can be either bound to a specific client station, and identified by its MAC address, or used by any client. Such PSKs are later referred to as "unassigned" or "common" PSKs.
  • An example is the open-source HostAP software (http://hostap.epitest.fi). Usage requires considerable Information Technology (IT) skills, as the current implementations are limited to PC software and are not yet available as standalone Access Point devices.
  • the method should not depend on a user interface on the device to be configured (a typical example is the UI-less wireless Access Point (AP)), on a PC in the network, e.g. to manage a RADIUS server, on IT skills, for example for installing additional software, e.g. by way of configuration wizards, manually reconfiguring a PC and the like, or on the user handling Media Access Control (MAC) or Internet Protocol (IP) addresses.
  • the method is based on the multiple-PSK (Pre-Shared Key) concept, extending the Wi-Fi WPA (Wi-Fi Protected Access) and WPA2 (Wi-Fi Protected Access version 2) Personal standard. This object is achieved by the independent method claim.
  • the dependent method claims provide advantageous embodiments.
  • the invention is based on a multiple-PSK concept, which requires the AP to be able to store and handle multiple Pre-Shared Keys in parallel, but is completely transparent to the STAs.
  • the invention provides methods of addressing and managing the devices individually in an easy way. It also assures optimal performance of the AP, capable of supporting multiple PSKs, by specifying methods of binding each PSK to an individual device and thus enabling simple key search and smooth association.
  • the basic assumption is that the procedure for wireless network configuration uses a portable unit called Short-range Key Transmitter (SKT) item, and that the to-be-configured devices (AP and STAs) are equipped with an appropriate interface to communicate with the SKT, as defined by WO 2004/014040 A1. Furthermore, it is assumed that every home network will be equipped with two SKT items: a so-called "home SKT" (HSKT), used for configuration of home devices, and a Guest SKT (GSKT), used for configuration of guest devices. For example, the Access Point could be sold pre-packaged with HSKT and GSKT. It is further assumed that the wireless Access Point (AP) can support multiple Pre-Shared Keys in parallel and that the AP is capable of randomly generating fresh network access credentials, as and when required, per-device or, in the case of guest devices, per-visit.
  • the present invention provides an easy user interaction for creating and managing individual device credentials, using the same easy, secure and intuitive step of touching the devices with the SKT as proposed by WO 2004/014040 A1. Unless otherwise stated in the method descriptions, all methods apply to managing both home devices (HD) and guest devices (GD), which are jointly referred to as client stations (STA).
  • the invention provides a method of generating a unique PSK for every individual wireless client station (STA) and of sharing the PSK between the target client station and the Access Point, optionally resulting in binding a particular PSK to the STA's MAC address in the Access Point, in order to prevent other STAs from using the same PSK and to simplify the PSK lookup process on the AP for smooth association.
  • PSK is not the only parameter needed for successful authentication; however, all other parameters are either equal for all STAs, e.g. the authentication methods, the encryption algorithm or the network identifier, i.e. SSID, or can be derived automatically, e.g. channel number.
  • this invention focuses mainly on configuration of multiple PSKs.
  • the credentials (PSK and MAC address, if used) left on the SKT can be overwritten in the first step of a new configuration procedure, or automatically by the SKT item (if capable), or removed in the last SKT step of the configuration procedure.
  • the credential removal feature especially influences the methods' security: as long as a rewritable SKT still carries a valid PSK it is a portable copy of that credential, and whoever touches the AP or a STA with it can replay the configuration; wiping the SKT in the last step confines the credential to the two devices it was meant for.
  • in order to support the multiple PSK functionality, the AP must implement at least a list of PSKs (psklist). If only multiple PSKs (without a unique STA identifier) were stored in the psklist, the AP would have to search the entire list, i.e. try each candidate PSK against the handshake, on every STA (re-)association. Therefore, to optimize the association process, the psklist may be extended to a list of PSK-MAC bindings, as in the embodiments described below. In a further improvement, the AP could start the PSK lookup from the recently added PSK or PSK-MAC binding, instead of starting from the beginning of the psklist.
  • Fig. 1 shows a block diagram illustrating the architecture of a wireless communication system whereto embodiments of the present invention are to be applied;
  • Fig. 2 shows a block diagram of two short-range key transmission items, an access point and a wireless station in accordance with an embodiment of the present invention
  • Fig. 3 shows a flow chart illustrating the operation steps of wireless network access management according to an embodiment of the present invention.
  • Fig. 1 illustrates a representative wireless network 100 whereto embodiments of the present invention are to be applied.
  • an access point (AP) 101 is coupled to a plurality of wireless stations (STAs) 102, 103 and 104, which, through a wireless link, are communicating with each other and to the AP via a plurality of wireless channels.
  • a further wireless station (STA) 110 for which it is required that it be granted access to the wireless network 100 too, thereby becoming part of the wireless network 100.
  • the wireless station 110 could for example be a device newly bought by the owner of the wireless network 100, or it could be a "guest" device, temporarily brought in by a friend of the owner.
  • a short-range key transmission item (SKT) 120 for configuring the access point 101 and the wireless station 110 in accordance with the invention.
  • Fig. 2 shows a first portable, short-range key transmission item (SKT) 1, a second portable, short-range key transmission item (SKT) 2, an access point (AP) 3 and a wireless station (STA) 4.
  • the STA 4 is new in the home network.
  • the SKT 1 comprises a memory 5 for storing access data 6, such as a pre-shared key (PSK) or a Media Access Control (MAC) address of a wireless device, an optional button 7 for triggering a transmission or reception of access data 6, and a transmitter/receiver (transceiver) 8 used as a wireless interface for transmitting/receiving (transceiving) access data 6.
  • the SKT 1 has a short range of maximally about 50 cm.
  • the SKT 2 comprises, like the SKT 1, a memory 9 for storing access data 10, such as a pre-shared key (PSK) or a Media Access Control (MAC) address of a wireless device, an optional button 11 for triggering a transmission or reception of access data 10, and a transceiver 12 used as a wireless interface for transceiving access data 10.
  • the SKT 2 also has a short range of maximally about 50 cm.
  • the SKTs 1 and 2 may be different in that for example the SKT 1 is preconfigured with access data 6 pertaining to the STA 4. Then the SKT 1 would not require the receiver function 8 for receiving access data. In particular, this may be the case if the SKT 1 would be an SKT that was manufactured and sold together with the STA 4.
  • the AP 3 is an apparatus equipped with a radio interface 12 operating in accordance with the IEEE 802.11 standard.
  • This radio interface 12 is controlled by a component denoted as driver software 13 and is used for transceiving useful data (music, video, general data, but also control data).
  • the driver software 13 may be operated by other software components via standardized software interfaces (APIs).
  • the AP 3 is also equipped with a transceiving unit 14.
  • the transceiving unit 14 comprises a transceiver 15 provided as an interface for transceiving access data, for example the access data 6 transceived by transceiver 8.
  • the transceiving unit 14 is provided with transceiver software 16 as both a generation and an evaluation component.
  • the software 16 may generate a pre-shared key (PSK), for example as defined in the IEEE 802.11 standard, and transmit this PSK as part of access data 6 to the SKT 1.
  • the software 16 may extract a PSK 17 therefrom, for example as defined in the IEEE 802.11 standard, and pass on this PSK 17 via a standardized management interface to the driver software 13.
  • the AP 3 is furthermore provided with application software 18, required for operating the AP 3.
  • the STA 4 is, like the AP 3, an apparatus equipped with a radio interface 18 operating in accordance with the IEEE 802.11 standard.
  • This radio interface 18 is controlled by a component denoted as driver software 19 and is used for transceiving useful data (music, video, general data, but also control data).
  • the driver software 19 may be operated by other software components via standardized software interfaces (APIs).
  • the STA 4 is also equipped with a transceiving unit 20.
  • the transceiving unit 20 comprises a transceiver 21 provided as an interface for transceiving access data, for example the access data 10 transceived by transceiver 12.
  • the transceiving unit 20 is provided with transceiver software 22 as both a generation and an evaluation component.
  • the software 22 may generate a pre-shared key (PSK), for example as defined in the IEEE 802.11 standard, and transmit this PSK as part of access data 10 to the SKT 2.
  • the software 22 may extract a PSK 23 therefrom, for example as defined in the IEEE 802.11 standard, and pass on this PSK 23 via a standardized management interface to the driver software 19.
  • the STA 4 is furthermore provided with application software 24, required for operating the STA 4.
  • the AP 3 and the STA 4 will be different devices, pertaining to their respective functions in the wireless network in which they are used. Additionally, and complementary to any differences that may exist for the SKTs 1 and 2, also the AP 3 and the STA 4 may differ in the functionality provided by the respective transceiver units 14 and 20.
  • the STA 4 may be equipped with a transceiver unit 20 that does not comprise a PSK generation component. It may even be the case, for example when the SKT 1 is sold preconfigured with access data 6 pertaining to the STA 4, that STA 4 does not comprise a transceiving unit 20 at all.
  • a user would like to install the STA 4 in the home network and radio-connect it to the AP 3 and other wireless stations in the home network in order that the user can exchange useful data between STA 4 and the other wireless stations.
  • the user approaches the AP 3 and/or the STA 4 with an SKT, such as one of the SKTs 1 or 2, for the exchange of access data, and more in particular a PSK, according to one of the below embodiments of the invention.
  • an AP such as the AP 3 in Fig. 2 is able to bind/attribute a PSK to a particular STA, such as the STA 4 in Fig. 2, thanks to a triple-touch user interaction.
  • Fig. 3 shows a flow chart 300 illustrating the operation steps of wireless network access management according to this embodiment.
  • after being touched with an SKT (further referred to as an "SKT step"), such as the SKT 1 in Fig. 2, the AP generates a fresh unique PSK and stores it on the SKT (step 301). Subsequently, while being touched with the SKT, the station (STA) reads the PSK (along with other necessary configuration parameters) and stores its MAC address on the SKT (step 302). Touching the AP with the SKT again provides the AP with the MAC address of the willing-to-join STA, and the AP can therefore associate the newly generated PSK with this MAC address (step 303). This allows the AP to select the proper PSK when the STA initiates the association process (steps 304 and 305).
  • the user action can be described as follows:
    1. Touch home AP with SKT (step 301): AP generates a fresh PSK, caches it temporarily and stores it on the SKT.
    2. Touch new STA with SKT (step 302): STA reads and stores the PSK; STA stores its MAC address on the SKT.
    3. Touch home AP with SKT again (step 303): AP reads the STA MAC address from the SKT and stores it in the list of PSK-MAC bindings along with the previously cached PSK; optionally, AP deletes both PSK and MAC from the SKT.
    4. STA starts the state-of-the-art IEEE 802.11i association procedure with the AP: Open System Authentication, followed by an Association Request frame and the 4-way handshake (step 304). Based on the STA MAC address, present in the MAC frames, the AP can identify which PSK to use for the 4-way handshake and the authentication is successful (step 305).
  • in an alternative triple-touch embodiment the STA is touched first:
    1. STA is touched with an SKT and stores its MAC on the SKT.
    2. AP is touched with the SKT; AP reads out the MAC, generates a fresh PSK, stores the PSK-MAC binding locally and stores the PSK on the SKT.
    3. STA is touched again with the SKT; it checks the MAC, reads the PSK and optionally cleans the SKT.
    4. STA immediately starts an association. Based on the STA MAC address the AP can identify which PSK to use for the authentication.
  • This embodiment offers the advantage that the AP can immediately store the PSK-MAC binding. Furthermore, the STA can start a successful association as soon as it is touched for the second time. The previously described embodiment required the STA to wait for step 3 to be performed on the AP before trying to associate. In a further embodiment, the STA is assumed to have the capabilities to generate its PSK itself. In this case, the procedure is simplified to touching the to-be- configured devices once each, i.e. double-touch user interaction, in the following manner:
    1. STA is touched with an SKT, and writes its MAC and freshly generated PSK on the SKT.
    2. AP is touched with the SKT, reads out the MAC and PSK, stores the PSK-MAC binding and cleans the SKT.
    3. STA starts an association. Based on the STA MAC address the AP can identify which PSK to use for the authentication.
  • the applicability of this method may be limited to trusted home devices only, since the AP has no control over the quality or freshness of a PSK chosen by the STA.
  • the binding/attribution of an individual PSK to a particular STA could be executed automatically by an AP on the STA's first association.
  • the AP generates a fresh PSK which is initially treated as a "common PSK", i.e. one not yet bound to a MAC address. If thereafter a STA successfully associates, using this PSK, within a pre-defined timeout period, the PSK becomes assigned to this STA, i.e. bound to its MAC address, and no other STA with a different MAC address can associate using the same PSK. If no STA associates, using the common PSK, before a timeout, set to some reasonable value, e.g. 2 minutes, the AP removes the common PSK.
  • the user action can be described as follows:
    1. Touch home AP with SKT: AP generates a fresh PSK and stores it as a common PSK, i.e. a usable PSK not yet bound to a MAC; AP stores the fresh PSK on the SKT.
    2. Touch new STA with SKT: STA reads and stores the PSK.
    3. STA starts the association procedure with the AP. Since the AP does not yet have a PSK associated with the STA MAC present in the MAC frames, it will use the common PSK, if still valid, for the 4-way handshake.
    4. If the handshake succeeds, the AP associates the STA MAC with the common PSK, creating a PSK-MAC binding; if the common PSK has expired or is already bound to another MAC, the association fails.
  • until the common PSK is bound or times out, any station that obtains it can associate with it, so the timeout bounds the window in which the key is effectively shared; it should be kept short, and the AP should bind the key on the first successful handshake only.
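The following simulation, added here as an example and not code from the patent or from Philips, runs the two flows described above in one model: the triple-touch procedure of Fig. 3 (fresh PSK cached on the AP, MAC collected from the STA, PSK-MAC binding on the second AP touch) and the common-PSK variant in which the AP binds the key to the first STA that completes a handshake within the timeout and discards it afterwards. The names Skt, Station, AccessPoint, triple_touch and auto_bind, and the MAC addresses used, are this example's own assumptions; the patent specifies behaviour, not an API.

```python
"""Multi-PSK access point with PSK-MAC bindings: an added simulation for this page,
not code from the patent or from Philips. The names Skt, Station, AccessPoint,
triple_touch and auto_bind are this example's own. The 4-way handshake is stood
in for by a direct comparison of the two PSKs (what the MIC on message 2 proves)."""
import os
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Skt:
    """Short-range Key Transmission item: a small rewritable memory."""
    psk: Optional[bytes] = None
    mac: Optional[str] = None

    def clear(self) -> None:
        self.psk = self.mac = None


@dataclass
class Station:
    mac: str
    psk: Optional[bytes] = None

    def touch(self, skt: Skt) -> None:  # read the PSK, if any, and leave own MAC
        if skt.psk is not None:
            self.psk = skt.psk
        skt.mac = self.mac


@dataclass
class AccessPoint:
    psklist: Dict[bytes, Optional[str]] = field(default_factory=dict)  # PSK -> MAC or None
    expiry: Dict[bytes, float] = field(default_factory=dict)  # deadlines of common PSKs
    pending: Optional[bytes] = None     # fresh PSK cached between the two AP touches
    common_psk_timeout: float = 120.0   # the patent's example value: 2 minutes

    # triple-touch, AP touched first (Fig. 3, steps 301 and 303)
    def touch_generate(self, skt: Skt) -> None:
        self.pending = os.urandom(32)   # fresh 256-bit PSK, one per device
        skt.psk = self.pending

    def touch_bind(self, skt: Skt, wipe: bool = True) -> None:
        if skt.mac is None or self.pending is None:
            raise RuntimeError("no cached PSK or no STA MAC on the SKT")
        self.psklist[self.pending] = skt.mac
        self.pending = None
        if wipe:
            skt.clear()                 # the optional credential removal step

    # automatic binding on first association, using a time-limited common PSK
    def touch_generate_common(self, skt: Skt, now: Optional[float] = None) -> None:
        psk = os.urandom(32)
        self.psklist[psk] = None        # usable, but not yet bound to a MAC
        self.expiry[psk] = (time.time() if now is None else now) + self.common_psk_timeout
        skt.psk = psk

    def lookup_psk(self, sta_mac: str, now: Optional[float] = None) -> Optional[bytes]:
        """Pick the PSK for this STA's handshake; newest entry first, expired ones dropped."""
        now = time.time() if now is None else now
        for psk, deadline in list(self.expiry.items()):
            if now >= deadline:
                del self.expiry[psk]
                if self.psklist.get(psk) is None:   # still unbound when the timer ran out
                    del self.psklist[psk]
        for psk in reversed(list(self.psklist)):
            if self.psklist[psk] == sta_mac:
                return psk
        for psk in reversed(list(self.psklist)):
            if self.psklist[psk] is None:
                return psk              # a still-valid common PSK
        return None

    def associate(self, sta_mac: str, sta_psk: Optional[bytes], now: Optional[float] = None) -> bool:
        psk = self.lookup_psk(sta_mac, now)
        if psk is None or sta_psk is None or psk != sta_psk:
            return False                # no matching PSK: the handshake would fail
        if self.psklist[psk] is None:
            self.psklist[psk] = sta_mac  # bind the common PSK to the first STA that used it
            self.expiry.pop(psk, None)
        return True


def triple_touch(ap: AccessPoint, sta: Station, skt: Skt) -> bool:
    """Fig. 3: touch AP (301), touch STA (302), touch AP again (303), then associate."""
    ap.touch_generate(skt)
    sta.touch(skt)
    ap.touch_bind(skt)
    return ap.associate(sta.mac, sta.psk)


def auto_bind(ap: AccessPoint, sta: Station, skt: Skt, now: float = 1000.0):
    """Common-PSK flow: (first STA accepted, same PSK rejected for a second MAC)."""
    ap.touch_generate_common(skt, now)
    sta.touch(skt)
    ok = ap.associate(sta.mac, sta.psk, now + 10)
    stranger = ap.associate("ff:ff:ff:ff:ff:01", sta.psk, now + 20)  # constructed MAC
    return ok, not stranger
```

Two points the simulation makes visible. The MAC address in the frame header is a lookup index, not an authentication factor: it is trivially spoofable, so a PSK-MAC binding keeps a key from being shared only because the handshake still proves possession of that exact PSK (here the direct comparison; on a real AP, the MIC check on message 2 against the selected candidate). And a common PSK that nobody has used by the deadline is removed on the next lookup, so a key left on a lost or forgotten SKT stops being valid by itself.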
  • two SKTs should be used, one for home devices (Home SKT) and one for guest devices (Guest SKT); for example, the AP could be sold pre-packaged with a HSKT and a GSKT.
  • the user interaction for configuring individual PSKs can be further simplified to a single SKT touch only.
  • the devices are sold with individual SKT items, which are pre-configured with the read only MAC address of the STA and the rewritable STA's individual PSK. Then, to configure the STA, only touching the AP with the SKT would be necessary.
  • the user action can be described as follows:
    1. Touch home AP with STA's SKT: AP reads out the STA's MAC address and individual PSK and stores the PSK-MAC binding.
    2. STA starts the association procedure with the AP. Based on the STA MAC address, present in the MAC frames, the AP can find which PSK to use for the 4-way handshake, and the authentication is successful.
  • This embodiment offers a simplified user interaction; in order to add the STA to the network, only touching the home AP with STA's SKT is needed.
  • the devices should be sold with two SKTs, i.e. a HSKT and a GSKT, both pre-configured with the STA MAC address. While the HSKT may contain a pre-configured individual STA PSK, the STA's guest PSK will be generated and stored on the STA's GSKT per visit by either the STA or the AP. In the case where the AP generates the guest PSK, the user interaction is modified as follows:
    1. Touch home AP with the STA's GSKT: AP reads out the STA MAC, generates a fresh guest PSK, stores the PSK-MAC binding and stores the PSK on the GSKT.
    2. Touch new STA with its SKT: STA reads and stores the PSK; optionally, STA removes the PSK from the SKT.
    3. STA immediately starts the association procedure with the AP. Based on the STA MAC address, present in the MAC frames, the AP can find which PSK to use for the 4-way handshake, and the authentication is successful.
  • in a further embodiment, the PMKID (Pairwise Master Key Identifier) is used to identify the key to be used for authentication of the devices.
  • PMKID is an 802.11i construct, which allows already successfully 802.1X authenticated stations to avoid repeated authentication. Therefore, after disassociation, both the AP and the STA can cache the 802.1X authentication outcome, i.e. the PMK (Pairwise Master Key), and a (re-)associating STA can place the PMKID in the (Re)Association Request, so that the AP can resume the previous session and find the appropriate PMK. In IEEE 802.11i the PMKID is HMAC-SHA1-128 keyed with the PMK over the string "PMK Name", the AP's MAC address and the STA's MAC address; for WPA/WPA2-Personal the PMK is the PSK itself, and the SSID enters only as the PBKDF2 salt when a passphrase is expanded into the 256-bit PSK.
  • PMKID can be applied to PSKs, in order to simplify the initial multiple PSK lookup on the AP, as the PMKID can be used as an index to search the psklist.
  • the user interaction can be described as follows:
    1. Touch home AP with its SKT: AP generates a fresh PSK and stores it on the SKT, optionally along with the AP's MAC.
    2. Touch new STA with the SKT: STA reads and stores the PSK; optionally, STA removes the PSK from the SKT.
    3. STA immediately starts the association procedure with the AP: STA calculates the PMKID from the PSK (used as PMK), the AP's MAC and its own MAC, and attaches the PMKID to its Association Request.
    4. For all stored PSKs (and PMKs), AP calculates the associated PMKID and compares it with the PMKID sent by the STA. Since the PMKID also covers the STA's MAC, these candidate values can only be computed once the request has arrived; the cost is one HMAC per stored PSK rather than one handshake attempt per PSK.
    5. The AP places the same PMKID in message 1 of 4 of the 4-way handshake, and the STA proceeds only if it matches the PMKID it sent.
  • after successful authentication, a PSK-MAC binding is created to be used for lookup on later (re-)association.
  • in a further improvement, the AP starts the PSK lookup from the recently added PSK, instead of starting from the beginning of the PSK list.
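The PMKID-indexed lookup described above, worked through as an added example (not code from the patent or from Philips). The derivations are the IEEE 802.11i ones: a passphrase becomes the PSK through PBKDF2-HMAC-SHA1 with the SSID as salt (4096 iterations, 32 bytes), the PMK equals the PSK for WPA-Personal, and PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) with AA the AP's MAC and SPA the STA's MAC. The MultiPskAp class, its method names, and the MAC addresses and keys used are assumptions of this example.

```python
"""PMKID-indexed lookup in a multi-PSK access point: an added example for this page,
not code from the patent or from Philips. Key derivation follows IEEE 802.11i; the
MultiPskAp class and the associate() helper are this example's own."""
import hashlib
import hmac
from typing import List, Optional, Tuple


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    aa = bytes.fromhex(ap_mac.replace(":", ""))
    spa = bytes.fromhex(sta_mac.replace(":", ""))
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class MultiPskAp:
    """psklist entries are [psk, bound_mac]; bound_mac is None for a common PSK."""

    def __init__(self, mac: str):
        self.mac = mac
        self.psklist: List[list] = []

    def add_psk(self, psk: bytes, bound_mac: Optional[str] = None) -> None:
        self.psklist.append([psk, bound_mac])

    def select_pmk(self, sta_mac: str,
                   presented: Optional[bytes]) -> Tuple[Optional[bytes], Optional[bytes]]:
        """Return (psk, pmkid) for the 4-way handshake, or (None, None)."""
        # A STA already bound needs no PMKID: the MAC in the frame header is the index.
        for psk, bound in reversed(self.psklist):
            if bound == sta_mac:
                return psk, pmkid(psk, self.mac, sta_mac)
        if presented is None:
            return None, None
        # The PMKID covers SPA, so candidates are computed only now, one HMAC per
        # stored PSK. PSKs bound to another STA are never offered to this one.
        for entry in reversed(self.psklist):
            psk, bound = entry
            if bound is not None:
                continue
            candidate = pmkid(psk, self.mac, sta_mac)
            if hmac.compare_digest(candidate, presented):
                entry[1] = sta_mac      # PSK-MAC binding for later (re-)association
                return psk, candidate
        return None, None


def associate(ap: MultiPskAp, sta_mac: str, sta_psk: bytes) -> bool:
    """Association Request carrying the PMKID, then message 1 of the 4-way handshake."""
    sent = pmkid(sta_psk, ap.mac, sta_mac)
    psk, msg1_pmkid = ap.select_pmk(sta_mac, sent)
    if psk is None:
        return False
    # The STA continues only if message 1 names the PMK it actually holds.
    return hmac.compare_digest(msg1_pmkid, sent)
```

Because the AP only ever compares HMAC outputs, a STA that presents a PMKID for a key the AP does not hold, or for a key already bound to a different MAC, is refused before any handshake state is allocated. The same PMKID that makes this lookup cheap is also what offline attacks on WPA2-PSK capture from message 1, which is one more reason the patent's per-device, randomly generated 256-bit PSKs are preferable to a human-chosen passphrase shared by the whole network.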
  • the procedure for configuring the shared PSK on the AP and the STA, which precedes the actual association, could be modified as described in any other points, i.e. the PSK could be already stored on the SKT or generated by one of the peers (AP or STA); the sequence of the steps can be changed accordingly.
  • the multiple PSK methods provided by the invention allow the user to configure every single device, i.e. home or guest, with an individual PSK. Said methods can be also creatively combined with a basic SKT configuration method, as defined in WO 2004/014040 A1, WO 2004/014039 A1 and WO 2004/014038 A1, allowing some of the home devices, or e.g. a group of guest devices, to share a common PSK, which simplifies user interaction if network reconfiguration is necessary, while guest devices, as well as some home devices, e.g. those prone to being lost, e.g. portables, or those subject to special security considerations, are configured with individual PSKs.
  • Individual credentials allow for individual management of every station and, e.g. for easier key revocation, for example in case a device is stolen, since reconfiguration of an entire network, as in the case of a shared PSK, is no longer necessary.
  • All of the above-described multiple PSK configuration and management methods are equally applicable for the configuration of home as well as guest devices into a wireless network.
  • the possibility to differentiate between home and guest status can be useful, as can further MAC-related parameters stored with each binding, e.g. session key lifetimes.
  • home devices are assumed to have long-term, if not constant, access to a home network, a guest visit is definitely time-limited, thus differentiation between home and guest (device) status allows for applying some automated guest removal procedures, e.g. duration based, like for example after 2 hours of access, timer based, like for example always at 8 p.m., event based, like for example when a certain user logs out/in, or user action based, like for example on a button press.
  • this link-layer differentiation may allow for the implementation of access control mechanisms on higher layers, e.g. providing guest devices with DHCP leases for IP addresses from a pool different than the one for home devices or limiting guest access to certain resources.
  • This differentiation may also be of benefit to the STAs, e.g. to tell the STA whether to switch the personal firewall off or not.
  • the devices can differentiate between home and guest status, based on the following parameters:
    - the type of SKT item used for configuration, being either a home SKT or a guest SKT;
    - the home/guest status of the SKT/PSK, set dynamically by the configured devices, e.g. depending on user interaction (e.g. if the STA is touched first, the SKT carries guest configuration) or on which of the peers generates the credentials (e.g. STAs are allowed only to generate home configuration credentials, whereas APs should generate guest credentials);
    - the SKT identifier, being a unique SKT number, which allows the devices to differentiate between their own SKT (if paired with the device) or an already known SKT (e.g. one already used for home configuration) and an unknown SKT;
    - the SKT capabilities, e.g. a guest SKT should typically be (from a security point of view) rewritable, whereas a home SKT should be read only (if per-STA).
  • home/guest status of certain credentials can be represented e.g. by Home/Guest bits, stored for each PSK (or PSK-MAC binding).
  • AP can implement separate psklists, for home and guest PSKs and STAs.
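An added example (not code from the patent or from Philips) of the Home/Guest bit on a binding and the automated guest removal policies listed above: duration based, timer based, and event or button based, plus the higher-layer use of the status for a separate DHCP pool. The Credential layout, the policy arguments (duration_hours, daily_at), the event names "button" and "owner_logout", and the ISO 8601 timestamps are assumptions of this example; the patent only names the kinds of trigger.

```python
"""Home/guest credential status with automated guest removal: an added example for
this page, not code from the patent or from Philips. Times are ISO 8601 strings
so the example stays free of time zones; event names are this example's own."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Credential:
    psk: bytes
    mac: Optional[str]                    # bound STA MAC; None for a common PSK
    guest: bool                           # the Home/Guest bit of the binding
    expires: Optional[datetime] = None    # removal deadline; None for home devices


def add_guest(psklist: List[Credential], psk: bytes, mac: str, now: str,
              duration_hours: Optional[float] = None, daily_at: Optional[int] = None) -> None:
    """Duration based ("after 2 hours of access") or timer based ("always at 8 p.m.")."""
    t = datetime.fromisoformat(now)
    if duration_hours is not None:
        deadline = t + timedelta(hours=duration_hours)
    elif daily_at is not None:
        deadline = t.replace(hour=daily_at, minute=0, second=0, microsecond=0)
        if deadline <= t:
            deadline += timedelta(days=1)    # already past today: next occurrence
    else:
        deadline = None                      # removed only by an event or button press
    psklist.append(Credential(psk, mac, True, deadline))


def remove_guests(psklist: List[Credential], now: Optional[str] = None,
                  event: Optional[str] = None) -> int:
    """Drop guest credentials whose deadline has passed, or all of them on an event."""
    t = datetime.fromisoformat(now) if now else None
    keep = []
    for c in psklist:
        if not c.guest:
            keep.append(c)                   # home devices are never swept
        elif event in ("button", "owner_logout"):
            continue
        elif c.expires is not None and t is not None and t >= c.expires:
            continue
        else:
            keep.append(c)
    removed = len(psklist) - len(keep)
    psklist[:] = keep                        # revoke in place: this is the AP's live list
    return removed


def dhcp_pool(psklist: List[Credential], mac: str) -> Optional[str]:
    """Higher-layer use of the link-layer status: guests get a separate address pool."""
    for c in psklist:
        if c.mac == mac:
            return "guest-pool" if c.guest else "home-pool"
    return None
```

Removing a PSK from the list only prevents the next (re-)association; a guest that is already associated keeps its negotiated pairwise key until the AP deauthenticates it, so a real implementation should send a deauthentication to each MAC the sweep removed and release its DHCP lease at the same time.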
  • the SKT item could be integrated into one of the to-be-configured devices, i.e. the AP or preferably the STA.
  • the SKT unit can alternatively be replaced by establishing a direct connection between the two to-be-configured devices (e.g. AP, STA).
  • the user will be required to touch both devices, in order to enable direct Short-range Transmission between AP and STA. In this case the number of connection steps as described hereinbefore could be reduced.
  • the generation of a PSK may be automatically triggered by the SKT step or by other user interaction.
  • an additional user interaction, e.g. a button or a switch on one of the to-be-configured devices, could be used to inform this device about what type of PSK (home or guest) is to be generated.
  • the methods provided by the invention offer a plurality of advantages as compared to state-of-the-art configuration methods. Neither a GUI nor a PC is required. There is no installation of a management wizard. This management solution is applicable to all kinds of CE devices: headless, GUI-less, portable, small form factor, since the user does not need to find, remember or type in parameters. Furthermore, there is no struggling with MAC/IP addresses, and no naming of devices is required. The name or MAC/IP address-based identification is replaced with an intuitive pointing action (with the SKT). Beside the optional capabilities of generating PSKs and differentiating between home/guest status, no changes are required to the STAs' wireless stack w.r.t. standard PSK solutions. A fast, easy and secure, intuitive and not error-prone configuration and management method for the user is provided.
  • the multiple PSK extension to IEEE 802.11i, together with intuitive management methods, allows for a flexible and more secure configuration of devices and networks than plain WPA-PSK, without the hassles of a full IEEE 802.1X solution.
  • a RFID/NFC card/tag is one prominent example of a SKT, but the applicability of the solution proposed by the invention is not limited to RFID/NFC.
  • any other kind of SKT, i.e. a contact SKT, e.g. USB, or a contactless SKT, e.g. IR, may be employed.

Abstract

The invention relates to a method for wireless network home/guest access management, especially for 802.11 WLAN, wherein Short-range Key Transmission (SKT) items are used for configuring a plurality of home/guest wireless client stations (STA) with multiple pre-shared keys (PSKs). The invention relates furthermore to devices arranged for wireless network access management.

Description

Method and devices for wireless network access management
The invention relates to a method for wireless network access management, and in particular for IEEE 802.11 Wireless Local Area Network (WLAN) access management. The invention relates furthermore to devices arranged for wireless network access management.
Wireless networks, e.g. the IEEE 802.11-based WLANs, become more and more ubiquitous. As easy and secure configuration methods such as SKT (Short-range Key Transmission) described in e.g. WO 2004/014040 A1 (Applicant's reference PHDE020188), WO 2004/014039 A1 (Applicant's reference PHDE020273) and WO 2004/014038 A1 (Applicant's reference PHDE030047) will allow for fast, smooth and reliable wireless setup, users will get accustomed to the freedom of location and movement given by wireless technologies, and will add more and more devices to their wireless network, while possibly wanting to give their home devices different credentials, e.g. for security reasons. Thus, the complexity of the system will grow.
As already described in WO 2004/014040 A1, after being able to "lock" the wireless network from unwanted access by unknown devices/people, by applying (advanced) wireless security standards for authentication and encryption, the users will also want to open their protected wireless network in a controlled way to wireless devices of their friends, to share resources, devices and contents. Once understanding the benefits of "connected guests", they may want to accommodate multiple guests at the same time, e.g. several visiting family members or a couple of friends visiting for a "LAN-Party". The complexity of the system, and with it the complexity of its management, grows.
The current enterprise-oriented state-of-the-art solution for configuring wireless devices with individual credentials uses IEEE 802.1X authentication, based on an authentication server such as a RADIUS server, an Extensible Authentication Protocol (EAP) and a Public Key Infrastructure (PKI). The need for 802.1X, EAP and PKI support increases device cost and required capabilities, as well as the implementation effort for device manufacturers. For an end-user, it also increases the configuration and maintenance effort in respect of the infrastructure, e.g. for an Access Point (AP) and RADIUS server, and the to-be-authenticated devices. The resulting network management complexity requires a rich User Interface (UI), where all items to be managed and all management options/actions are listed.
The current state-of-the-art solution for configuring personal (home) wireless networks is based on a single Pre-shared Key (PSK), shared by all devices in the network. As a result, any user of the network can impersonate any other user, join at any time, or snoop and successfully decode any traffic of any one of the other users. This does not allow for sufficient cryptographic separation of devices on the same network. Applications like guest access are thereby complicated as they presently require reconfiguration of the entire network before and after a guest visit, or are even completely prevented.
The current home-oriented state-of-the-art solution for configuring wireless devices with different credentials is based on PSKs with some modifications of the Access Point (AP) internal implementation to allow multiple concurrent PSKs. The PSKs can be either bound to a specific client station, and identified by its MAC address, or used by any client. Such PSKs are later referred to as "unassigned" or "common" PSKs. An example is the open-source HostAP software (http://hostap.epitest.fi). Usage requires considerable Information Technology (IT) skills, as the current implementations are limited to PC software and are not yet available as standalone Access Point devices.
Summarizing, state-of-the-art manual configuration and access control management of per-device WLAN credentials, whether based on IEEE 802.1X authentication or on, possibly multiple, PSKs, has several drawbacks:
- It requires a rich UI, i.e. with a display and keyboard, on devices that are to be managed, and which may not be available: a typical example is the UI-less wireless Access Point (AP). Alternatively it requires a PC in the network, e.g. to manage a RADIUS server;
- It usually requires some IT skills, for example for installing additional software, e.g. by way of configuration wizards, manually reconfiguring a PC and the like;
- It mostly uses technical jargon for referring to devices, e.g. MAC (Media Access Control) and IP (Internet Protocol) addresses, objects, e.g. credentials, and functions, e.g. associate and disassociate;
- Alternatively, it requires the user to give all the relevant objects a user-friendly name;
- Typically, it is very complicated, requires reading a manual, and obeying an exact sequence of steps, etc.;
- It often requires manual insertion of long and complicated parameters, e.g. a 32 bytes PSK;
- It requires the user to take complicated policy decisions, e.g. which EAP method and pairwise cipher to be used, etc.
It is an object of the invention, inter alia, to provide an easy-to-use, secure, home-environment-suitable method for the management of individual access to a wireless network, and to an IEEE 802.11 WLAN in particular. The method is based on the multiple-PSK (Pre-Shared Key) concept, extending the Wi-Fi WPA (Wi-Fi Protected Access) and WPA2 (Wi-Fi Protected Access version 2) Personal standard. This object is achieved by the independent method claim. The dependent method claims provide advantageous embodiments.
Further objects of the invention are a wireless station (STA) and an access point (AP) arranged for the management of individual access to a wireless network.
The invention is based on a multiple-PSK concept, which requires the AP to be able to store and handle multiple Pre-Shared Keys in parallel, but is completely transparent to the STAs. The invention provides methods of addressing and managing the devices individually in an easy way. It also assures optimal performance of the AP, capable of supporting multiple PSKs, by specifying methods of binding each PSK to an individual device and thus enabling simple key search and smooth association.
The basic assumption is that the procedure for wireless network configuration uses a portable unit called Short-range Key Transmitter (SKT) item, and that the to-be-configured devices (AP and STAs) are equipped with an appropriate interface to communicate with the SKT, as defined by WO 2004/014040 A1. Furthermore, it is assumed that every home network will be equipped with two SKT items: a so-called "home SKT" (HSKT), used for configuration of home devices, and a Guest SKT (GSKT), used for configuration of guest devices. For example, the Access Point could be sold pre-packaged with HSKT and GSKT. It is further assumed that the wireless Access Point (AP) can support multiple Pre-Shared Keys (PSK) in parallel and that the AP is capable of randomly generating fresh network access credentials, as and when required, per-device or, in the case of guest devices, per-visit. Complementary to all this, the present invention provides an easy user interaction for creating and managing individual device credentials, using the same easy, secure and intuitive step of touching the devices with the SKT as proposed by WO 2004/014040 A1. Unless otherwise stated in method descriptions, all methods apply to managing both home devices (HD) and guest devices (GD), which are jointly referred to as client stations (STA).
The invention provides a method of generating a unique PSK for every individual wireless client station (STA) and of sharing the PSK between the target client station and the Access Point, optionally binding a particular PSK to the STA's MAC address in the Access Point, in order to prevent other STAs from using the same PSK and to simplify the PSK lookup on the AP for smooth association. Obviously, the PSK is not the only parameter needed for successful authentication; however, all other parameters are either equal for all STAs, e.g. the authentication method, the encryption algorithm or the network identifier (SSID), or can be derived automatically, e.g. the channel number. Thus, although other, non-security-related settings will be configured in the same SKT step, this invention focuses mainly on the configuration of multiple PSKs.
For the security properties and unambiguity of the described configuration methods, it is vital that the credentials (PSK and MAC, if used), transferred to the (network-wide used) SKT item, are removed from the SKT as soon as possible. The credentials can be overwritten in the first step of a new configuration procedure or automatically by the SKT item (if capable). Preferably, the credentials are removed in the last SKT step of the configuration procedure. The credential removal feature especially influences the methods' security.
In order to support the multiple PSK functionality, the AP must implement at least a list of PSKs (psklist). If only multiple PSKs (without a unique STA identifier) were stored in the psklist, the AP would be forced to search the entire list on every STA (re-)association. Therefore, to optimize the association process, particular embodiments extend the psklist with PSK-MAC bindings. As a further improvement, the AP could start the PSK lookup from the most recently added PSK or PSK-MAC binding, instead of from the beginning of the psklist.
The above and other aspects of the invention will be apparent from and elucidated with reference to the embodiments described hereinafter. In the drawings:
Fig. 1 shows a block diagram illustrating the architecture of a wireless communication system whereto embodiments of the present invention are to be applied;
Fig. 2 shows a block diagram of two short-range key transmission items, an access point and a wireless station in accordance with an embodiment of the present invention; and
Fig. 3 shows a flow chart illustrating the operation steps of wireless network access management according to an embodiment of the present invention.
In the following part, for indicating any kind of SKT data exchange, the terms "SKT step", "touch (SKT)" or "connect (SKT)" are interchangeably used.
Fig. 1 illustrates a representative wireless network 100 whereto embodiments of the present invention are to be applied. As shown in Fig. 1, an access point (AP) 101 is coupled to a plurality of wireless stations (STAs) 102, 103 and 104, which, through a wireless link, are communicating with each other and to the AP via a plurality of wireless channels. Also shown in Fig. 1 is a further wireless station (STA) 110 for which it is required that it be granted access to the wireless network 100 too, thereby becoming part of the wireless network 100. The wireless station 110 could for example be a device newly bought by the owner of the wireless network 100, or it could be a "guest" device, temporarily brought in by a friend of the owner. Furthermore shown in Fig. 1 is a short-range key transmission item (SKT) 120 for configuring the access point 101 and the wireless station 110 in accordance with the invention.
The setup for wireless network access management in a home network, here consisting of wireless and wired apparatuses (not shown) will be described with reference to Fig. 2, which shows a first portable, short-range key transmission item (SKT) 1, a second portable, short-range key transmission item (SKT) 2, an access point (AP) 3 and a wireless station (STA) 4. The STA 4 is new in the home network.
The SKT 1 comprises a memory 5 for storing access data 6, such as a pre-shared key (PSK) or a Media Access Control (MAC) address of a wireless device, an optional button 7 for triggering a transmission or reception of access data 6, and a transmitter/receiver (transceiver) 8 used as a wireless interface for transmitting/receiving (transceiving) access data 6. The SKT 1 has a short range of at most about 50 cm. The SKT 2 comprises, like the SKT 1, a memory 9 for storing access data 10, such as a pre-shared key (PSK) or a Media Access Control (MAC) address of a wireless device, an optional button 11 for triggering a transmission or reception of access data 10, and a transceiver 12 used as a wireless interface for transceiving access data 10. The SKT 2 also has a short range of at most about 50 cm.
Although described here as essentially identical, the SKTs 1 and 2 may be different in that for example the SKT 1 is preconfigured with access data 6 pertaining to the STA 4. Then the SKT 1 would not require the receiver function 8 for receiving access data. In particular, this may be the case if the SKT 1 would be an SKT that was manufactured and sold together with the STA 4.
The AP 3 is an apparatus equipped with a radio interface 12 operating in accordance with the IEEE 802.11 standard. This radio interface 12 is controlled by a component denoted as driver software 13 and is used for transceiving useful data (music, video, general data, but also control data). The driver software 13 may be operated by other software components via standardized software interfaces (APIs). The AP 3 is also equipped with a transceiving unit 14. The transceiving unit 14 comprises a transceiver 15 provided as an interface for transceiving access data, for example the access data 6 transceived by transceiver 8. The transceiving unit 14 is provided with transceiver software 16 as both a generation and an evaluation component. As a generation component, triggered by the connection of an SKT, for example the SKT 1, the software 16 may generate a pre-shared key (PSK), for example as defined in the IEEE 802.11 standard, and transmit this PSK as part of access data 6 to the SKT 1. As an evaluation component, after receiving access data, for example the access data 6 from the SKT 1, the software 16 may extract a PSK 17 therefrom, for example as defined in the IEEE 802.11 standard, and pass on this PSK 17 via a standardized management interface to the driver software 13. The AP 3 is furthermore provided with application software 18, required for operating the AP 3.
The STA 4 is, like the AP 3, an apparatus equipped with a radio interface 18 operating in accordance with the IEEE 802.11 standard. This radio interface 18 is controlled by a component denoted as driver software 19 and is used for transceiving useful data (music, video, general data, but also control data). The driver software 19 may be operated by other software components via standardized software interfaces (APIs). The STA 4 is also equipped with a transceiving unit 20. The transceiving unit 20 comprises a transceiver 21 provided as an interface for transceiving access data, for example the access data 10 transceived by transceiver 12. The transceiving unit 20 is provided with transceiver software 22 as both a generation and an evaluation component. As a generation component, triggered by the connection of an SKT, for example the SKT 2, the software 22 may generate a pre-shared key (PSK), for example as defined in the IEEE 802.11 standard, and transmit this PSK as part of access data 10 to the SKT 2. As an evaluation component, after receiving access data 10 from the SKT 2, the software 22 may extract a PSK 23 therefrom, for example as defined in the IEEE 802.11 standard, and pass on this PSK 23 via a standardized management interface to the driver software 19. The STA 4 is furthermore provided with application software 24, required for operating the STA 4.
Although described here as essentially identical, the AP 3 and the STA 4 will be different devices, pertaining to their respective functions in the wireless network in which they are used. Additionally, and complementary to any differences that may exist for the SKTs 1 and 2, also the AP 3 and the STA 4 may differ in the functionality provided by the respective transceiver units 14 and 20. For example, the STA 4 may be equipped with a transceiver unit 20 that does not comprise a PSK generation component. It may even be the case, for example when the SKT 1 is sold preconfigured with access data 6 pertaining to the STA 4, that STA 4 does not comprise a transceiving unit 20 at all.
A user would like to install the STA 4 in the home network and radio-connect it to the AP 3 and other wireless stations in the home network in order that the user can exchange useful data between STA 4 and the other wireless stations. To this end, the user approaches the AP 3 and/or the STA 4 with an SKT, such as one of the SKTs 1 or 2, for the exchange of access data, and more in particular a PSK, according to one of the below embodiments of the invention.
In a first embodiment, an AP, such as the AP 3 in Fig. 2, is able to bind/attribute a PSK to a particular STA, such as the STA 4 in Fig. 2, thanks to a triple-touch user interaction. Fig. 3 shows a flow chart 300 illustrating the operation steps of wireless network access management according to this embodiment.
After being touched with an SKT (further referred to as "SKT step"), such as the SKT 1 in Fig. 2, the AP generates a fresh unique PSK and stores it on the SKT (step 301). Subsequently, while being touched with the SKT, the station (STA) reads the PSK (along with other necessary configuration parameters) and stores its MAC address on the SKT (step 302). Touching the AP with the SKT again provides the AP with the MAC address of the willing-to-join STA, and the AP can therefore associate the newly generated PSK with this MAC address (step 303). This allows the AP to select the proper PSK when the STA initiates the association process (steps 304 and 305). In detail, the user action can be described as follows:
1. Touch home AP with SKT (step 301):
- AP generates fresh PSK
- AP caches the fresh PSK (temporarily)
- AP stores the fresh PSK on the SKT
2. Touch new STA with SKT (step 302):
- STA reads and stores PSK
- STA stores its MAC address on SKT
3. Touch home AP with SKT (step 303):
- AP reads STA MAC address from SKT and stores it in the list of PSK-MAC bindings along with the previously saved PSK
- Optionally, AP deletes both PSK and MAC from the SKT
4. STA starts the state-of-the-art IEEE 802.11i association procedure with the AP: an Association Request frame, followed by an Open System Authentication and a 4-way handshake (step 304). Based on the STA MAC address, present in the MAC frames, the AP can identify which PSK to use for the 4-way handshake and the authentication is successful (step 305).
To increase the security level for guest access, two SKTs should be used, one for home devices (Home SKT) and one for guest devices (Guest SKT). For example, the AP could be sold pre-packaged with a HSKT and a GSKT.
In another embodiment of the invention, the steps described above can be performed in the opposite order:
1. STA is touched with an SKT, and stores its MAC on the SKT.
2. AP is touched with the SKT; AP reads out the MAC, generates a fresh PSK, stores the PSK-MAC binding locally and stores the PSK on the SKT.
3. STA is touched again with the SKT; checks the MAC, reads the PSK and optionally cleans the SKT.
4. STA immediately starts an association. Based on the STA MAC address the AP can identify which PSK to use for the authentication.
This embodiment offers the advantage that the AP can immediately store the PSK-MAC binding. Furthermore, the STA can start a successful association as soon as it is touched for the second time. The previously described embodiment required the STA to wait for step 3 to be performed on the AP before trying to associate. In a further embodiment, the STA is assumed to have the capabilities to generate its PSK itself. In this case, the procedure is simplified to touching the to-be-configured devices once each, i.e. double-touch user interaction, in the following manner:
1. STA is touched with an SKT, and writes its MAC and freshly generated PSK on the SKT.
2. AP is touched with the SKT, reads out the MAC and PSK, stores the PSK-MAC binding and cleans the SKT.
3. STA starts an association. Based on the STA MAC address the AP can identify which PSK to use for the authentication.
The applicability of this method may be limited to trusted home devices only.
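The three touch sequences described above (the triple-touch with the AP generating the PSK, the reversed order, and the double-touch with a self-generating STA), as an added Python model that is not part of the patent text. The SKT, AccessPoint and Station classes, the 256-bit random PSK, the locally administered MAC strings and the `associate` stand-in for the 4-way handshake are assumptions made for this example; a real STA would run the IEEE 802.11i handshake instead of comparing keys. What the model makes visible is why the MAC binding matters: a station that holds a valid PSK but presents another MAC is not admitted, and the SKT carries no credentials once the binding is stored.

```python
"""Added model of SKT-based provisioning of per-station PSKs (not the patent's code)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SKT:
    """Portable short-range key transmission item: a small rewritable memory."""
    psk: Optional[bytes] = None
    mac: Optional[str] = None

    def wipe(self) -> None:
        # Credentials must not linger on the network-wide SKT once the AP holds the binding.
        self.psk = None
        self.mac = None


@dataclass
class AccessPoint:
    """Multi-PSK AP: a psklist of PSK-MAC bindings plus the PSK cached between touches."""
    bindings: Dict[str, bytes] = field(default_factory=dict)  # MAC -> PSK
    pending_psk: Optional[bytes] = None                        # generated in step 1, awaiting a MAC

    @staticmethod
    def fresh_psk() -> bytes:
        return secrets.token_bytes(32)  # 256-bit PSK, the WPA/WPA2-Personal key length

    def lookup(self, mac: str) -> Optional[bytes]:
        """Select the PSK for the 4-way handshake from the MAC seen in the association frames."""
        return self.bindings.get(mac)


@dataclass
class Station:
    mac: str
    psk: Optional[bytes] = None


def triple_touch(ap: AccessPoint, sta: Station, skt: SKT) -> None:
    """AP -> STA -> AP (steps 301-303): the AP generates the PSK, the STA contributes its MAC."""
    ap.pending_psk = ap.fresh_psk()          # step 301: AP caches and writes the fresh PSK
    skt.psk = ap.pending_psk
    sta.psk = skt.psk                        # step 302: STA reads the PSK, leaves its MAC
    skt.mac = sta.mac
    ap.bindings[skt.mac] = ap.pending_psk    # step 303: AP stores the PSK-MAC binding
    ap.pending_psk = None
    skt.wipe()                               # optional in the text; done here


def reverse_triple_touch(ap: AccessPoint, sta: Station, skt: SKT) -> None:
    """STA -> AP -> STA: the binding exists on the AP before the STA learns the PSK."""
    skt.mac = sta.mac                        # 1. STA leaves its MAC
    psk = ap.fresh_psk()                     # 2. AP reads the MAC, binds and writes a fresh PSK
    ap.bindings[skt.mac] = psk
    skt.psk = psk
    if skt.mac != sta.mac:                   # 3. STA checks the MAC is its own before accepting
        raise ValueError("SKT carries credentials for another station")
    sta.psk = skt.psk
    skt.wipe()


def double_touch(ap: AccessPoint, sta: Station, skt: SKT) -> None:
    """STA -> AP: the STA generates its own PSK (trusted home devices only, per the text)."""
    sta.psk = secrets.token_bytes(32)        # 1. STA writes its MAC and self-generated PSK
    skt.psk, skt.mac = sta.psk, sta.mac
    ap.bindings[skt.mac] = skt.psk           # 2. AP reads both, binds, cleans the SKT
    skt.wipe()


def associate(ap: AccessPoint, sta: Station) -> bool:
    """Stand-in for the 4-way handshake: succeeds only if the PSK bound to this MAC matches."""
    psk = ap.lookup(sta.mac)
    return psk is not None and sta.psk is not None and hmac.compare_digest(psk, sta.psk)
```

A single SKT instance is reused for all three stations in sequence, which is the situation the text's credential-removal requirement addresses: each flow ends with `wipe()` so that the next touch cannot replay a previous station's PSK or MAC.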
In yet another embodiment of the invention, the binding/attribution of an individual PSK to a particular STA could be executed automatically by an AP on the STA's first association.
On the AP, touching with the SKT triggers the generation of a fresh PSK, which is initially treated as a "common PSK", i.e. one not yet bound to a MAC address. If thereafter a STA successfully associates, using this PSK, within a pre-defined timeout period, the PSK becomes assigned to this STA, i.e. bound to its MAC address, and no other STA with a different MAC address can associate using the same PSK. If no STA associates, using the common PSK, before a timeout, set to some reasonable value, e.g. 2 minutes, the AP removes the common PSK. In detail, the user action can be described as follows:
1. Touch home AP with SKT:
- AP generates fresh PSK
- AP stores the fresh PSK as a common PSK, i.e. a usable PSK not yet bound to a MAC
- AP stores the fresh PSK on the SKT
2. Touch new STA with SKT:
- STA reads and stores PSK
3. STA starts the association procedure with the AP.
- Since the AP does not yet have a PSK associated with the STA MAC present in the MAC frames, it will use the common PSK, if still valid, for a 4-way handshake.
- If the authentication is successful, the AP associates the STA MAC with the common PSK, creating a PSK-MAC binding.
- If the authentication is not successful, another valid common PSK is tried if available; otherwise the association fails.
To increase the security level for guest access, two SKTs should be used, one for home devices (Home SKT) and one for guest devices (Guest SKT). For example, the AP could be sold pre-packaged with a HSKT and a GSKT.
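The common-PSK embodiment above, as an added Python model (not the patent's code): the AP keeps unbound PSKs together with their issue time, drops them once the timeout has passed, tries the still-valid ones on a first association (most recently issued first) and binds the matching one to the first MAC that authenticates with it. The class and field names, the 120 s timeout constant, the `handshake_ok` stand-in for the 4-way handshake and the caller-supplied clock values are assumptions made for this example.

```python
"""Added model of the time-limited common PSK that is bound on first association (not the patent's code)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

COMMON_PSK_TIMEOUT = 120.0  # seconds; the text suggests a value such as 2 minutes


@dataclass
class CommonPsk:
    psk: bytes
    issued_at: float  # seconds, on the caller's clock


@dataclass
class CommonPskAP:
    bindings: Dict[str, bytes] = field(default_factory=dict)  # MAC -> PSK (PSK-MAC bindings)
    common: List[CommonPsk] = field(default_factory=list)     # unbound PSKs, oldest first

    def issue_common_psk(self, now: float) -> bytes:
        """SKT touch on the AP: a fresh PSK that is usable but not yet bound to any MAC."""
        psk = secrets.token_bytes(32)
        self.common.append(CommonPsk(psk, now))
        return psk

    def expire_common(self, now: float) -> None:
        """Drop common PSKs that nobody used within the timeout."""
        self.common = [c for c in self.common if now - c.issued_at < COMMON_PSK_TIMEOUT]

    @staticmethod
    def handshake_ok(ap_psk: bytes, sta_psk: bytes) -> bool:
        # Stand-in for the 4-way handshake. A real AP never sees the STA's key; it only
        # learns whether the STA's MIC verifies under the candidate PSK.
        return hmac.compare_digest(ap_psk, sta_psk)

    def associate(self, mac: str, sta_psk: bytes, now: float) -> bool:
        self.expire_common(now)
        bound = self.bindings.get(mac)
        if bound is not None:
            # A PSK is already bound to this MAC: it is the only one tried.
            return self.handshake_ok(bound, sta_psk)
        # No binding yet: try the still-valid common PSKs, most recently issued first.
        for candidate in reversed(self.common):
            if self.handshake_ok(candidate.psk, sta_psk):
                self.bindings[mac] = candidate.psk   # bind on the first successful association
                self.common.remove(candidate)        # no other MAC may use it from now on
                return True
        return False
```

Binding consumes the common PSK, so a second device that somehow obtained the same key is refused even inside the timeout window; only the timeout itself limits how long an unused key stays usable by anyone.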
In a further embodiment of the invention, the user interaction for configuring individual PSKs can be further simplified to a single SKT touch only. The devices are sold with individual SKT items, which are pre-configured with the read-only MAC address of the STA and the rewritable individual PSK of the STA. Then, to configure the STA, only touching the AP with the SKT would be necessary. In detail, the user action can be described as follows:
1. Touch home AP with STA's SKT:
- AP stores PSK-MAC binding in the PSK list
2. STA starts the association procedure with the AP. Based on the STA MAC address, present in the MAC frames, the AP can find which PSK to use for the 4-way handshake, and the authentication is successful.
This embodiment offers a simplified user interaction; in order to add the STA to the network, only touching the home AP with the STA's SKT is needed.
To increase the security level for guest access, the devices should be sold with two SKTs, i.e. a HSKT and a GSKT, both pre-configured with an STA MAC address. While the HSKT may contain a pre-configured individual STA PSK, the STA's guest PSK will be generated and stored on the STA's GSKT per visit by either the STA or the AP. In this case, the user interaction is modified as follows:
1. Touch home AP with new (guest) STA SKT:
- AP reads out the STA MAC
- AP generates fresh PSK
- AP stores the PSK-MAC binding in the PSKs list
- AP stores the fresh PSK on the SKT
2. Touch new STA with its SKT:
- STA reads and stores PSK
- Optionally, STA removes PSK from SKT
3. STA immediately starts the association procedure with the AP. Based on the STA MAC address, present in the MAC frames, the AP can find which PSK to use for the 4-way handshake, and the authentication is successful.
In a further embodiment of the invention, PMKID (Pairwise Master Key Identifier) is used for authentication of the devices. PMKID is an 802.11i construct, which allows already successfully 802.1X authenticated stations to avoid repeated authentication. Therefore, after disassociation, both the AP and the STA can cache the 802.1X authentication outcome, i.e. the PMK (Pairwise Master Key), and a (re-)associating STA can place the PMKID (being the PMK hashed with the SSID and the AP's MAC address) in the Association Request, so that the AP can resume the previous session and find the appropriate PMK.
If there are multiple common PSKs, PMKID can be applied to PSKs, in order to simplify the initial multiple PSK lookup on the AP, as the PMKID can be used as an index to search the psklist. In this embodiment, the user interaction can be described as follows:
1. Touch home AP with its SKT:
- AP generates fresh PSK
- AP stores the PSK in the PSKs list
- AP stores the fresh PSK on the SKT, optionally along with the AP's MAC
2. Touch new STA with SKT:
- STA reads and stores PSK
- Optionally, STA removes PSK from SKT
3. STA immediately starts the association procedure with the AP:
- STA calculates PMKID from PSK, SSID and AP's MAC
- In Association Request, STA attaches the PMKID
- For all stored PSKs (and PMKs), AP calculates the associated PMKID and compares it with the PMKID sent by the STA
- If a matching PSK is found on the AP, the AP places the same PMKID in message 1 of 4 of the 4-way handshake
- If STA authentication is successful, a PSK-MAC binding is created to be used for lookup on later (re-)association.
In a further extension, the AP starts the PSK lookup from the recently added PSK, instead of starting from the beginning of the PSK list.
Furthermore, the procedure for configuring the shared PSK on the AP and the STA, which precedes the actual association, could be modified as described in any other points, i.e. the PSK could be already stored on the SKT or generated by one of the peers (AP or STA); the sequence of the steps can be changed accordingly.
This method is more secure than the standard 802.11i PMKID lookup, since it does not require the sending of a PMKID on every association, which might enable brute force attacks on the long-lived PSK. The multiple PSK methods provided by the invention allow the user to configure every single device, i.e. home or guest, with an individual PSK. Said methods can also be creatively combined with a basic SKT configuration method, as defined in WO 2004/014040 A1, WO 2004/014039 A1 and WO 2004/014038 A1, allowing some of the home devices, or e.g. a group of guest devices, to share a common PSK, which simplifies user interaction if network reconfiguration is necessary, while guest devices, as well as some home devices, e.g. those prone to being lost, e.g. portables, or those subject to special security considerations, are configured with individual PSKs. Individual credentials allow for individual management of every station and, e.g. for easier key revocation, for example in case a device is stolen, since reconfiguration of an entire network, as in the case of a shared PSK, is no longer necessary.
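The PMKID-indexed lookup from the embodiment above, as an added Python example (not the patent's code). It derives a PSK from a passphrase the way WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds, 256 bits), computes the PMKID and lets an AP find the matching unbound PSK by recomputing the PMKID for every stored PSK, most recently added first, as the text's further extension suggests. One caveat a practitioner should know: the patent text describes the PMKID as the PMK hashed with the SSID and the AP's MAC address, whereas the IEEE 802.11i definition used here is HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), i.e. over the AP and station MAC addresses, with the SSID entering only through the PSK derivation. The class name, the MAC strings, the passphrases and the decision to let a PMKID match stand in for the successful 4-way handshake are assumptions made for this example.

```python
"""Added example of PMKID-indexed PSK lookup on a multi-PSK AP (not the patent's code)."""
import hashlib
import hmac
from typing import Dict, List, Optional


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PSK (IEEE 802.11i Annex H.4): PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    With a pre-shared key the PMK is the PSK itself."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """IEEE 802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), AA = AP MAC, SPA = STA MAC."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class PmkidIndexedAP:
    """Multi-PSK AP that locates the right unbound PSK from the PMKID in the Association Request."""

    def __init__(self, mac: str) -> None:
        self.mac = mac
        self.psklist: List[bytes] = []          # unbound PSKs, oldest first
        self.bindings: Dict[str, bytes] = {}    # MAC -> PSK, used for later (re-)association

    def add_psk(self, psk: bytes) -> None:
        """SKT touch on the AP: store a fresh PSK that is not yet bound to a station."""
        self.psklist.append(psk)

    def find_by_pmkid(self, sta_mac: str, claimed: bytes) -> Optional[bytes]:
        # Recompute the PMKID each stored PSK would give for this STA, newest PSK first,
        # so a just-provisioned device is found without walking the whole list.
        for psk in reversed(self.psklist):
            if hmac.compare_digest(pmkid(psk, self.mac, sta_mac), claimed):
                return psk
        return None

    def on_association_request(self, sta_mac: str, claimed: Optional[bytes]) -> Optional[bytes]:
        """Return the PMKID the AP places in message 1 of the 4-way handshake, or None if no PSK fits.
        The handshake itself is abstracted away: a PMKID match stands in for a successful one."""
        bound = self.bindings.get(sta_mac)
        if bound is not None:
            return pmkid(bound, self.mac, sta_mac)  # re-association: MAC binding, no PMKID needed
        if claimed is None:
            return None                              # first association must carry a PMKID
        psk = self.find_by_pmkid(sta_mac, claimed)
        if psk is None:
            return None
        self.bindings[sta_mac] = psk                 # bind after the first successful authentication
        self.psklist.remove(psk)
        return pmkid(psk, self.mac, sta_mac)
```

Because the PMKID is keyed with the PSK and a station only has to present it once, before the MAC binding exists, an observer of later associations sees no PMKID at all; this is the property the paragraph above contrasts with the standard behaviour, where a PMKID accompanies every (re-)association.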
All of the above-described multiple PSK configuration and management methods are equally applicable for the configuration of home as well as guest devices into a wireless network. For both home and guest STAs, as well as for the AP, the possibility to differentiate between home and guest status can be useful. For example, MAC-related parameters, e.g. session keys lifetimes etc., could be different for home and guest devices. Moreover, whereas home devices are assumed to have long-term, if not constant, access to a home network, a guest visit is definitely time-limited, thus differentiation between home and guest (device) status allows for applying some automated guest removal procedures, e.g. duration based, like for example after 2 hours of access, timer based, like for example always at 8 p.m., event based, like for example when a certain user logs out/in, or user action based, like for example on a button press.
Furthermore, this link-layer differentiation may allow for the implementation of access control mechanisms on higher layers, e.g. providing guest devices with DHCP leases for IP addresses from a pool different than the one for home devices or limiting guest access to certain resources. This differentiation may also be of benefit to the STAs, e.g. to tell the STA whether to switch the personal firewall off or not.
The devices can differentiate between home and guest status, based on the following parameters:
- The type of SKT item used for configuration, being either a home SKT or a guest SKT;
- The type of SKT/PSK, set dynamically by configured devices, e.g. depending on user interaction (e.g. if STA is touched first, SKT carries guest configuration) or on which of the peers generates the credentials (e.g. STAs are allowed only to generate home configuration credentials, whereas APs should generate guest credentials);
- SKT identifier, being a unique SKT number, which allows the devices to differentiate between their own SKT (if paired with the device) or an already known SKT (e.g. one already used for home configuration) and an unknown SKT;
- SKT capabilities, e.g. a guest SKT should typically be (from a security point of view) rewritable, whereas a home SKT should be read only (if per-STA).
On the AP, home/guest status of certain credentials (PSK) can be represented e.g. by Home/Guest bits, stored for each PSK (or PSK-MAC binding). Alternatively, AP can implement separate psklists, for home and guest PSKs and STAs.
Though the exemplary embodiments focused mainly on standalone portable SKT units, as specified by WO 2004/014040 A1, the SKT item could be integrated into one of the to-be-configured devices, i.e. the AP or preferably the STA. Dependent on the technology used, the SKT unit can alternatively be replaced by establishing a direct connection between the two to-be-configured devices (e.g. AP, STA). In both cases, the user will be required to touch both devices, in order to enable direct Short-range Transmission between AP and STA. In this case the number of connection steps as described hereinbefore could be reduced.
The generation of a PSK may be automatically triggered by the SKT step or by other user interaction.
In the case of direct Short-range Transmission or if only one SKT per network (AP) is used, an additional user interaction (e.g. a button or a switch) on one of the to-be-configured devices could be used to inform this device about what type of PSK (home or guest) is to be generated. In general, the methods provided by the invention offer a plurality of advantages as compared to state-of-the-art configuration methods. Neither a GUI nor a PC is required. There is no installation of a management wizard. This management solution is applicable to all kinds of CE devices: headless, GUI-less, portable, small form factor, since the user does not need to find, remember or type in parameters. Furthermore, there is no struggling with MAC/IP addresses, and no naming of devices is required. The name- or MAC/IP-address-based identification is replaced with an intuitive pointing action (with the SKT). Besides the optional capabilities of generating PSKs and differentiating between home/guest status, no changes are required to the STAs' wireless stack with respect to standard PSK solutions. A fast, easy and secure, intuitive and not error-prone configuration and management method for the user is provided.
The multiple PSK extension to IEEE 802.11i, together with intuitive management methods, allows for a flexible and more secure configuration of devices and networks than plain WPA-PSK, without the hassles of a full IEEE 802.1X solution.
It has been found that a RFID/NFC card/tag is one prominent example of a SKT, but the applicability of the solution proposed by the invention is not limited to RFID/NFC. Also other types of SKT, i.e. a contact SKT, e.g. USB, or a contactless SKT, e.g. IR, may be employed.

Claims

CLAIMS:
1. A method for wireless network access management, for use in a wireless network comprising an access point, hereinafter AP, and a plurality of wireless stations, hereinafter STAs, with each of the STAs having a unique MAC address, wherein a short-range key transmission item, hereinafter SKT, is applied for configuring a wireless network connection between the AP and a wireless station, hereinafter STA, by exchanging a pre-shared key, hereinafter PSK, associated with the MAC address of the STA between the access point AP and the wireless station STA.
2. A method for wireless network access management according to claim 1, comprising the steps of:
- connecting the SKT to the AP, with the AP thereupon: generating the PSK, storing the PSK on the SKT, and storing the PSK internally;
- subsequently connecting the SKT to the STA, with the STA thereupon: reading the PSK from the SKT, storing the PSK internally, and storing its MAC address on the SKT;
- subsequently connecting the SKT to the AP again, with the AP thereupon: reading the MAC address of the STA from the SKT, entering the MAC address of the STA together with the previously stored PSK in a MAC-PSK binding administration maintained for the plurality of STAs;
- the STA thereafter starting an association procedure with the AP, using the previously stored PSK; and
- the AP using the MAC address obtained during the association procedure for retrieving the PSK from the MAC-PSK binding administration.
3. A method for wireless network access management according to claim 1, comprising the steps of: connecting the SKT to the STA, with the STA thereupon: storing its MAC address on the SKT; subsequently connecting the SKT to the AP, with the AP thereupon: reading the MAC address of the STA from the SKT, - generating the PSK, storing the PSK on the SKT, and entering the MAC address of the STA together with the PSK in a MAC-PSK binding administration maintained for the plurality of STAs; subsequently connecting the SKT to the STA again, with the STA thereupon: - reading the PSK from the SKT, and storing the PSK internally; the STA thereafter starting an association procedure with the AP, using the previously stored PSK; and the AP using the MAC address obtained during the association procedure for retrieving the PSK from the MAC-PSK binding administration.
4. A method for wireless network access management according to claim 1, comprising the steps of: connecting the SKT to the STA, with the STA thereupon: - generating the PSK, storing the PSK on the SKT, storing its MAC-address on the SKT, and storing the PSK internally; subsequently connecting the SKT to the AP, with the AP thereupon: - reading the PSK from the SKT, reading the MAC address of the STA from the SKT, entering the MAC address of the STA together with the PSK in a MAC-PSK binding administration maintained for the plurality of STAs; the STA thereafter starting an association procedure with the AP, using the previously stored PSK; and the AP using the MAC address obtained during the association procedure for retrieving the PSK from the MAC-PSK binding administration.
5. A method for wireless network access management according to claim 1, comprising the steps of: connecting the SKT to the AP, with the AP thereupon: generating the PSK, - storing the PSK on the SKT, and storing the PSK, which is not yet bound to any STA, for a limited time period internally; subsequently connecting the SKT to the STA, with the STA thereupon: reading the PSK from the SKT, and - storing the PSK internally; the STA thereafter starting an association procedure with the AP, using the previously stored PSK; the AP, as part of the association procedure: using the MAC address obtained during the association procedure for searching a MAC-PSK binding administration maintained for the plurality of STAs for a match; if the MAC address is not found, checking whether the previously stored PSK, which was not bound to any PSK, is still available; if the PSK is still available, performing an authentication with the STA based on the PSK, and if successful, entering the MAC address of the STA together with the PSK in the MAC-PSK binding administration.
6. A method for wireless network access management according to claim 1, comprising the steps of: providing the SKT preconfigured with the MAC address of the STA; connecting the SKT to the AP, with the AP thereupon: generating the PSK, storing the PSK on the SKT, - reading the MAC address of the STA from the SKT, entering the MAC address of the STA together with the PSK in a MAC-PSK binding administration maintained for the plurality of STAs; subsequently connecting the SKT to the STA, with the STA thereupon: reading the PSK from the SKT, and storing the PSK internally; the STA thereafter starting an association procedure with the AP, using the previously stored PSK; and the AP using the MAC address obtained during the association procedure for retrieving the PSK in the MAC-PSK binding administration.
7. A method for wireless network access management according to claim 1, comprising the steps of: providing the SKT is preconfigured with both the MAC address of the STA and the PSK; connecting the SKT to the AP, with the AP thereupon: reading the PSK from the SKT, reading the MAC address of the STA from the SKT, entering the MAC address of the STA together with the PSK in a MAC-PSK binding administration maintained for the plurality of STAs; the STA thereafter starting an association procedure with the AP, using the previously stored PSK; and the AP using the MAC address obtained during the association procedure for retrieving the PSK in the MAC-PSK binding administration.
8. A method for wireless network access management according to any one of the claims 1-6, wherein the PSK is automatically removed from the SKT substantially immediately upon the PSK being read from the SKT.
9. An access point arranged for wireless network access management according to any one of the claims 1 to 7.
10. A wireless station arranged for wireless network access management according to any one of the claims 1 to 6.
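The claims above describe a provisioning protocol rather than an implementation. The following is an added toy model, written for this page and not code from the patent or its inventors, that walks through the AP-first flow of claim 2, the unbound-PSK flow of claim 5 with its limited validity period, and the wipe-on-read behaviour of claim 8. Everything in it is an assumption made for illustration: the SKT is a small in-memory token, the IEEE 802.11i 4-way handshake is replaced by a single HMAC-SHA256 proof over an AP nonce, the AP keeps one pending (unbound) PSK with a time-to-live in both flows, the clock is injected so expiry can be exercised offline, and the MAC addresses are constructed sample values.

```python
"""Toy model of SKT-based PSK provisioning with a per-STA MAC-PSK binding.

Added illustration, not the patent's own code. Assumptions: the SKT is a
dict-like token; the 4-way handshake is stood in for by one HMAC-SHA256
proof over an AP nonce; the AP holds a single pending PSK with a TTL;
the clock is injected so the claim-5 time limit can be tested offline.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

PSK_LEN = 32  # bytes of PSK material generated per pointing action (assumption)


class Clock:
    """Injectable clock; advance .t to simulate elapsed seconds."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class SKT:
    """Short-range key transmission item, e.g. an NFC tag (constructed model)."""
    def __init__(self, mac: Optional[str] = None, psk: Optional[bytes] = None):
        self.mac = mac
        self.psk = psk

    def read_psk(self) -> bytes:
        """Hand out the PSK and erase it from the token (claim 8)."""
        if self.psk is None:
            raise ValueError("SKT carries no PSK")
        psk, self.psk = self.psk, None
        return psk


class STA:
    def __init__(self, mac: str) -> None:
        self.mac = mac
        self.psk: Optional[bytes] = None

    def touch(self, skt: SKT) -> None:
        """STA side of the pointing action: take a PSK if present, leave the MAC."""
        if skt.psk is not None:
            self.psk = skt.read_psk()
        skt.mac = self.mac

    def prove(self, nonce: bytes) -> bytes:
        """Stand-in for the handshake: prove possession of the PSK."""
        assert self.psk is not None, "STA has not been provisioned"
        return hmac.new(self.psk, nonce, hashlib.sha256).digest()


class AP:
    def __init__(self, clock: Clock, unbound_ttl: float = 120.0) -> None:
        self.clock = clock
        self.unbound_ttl = unbound_ttl
        self.bindings: Dict[str, bytes] = {}   # the MAC-PSK binding administration
        self.pending: Optional[bytes] = None    # PSK issued but not yet bound to a MAC
        self.pending_expiry = 0.0

    def touch(self, skt: SKT) -> None:
        """AP side of the pointing action (first touch of claims 2/5, return touch of claim 2)."""
        if skt.psk is None and skt.mac is None:
            psk = secrets.token_bytes(PSK_LEN)      # generate, store on SKT, keep unbound
            skt.psk = psk
            self.pending = psk
            self.pending_expiry = self.clock() + self.unbound_ttl
        elif skt.mac is not None and self.pending is not None:
            self.bindings[skt.mac] = self.pending   # token returned with the STA's MAC: bind
            self.pending = None
        else:
            raise ValueError("SKT state not recognised")

    def associate(self, mac: str, prover: Callable[[bytes], bytes]) -> Tuple[bool, str]:
        """Look the PSK up by MAC; else fall back to a still-valid unbound PSK (claim 5)."""
        nonce = secrets.token_bytes(16)
        psk = self.bindings.get(mac)
        if psk is not None:
            expected = hmac.new(psk, nonce, hashlib.sha256).digest()
            return hmac.compare_digest(prover(nonce), expected), "bound"
        if self.pending is not None and self.clock() < self.pending_expiry:
            expected = hmac.new(self.pending, nonce, hashlib.sha256).digest()
            if hmac.compare_digest(prover(nonce), expected):
                self.bindings[mac] = self.pending   # authenticated: bind MAC to this PSK
                self.pending = None
                return True, "bound-on-association"
            return False, "bad-proof"
        return False, "unknown-mac"                 # no binding, no valid pending PSK


def provision_via_ap_first(clock: Clock) -> dict:
    """Claim 2: AP -> STA -> AP, then association; plus an un-provisioned STA being refused."""
    ap, sta, skt = AP(clock), STA("00:11:22:33:44:55"), SKT()   # sample MAC (constructed)
    ap.touch(skt)                     # AP writes a fresh PSK onto the token
    sta.touch(skt)                    # STA takes the PSK, leaves its MAC; token is wiped
    psk_wiped = skt.psk is None
    ap.touch(skt)                     # AP reads the MAC and binds it to the PSK
    ok, how = ap.associate(sta.mac, sta.prove)
    rogue = STA("de:ad:be:ef:00:01")  # never pointed at; holds some other key (constructed)
    rogue.psk = secrets.token_bytes(PSK_LEN)
    rogue_ok, rogue_how = ap.associate(rogue.mac, rogue.prove)
    return {"psk_wiped": psk_wiped, "bound": sta.mac in ap.bindings, "ok": ok, "how": how,
            "rogue_ok": rogue_ok, "rogue_how": rogue_how}


def provision_unbound(clock: Clock, delay: float) -> dict:
    """Claim 5: AP -> STA only; association binds the MAC if the unbound PSK is still valid."""
    ap, sta, skt = AP(clock, unbound_ttl=60.0), STA("66:77:88:99:aa:bb"), SKT()
    ap.touch(skt)
    sta.touch(skt)
    clock.t += delay                  # time between the pointing action and association
    ok, how = ap.associate(sta.mac, sta.prove)
    return {"ok": ok, "how": how, "bound": sta.mac in ap.bindings}


if __name__ == "__main__":
    print(provision_via_ap_first(Clock()))
    print(provision_unbound(Clock(), 10.0))   # within the 60 s window: binds on association
    print(provision_unbound(Clock(), 61.0))   # window elapsed: rejected as unknown-mac
```

The point of the `unknown-mac` path is the defensive one the claims rely on: once the pending PSK has been bound (or has expired), a station whose MAC was never bound cannot associate at all, and even within the window a station has to prove possession of the PSK before its MAC is entered in the binding administration. The TTL on the pending PSK is this model's simplification of claim 5's "limited time period"; claim 2 does not require one, so a real AP would keep the PSK until the token is returned.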
PCT/IB2006/051752 2005-06-03 2006-06-01 Method and devices for wireless network access management WO2006129287A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
EP05104833.8 2005-06-03
EP05104833 2005-06-03
EP05111577 2005-12-01
EP05111577.2 2005-12-01

Publications (1)

Publication Number Publication Date
WO2006129287A1 true WO2006129287A1 (en) 2006-12-07

Family

ID=37038292

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2006/051752 WO2006129287A1 (en) 2005-06-03 2006-06-01 Method and devices for wireless network access management

Country Status (1)

Country Link
WO (1) WO2006129287A1 (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011085069A3 (en) * 2010-01-06 2011-09-09 Qualcomm Incorporated Method and apparatus for providing simultaneous support for multiple master keys at an access point in a wireless communication system
US8898474B2 (en) 2008-11-04 2014-11-25 Microsoft Corporation Support of multiple pre-shared keys in access point
US9002277B2 (en) 2010-09-07 2015-04-07 Aerohive Networks, Inc. Distributed channel selection for wireless networks
US9008089B2 (en) 2012-06-14 2015-04-14 Aerohive Networks, Inc. Multicast to unicast conversion technique
US9019938B2 (en) 2008-05-14 2015-04-28 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US9413772B2 (en) 2013-03-15 2016-08-09 Aerohive Networks, Inc. Managing rogue devices through a network backhaul
US9572135B2 (en) 2009-01-21 2017-02-14 Aerohive Networks, Inc. Airtime-based packet scheduling for wireless networks
US9674892B1 (en) * 2008-11-04 2017-06-06 Aerohive Networks, Inc. Exclusive preshared key authentication
US9900251B1 (en) 2009-07-10 2018-02-20 Aerohive Networks, Inc. Bandwidth sentinel
US10091065B1 (en) 2011-10-31 2018-10-02 Aerohive Networks, Inc. Zero configuration networking on a subnetted network
EP3474510A1 (en) * 2017-10-20 2019-04-24 Nokia Solutions and Networks Oy Granting to a device access to an access point
US10389650B2 (en) 2013-03-15 2019-08-20 Aerohive Networks, Inc. Building and maintaining a network
US10798634B2 (en) 2007-04-27 2020-10-06 Extreme Networks, Inc. Routing method and system for a wireless network
CN112311771A (en) * 2020-09-30 2021-02-02 新华三大数据技术有限公司 Method for managing user access equipment, management equipment and network equipment
US11115857B2 (en) 2009-07-10 2021-09-07 Extreme Networks, Inc. Bandwidth sentinel
EP3338473B1 (en) * 2015-09-04 2021-10-27 Huawei Technologies Co., Ltd. Method and apparatus for authentication of wireless devices

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004014038A1 (en) * 2002-07-29 2004-02-12 Philips Intellectual Property & Standards Gmbh Security system for apparatuses in a network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PHILIPPE TEUWEN: "Patch submission: multi-PSK support for hostapd", INTERNET, 16 September 2004 (2004-09-16), pages 1 - 3, XP002402360, Retrieved from the Internet <URL:http://lists.shmoo.com/pipermail/hostap/2004-September/008037.html> [retrieved on 20061006] *

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10798634B2 (en) 2007-04-27 2020-10-06 Extreme Networks, Inc. Routing method and system for a wireless network
US10064105B2 (en) 2008-05-14 2018-08-28 Aerohive Networks, Inc. Predictive roaming between subnets
US9338816B2 (en) 2008-05-14 2016-05-10 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US10181962B2 (en) 2008-05-14 2019-01-15 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US9787500B2 (en) 2008-05-14 2017-10-10 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US10700892B2 (en) 2008-05-14 2020-06-30 Extreme Networks Inc. Predictive roaming between subnets
US9590822B2 (en) 2008-05-14 2017-03-07 Aerohive Networks, Inc. Predictive roaming between subnets
US10880730B2 (en) 2008-05-14 2020-12-29 Extreme Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US9019938B2 (en) 2008-05-14 2015-04-28 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US9025566B2 (en) 2008-05-14 2015-05-05 Aerohive Networks, Inc. Predictive roaming between subnets
US9674892B1 (en) * 2008-11-04 2017-06-06 Aerohive Networks, Inc. Exclusive preshared key authentication
EP2345268A4 (en) * 2008-11-04 2016-11-30 Microsoft Technology Licensing Llc Support of multiple pre-shared keys in access point
US10945127B2 (en) 2008-11-04 2021-03-09 Extreme Networks, Inc. Exclusive preshared key authentication
US8898474B2 (en) 2008-11-04 2014-11-25 Microsoft Corporation Support of multiple pre-shared keys in access point
US20170230824A1 (en) * 2008-11-04 2017-08-10 Aerohive Networks, Inc. Exclusive preshared key authentication
US9867167B2 (en) 2009-01-21 2018-01-09 Aerohive Networks, Inc. Airtime-based packet scheduling for wireless networks
US9572135B2 (en) 2009-01-21 2017-02-14 Aerohive Networks, Inc. Airtime-based packet scheduling for wireless networks
US10219254B2 (en) 2009-01-21 2019-02-26 Aerohive Networks, Inc. Airtime-based packet scheduling for wireless networks
US10772081B2 (en) 2009-01-21 2020-09-08 Extreme Networks, Inc. Airtime-based packet scheduling for wireless networks
US10412006B2 (en) 2009-07-10 2019-09-10 Aerohive Networks, Inc. Bandwith sentinel
US9900251B1 (en) 2009-07-10 2018-02-20 Aerohive Networks, Inc. Bandwidth sentinel
US11115857B2 (en) 2009-07-10 2021-09-07 Extreme Networks, Inc. Bandwidth sentinel
CN102696204A (en) * 2010-01-06 2012-09-26 高通股份有限公司 Method and apparatus for providing simultaneous support for multiple master keys at an access point in a wireless communication system
US8955054B2 (en) 2010-01-06 2015-02-10 Qualcomm Incorporated Method and apparatus for providing simultaneous support for multiple master keys at an access point in a wireless communication system
WO2011085069A3 (en) * 2010-01-06 2011-09-09 Qualcomm Incorporated Method and apparatus for providing simultaneous support for multiple master keys at an access point in a wireless communication system
JP2013516911A (en) * 2010-01-06 2013-05-13 クゥアルコム・インコーポレイテッド Method and apparatus for simultaneous support of multiple master keys at an access point in a wireless communication system
KR101505493B1 (en) 2010-01-06 2015-03-24 퀄컴 인코포레이티드 Method and apparatus for providing simultaneous support for multiple master keys at an access point in a wireless communication system
US10390353B2 (en) 2010-09-07 2019-08-20 Aerohive Networks, Inc. Distributed channel selection for wireless networks
US9814055B2 (en) 2010-09-07 2017-11-07 Aerohive Networks, Inc. Distributed channel selection for wireless networks
US10966215B2 (en) 2010-09-07 2021-03-30 Extreme Networks, Inc. Distributed channel selection for wireless networks
US9002277B2 (en) 2010-09-07 2015-04-07 Aerohive Networks, Inc. Distributed channel selection for wireless networks
US10091065B1 (en) 2011-10-31 2018-10-02 Aerohive Networks, Inc. Zero configuration networking on a subnetted network
US10833948B2 (en) 2011-10-31 2020-11-10 Extreme Networks, Inc. Zero configuration networking on a subnetted network
US10523458B2 (en) 2012-06-14 2019-12-31 Extreme Networks, Inc. Multicast to unicast conversion technique
US10205604B2 (en) 2012-06-14 2019-02-12 Aerohive Networks, Inc. Multicast to unicast conversion technique
US9729463B2 (en) 2012-06-14 2017-08-08 Aerohive Networks, Inc. Multicast to unicast conversion technique
US9565125B2 (en) 2012-06-14 2017-02-07 Aerohive Networks, Inc. Multicast to unicast conversion technique
US9008089B2 (en) 2012-06-14 2015-04-14 Aerohive Networks, Inc. Multicast to unicast conversion technique
US10542035B2 (en) 2013-03-15 2020-01-21 Aerohive Networks, Inc. Managing rogue devices through a network backhaul
US10389650B2 (en) 2013-03-15 2019-08-20 Aerohive Networks, Inc. Building and maintaining a network
US10027703B2 (en) 2013-03-15 2018-07-17 Aerohive Networks, Inc. Managing rogue devices through a network backhaul
US9413772B2 (en) 2013-03-15 2016-08-09 Aerohive Networks, Inc. Managing rogue devices through a network backhaul
EP3338473B1 (en) * 2015-09-04 2021-10-27 Huawei Technologies Co., Ltd. Method and apparatus for authentication of wireless devices
EP3474510A1 (en) * 2017-10-20 2019-04-24 Nokia Solutions and Networks Oy Granting to a device access to an access point
CN112311771A (en) * 2020-09-30 2021-02-02 新华三大数据技术有限公司 Method for managing user access equipment, management equipment and network equipment
CN112311771B (en) * 2020-09-30 2022-05-24 新华三大数据技术有限公司 Method for managing user access equipment, management equipment and network equipment

Similar Documents

Publication Publication Date Title
WO2006129287A1 (en) Method and devices for wireless network access management
US8208455B2 (en) Method and system for transporting configuration protocol messages across a distribution system (DS) in a wireless local area network (WLAN)
US8959601B2 (en) Client configuration during timing window
US8589687B2 (en) Architecture for supporting secure communication network setup in a wireless local area network (WLAN)
EP2740315B1 (en) Method, apparatus, and computer program product for connection setup in device-to-device communication
US7948925B2 (en) Communication device and communication method
CN101375243B (en) System and method for wireless network profile provisioning
JP3869392B2 (en) User authentication method in public wireless LAN service system and recording medium storing program for causing computer to execute the method
US8917651B2 (en) Associating wi-fi stations with an access point in a multi-access point infrastructure network
CN104717225B (en) A kind of things-internet gateway access authentication method and system
US20090274065A1 (en) Method and apparatus for setting wireless local area network by using button
JP6263962B2 (en) COMMUNICATION DEVICE, COMMUNICATION METHOD, AND PROGRAM
US20060265333A1 (en) Mesh network with digital rights management interoperability
US11818575B2 (en) Systems and methods for virtual personal Wi-Fi network
CN100579042C (en) Method and apparatus for supporting multiple logical networks in wireless LAN
US20110314136A1 (en) Method and System for Improved Communication Network Setup
JP5721183B2 (en) Wireless LAN communication system, wireless LAN base unit, communication connection establishment method, and program
JP2008078957A (en) Wireless communication system, and wireless network connection method
WO2006129288A1 (en) Method and devices for individual removal of a device from a wireless network
KR20070040042A (en) Wireless lan auto setting method
US11665544B2 (en) Multicast containment in a multiple pre-shared key (PSK) wireless local area network (WLAN)
Ramachandran Multi-Protocol Device Commissioning Framework for IoT Mesh Networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06756034

Country of ref document: EP

Kind code of ref document: A1