+

WO2006129287A1 - Procede et dispositifs de gestion de l'acces a un reseau sans film - Google Patents

Procede et dispositifs de gestion de l'acces a un reseau sans film Download PDF

Info

Publication number
WO2006129287A1
WO2006129287A1 PCT/IB2006/051752 IB2006051752W WO2006129287A1 WO 2006129287 A1 WO2006129287 A1 WO 2006129287A1 IB 2006051752 W IB2006051752 W IB 2006051752W WO 2006129287 A1 WO2006129287 A1 WO 2006129287A1
Authority
WO
WIPO (PCT)
Prior art keywords
psk
skt
sta
mac address
mac
Prior art date
Application number
PCT/IB2006/051752
Other languages
English (en)
Inventor
Bozena Erdmann
Ventzislav Nikov
Philippe Teuwen
Original Assignee
Koninklijke Philips Electronics N.V.
Philips Intellectual Property & Standards Gmbh
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips Electronics N.V., Philips Intellectual Property & Standards Gmbh filed Critical Koninklijke Philips Electronics N.V.
Publication of WO2006129287A1 publication Critical patent/WO2006129287A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/50Secure pairing of devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/30Connection release
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10Small scale networks; Flat hierarchical networks
    • H04W84/12WLAN [Wireless Local Area Networks]

Definitions

  • the invention relates to a method for wireless network access management, and in particular for IEEE 802.11 Wireless Local Area Network (WLAN) access management.
  • the invention relates furthermore to devices arranged for wireless network access management.
  • Wireless networks e.g. the IEEE 802.11 -based WLANs
  • easy and secure configuration methods such as SKT (Short-range Key Transmission) described in e.g. WO 2004/014040 Al (Applicant's reference PHDE020188), WO 2004/014039 Al (Applicant's reference PHDE020273) and WO 2004/014038 Al
  • the current enterprise-oriented state-of-the-art solution for configuring wireless devices with individual credentials uses IEEE 802. IX authentication, based on an authentication server such as a RADIUS server, an Extensible Authentication Protocol (EAP) and a Public Key Infrastructure (PKI).
  • EAP Extensible Authentication Protocol
  • PKI Public Key Infrastructure
  • the need for 802. IX, EAP and PKI support increases device cost, and required capabilities, as well as the implementation effort for device manufacturers.
  • For an end-user it also increases the configuration and maintenance effort in respect of the infrastructure, e.g. for an Access Point (AP) and RADIUS server, and the to- be-authenticated devices.
  • AP Access Point
  • RADIUS server Remote Authentication Protocol
  • the resulting network management complexity requires a rich User Interface (UI), where all items to be managed and all management options/actions are listed.
  • UI User Interface
  • the current state-of-the-art solution for configuring personal (home) wireless networks is based on a single Pre-shared Key (PSK), shared by all devices in the network.
  • PSK Pre-shared Key
  • any user of the network can impersonate any other user, join at any time, or snoop and successfully decode any traffic of any one of the other users. This does not allow for sufficient cryptographic separation of devices on the same network.
  • Applications like guest access are thereby complicated as they presently require reconfiguration of the entire network before and after a guest visit, or are even completely prevented.
  • the current home-oriented state-of-the-art solution for configuring wireless devices with different credentials is based on PSKs with some modifications of the Access Point (AP) internal implementation to allow multiple concurrent PSKs.
  • the PSKs can be either bound to a specific client station, and identified by its MAC address, or used by any client. Such PSKs are later referred to as "unassigned" or "common" PSKs.
  • An example is the open-source HostAP software (http://hostap.epitest.fi). Usage requires considerable Information Technology (IT) skills, as the current implementations are limited to PC software and are not yet available as standalone Access Point devices.
  • IT Information Technology
  • UI-less wireless Access Point a typical example is the UI-less wireless Access Point (AP).
  • AP UI-less wireless Access Point
  • PC in the network, e.g. to manage a RADIUS server;
  • RADIUS server a typical example is the UI-less wireless Access Point (AP).
  • PC in the network, e.g. to manage a RADIUS server;
  • IT skills for example for installing additional software, e.g. by way of configuration wizards, manually reconfiguring a PC and the like;
  • MAC Media Access Control
  • IP Internet Protocol
  • the method is based on the multiple- PSK (Pre-Shared Key) concept, extending the Wi-Fi WPA (Wi-Fi Protected Access) and WP A2 (Wi-Fi Protected Access version 2) Personal standard. This object is achieved by the independent method claim.
  • the dependent method claims provide advantageous embodiments.
  • STA wireless station
  • AP access point
  • the invention is based on a multiple-PSK concept, which requires the AP to be able to store and handle multiple Pre-Shared Keys in parallel, but is completely transparent to the STAs.
  • the invention provides methods of addressing and managing the devices individually in an easy way. It also assures optimal performance of the AP, capable of supporting multiple PSKs, by specifying methods of binding each PSK to an individual device and thus enabling simple key search and smooth association.
  • the basic assumption is that the procedure for wireless network configuration uses a portable unit called Short-range Key Transmitter (SKT) item, and that the to-be- configured devices (AP and STAs) are equipped with an appropriate interface to communicate with the SKT, as defined by WO 2004/014040 Al . Furthermore, it is assumed that every home network will be equipped with two SKT items: a so-called “home SKT” (HSKT), used for configuration of home devices, and a Guest SKT (GSKT), used for configuration of guest devices. For example, the Access Point could be sold pre-packaged with HSKT and GSKT. It is further assumed that the wireless Access Point (AP) can support multiple SKT items: a so-called "home SKT" (HSKT), used for configuration of home devices, and a Guest SKT (GSKT), used for configuration of guest devices. For example, the Access Point could be sold pre-packaged with HSKT and GSKT. It is further assumed that the wireless Access Point (AP) can support multiple
  • Pre-Shared Keys in parallel and that the AP is capable of randomly generating fresh network access credentials, as and when required, per-device or, in the case of guest devices, per-visit.
  • the present invention provides an easy user interaction for creating and managing individual device credentials, using the same easy, secure and intuitive step of touching the devices with SKT as proposed by WO 2004/014040 Al. Unless otherwise stated in method descriptions, all methods apply to managing both home devices (HD) and guest device (GD), which are jointly referred to as client stations (STA).
  • HD home devices
  • GD guest device
  • STA client stations
  • the invention provides a method of generating a unique PSK for every individual wireless client station (STA) and of sharing the PSK between the target client station and the Access Point, optionally resulting in binding a particular PSK to the STA's MAC address in the Access Point, in order to prevent that other potential STAs use the same PSK and simplify the PSK lookup process on the AP for smooth association.
  • PSK is not the only parameter needed for successful authentication; however, all other parameters are either equal for all STAs, e.g. the authentication methods, the encryption algorithm or the network identifier, i.e. SSID, or can be derived automatically, e.g. channel number.
  • this invention focuses mainly on configuration of multiple PSKs.
  • the credentials PSK and MAC, if used
  • the credentials can be overwritten in the first step of a new configuration procedure or automatically by the SKT item (if capable).
  • the credentials are removed in the last SKT step of the configuration procedure.
  • the credential removal feature especially influences the methods' security.
  • the AP In order to support the multiple PSK functionality, the AP must implement at least a list of PSKs (psklist). If only multiple PSKs (without unique STA identifier) were stored in a psklist, this would force the AP to search the entire list on every STA (re-)association. Therefore, to optimize the association process, the psklist may be further extended by a particular embodiment. In a further improvement, the AP could start the PSK lookup from the recently added PSK or PSK-MAC binding, instead of starting from the beginning of the psklist.
  • Fig. 1 shows a block diagram illustrating the architecture of a wireless communication system whereto embodiments of the present invention are to be applied;
  • Fig. 2 shows a block diagram of two short-range key transmission items, an access point and a wireless station in accordance with an embodiment of the present invention
  • Fig. 3 shows a flow chart illustrating the operation steps of wireless network access management according to an embodiment of the present invention.
  • Fig. 1 illustrates a representative wireless network 100 whereto embodiments of the present invention are to be applied.
  • an access point (AP) 101 is coupled to a plurality of wireless stations (STAs) 102, 103 and 104, which, through a wireless link, are communicating with each other and to the AP via a plurality of wireless channels.
  • STAs wireless stations
  • a further wireless station (STA) 110 for which it is required that it be granted access to the wireless network 100 too, thereby becoming part of the wireless network 100.
  • the wireless station 110 could for example be a device newly bought by the owner of the wireless network 100, or it could be a "guest" device, temporarily brought in by a friend of the owner.
  • a short-range key transmission item (SKT) 120 for configuring the access point 101 and the wireless station 110 in accordance with the invention.
  • Fig. 2 shows a first portable, short-range key transmission item (SKT) 1, a second portable, short-range key transmission item (SKT) 2, an access point (AP) 3 and a wireless station (STA) 4.
  • the STA 4 is new in the home network.
  • the SKT 1 comprises a memory 5 for storing access data 6, such as a pre- shared key (PSK) or a Media Access Control (MAC) address of a wireless device, an optional button 7 for triggering a transmission or reception of access data 6, and a transmitter/receiver (transceiver) 8 used as a wireless interface for transmitting/receiving (transceiving) access data 6.
  • access data 6 such as a pre- shared key (PSK) or a Media Access Control (MAC) address of a wireless device
  • PSK pre- shared key
  • MAC Media Access Control
  • transmitter/receiver 8 used as a wireless interface for transmitting/receiving (transceiving) access data 6.
  • the SKT 1 has a short range of maximally about 50 cm.
  • the SKT 2 comprises, like the SKT 1, a memory 9 for storing access data 10, such as a pre-shared key (PSK) or a Media Access Control (MAC) address of a wireless device, an optional button 11 for triggering a transmission or reception of access data 10, and a transceiver 12 used as a wireless interface for transceiving access data 10.
  • access data 10 such as a pre-shared key (PSK) or a Media Access Control (MAC) address of a wireless device
  • PSK pre-shared key
  • MAC Media Access Control
  • the SKT 2 also has a short range of maximally about 50 cm.
  • the SKTs 1 and 2 may be different in that for example the SKT 1 is preconfigured with access data 6 pertaining to the STA 4. Then the SKT 1 would not require the receiver function 8 for receiving access data. In particular, this may be the case if the SKT 1 would be an SKT that was manufactured and sold together with the STA 4.
  • the AP 3 is an apparatus equipped with a radio interface 12 operating in accordance with the IEEE 802.11 standard.
  • This radio interface 12 is controlled by a component denoted as driver software 13 and is used for transceiving useful data (music, video, general data, but also control data).
  • the driver software 13 may be operated by other software components via standardized software interfaces (APIs).
  • the AP 3 is also equipped with a transceiving unit 14.
  • the transceiving unit 14 comprises a transceiver 15 provided as an interface for transceiving access data, for example the access data 6 transceived by transceiver 8.
  • the transceiving unit 14 is provided with transceiver software 16 as both a generation and an evaluation component.
  • the software 16 may generate a pre-shared key (PSK), for example as defined in the IEEE 802.11 standard, and transmit this PSK as part of access data 6 to the SKT 1.
  • PSK pre-shared key
  • the software 16 may extract a PSK 17 therefrom, for example as defined in the IEEE 802.11 standard, and pass on this PSK 17 via a standardized management interface to the driver software 13.
  • the AP 3 is furthermore provided with application software 18, required for operating the AP 3.
  • the STA 4 is, like the AP 3, an apparatus equipped with a radio interface 18 operating in accordance with the IEEE 802.11 standard.
  • This radio interface 18 is controlled by a component denoted as driver software 19 and is used for transceiving useful data (music, video, general data, but also control data).
  • the driver software 19 may be operated by other software components via standardized software interfaces (APIs).
  • the STA 4 is also equipped with a transceiving unit 20.
  • the transceiving unit 20 comprises a transceiver 21 provided as an interface for transceiving access data, for example the access data 10 transceived by transceiver 12.
  • the transceiving unit 20 is provided with transceiver software 22 as both a generation and an evaluation component.
  • the software 22 may generate a pre- shared key (PSK), for example as defined in the IEEE 802.11 standard, and transmit this PSK as part of access data 10 to the SKT 2.
  • PSK pre- shared key
  • the software 22 may extract a PSK 23 therefrom, for example as defined in the IEEE 802.11 standard, and pass on this PSK 23 via a standardized management interface to the driver software 19.
  • the STA 4 is furthermore provided with application software 24, required for operating the STA 4.
  • the AP 2 and the STA 4 will be different devices, pertaining to their respective functions in the wireless network in which they are used. Additionally, and complementary to any differences that may exist for the SKTs 1 and 2, also the AP 3 and the STA 4 may differ in the functionality provided by the respective transceiver units 14 and 20.
  • the STA 4 may be equipped with a transceiver unit 20 that does not comprise a PSK generation component. It may even be the case, for example when the SKT 1 is sold preconfigured with access data 6 pertaining to the STA 4, that STA 4 does not comprise a transceiving unit 20 at all.
  • a user would like to install the STA 4 in the home network and radio-connect it to the AP 3 and other wireless stations in the home network in order that the user can exchange useful data between STA 4 and the other wireless stations.
  • the user approaches the AP 3 and/or the STA 4 with an SKT, such as one of the SKTs 1 or 2, for the exchange of access data, and more in particular a PSK, according to one of the below embodiments of the invention.
  • an AP such as the AP 3 in Fig. 2 is able to bind/attribute a PSK to a particular STA, such as the STA 4 in Fig. 2, thanks to a triple-touch user interaction.
  • Fig. 3 shows a flow chart 300 illustrating the operation steps of wireless network access management according to this embodiment.
  • the AP After being touched with an SKT (further referred to as "SKT step"), such as the SKT 1 in Fig. 2, the AP generates a fresh unique PSK and stores it on the SKT (step 301). Subsequently, while being touched with the SKT, the station (STA) reads the PSK (along with other necessary configuration parameters) and stores its MAC address on the SKT (step 302). Touching the AP with the SKT again provides the AP with the MAC address of the willing-to-join STA, and the AP can therefore associate the newly generated PSK with this MAC address (step 303). This allows the AP to select the proper PSK when the STA initiates the association process (steps 304 and 305).
  • the user action can be described as follows:
  • step 301 AP generates fresh PSK - AP caches the fresh PSK (temporarily)
  • step 302 STA reads and stores PSK
  • STA stores its MAC address on SKT 3.
  • Touch home AP with SKT step 303):
  • AP reads STA MAC address from SKT and stores it in the list of PSK-MAC bindings along with the previously saved PSK optionally, AP deletes both PSK and MAC from the SKT
  • STA starts the state-of-the-art IEEE 802.1 Ii association procedure with the AP: an Association Request frame, followed by an Open System Authentication and a 4-way handshake (step 304). Based on the STA MAC address, present in the MAC frames, the AP can identify which PSK to use for the 4-way handshake and the authentication is successful (step 305).
  • the AP could be sold pre-packaged with a HSKT and a GSKT.
  • STA is touched with an SKT; and stores its MAC on the SKT.
  • AP is touched with the SKT; AP reads out the MAC, generates a fresh PSK, stores the PSK-MAC binding locally and stores the PSK on the SKT.
  • STA is touched again with the SKT; checks the MAC, reads the PSK and optionally cleans the SKT.
  • STA immediately starts an association. Based on the STA MAC address the AP can identify which PSK to use for the authentication.
  • This embodiment offers the advantage that the AP can immediately store the PSK-MAC binding. Furthermore, the STA can start a successful association as soon as it is touched for the second time. The previously described embodiment required the STA to wait for step 3 to be performed on the AP before trying to associate. In a further embodiment, the STA is assumed to have the capabilities to generate its PSK itself. In this case, the procedure is simplified to touching the to-be- configured devices once each, i.e. double-touch user interaction, in the following manner:
  • STA is touched with an SKT, and writes its MAC and freshly generated PSK on the SKT.
  • AP is touched with the SKT, reads out the MAC and PSK, stores the PSK- MAC binding and cleans the SKT.
  • STA starts an association. Based on the STA MAC address the AP can identify which PSK to use for the authentication. The applicability of this method may be limited to trusted home devices only.
  • the binding/attribution of an individual PSK to a particular STA could be executed automatically by an AP on the STA's first association.
  • a fresh PSK which is initially treated as a "common PSK", i.e. one not yet bound to a MAC address. If thereafter a STA successfully associates, using this PSK, within a pre-defined timeout period, the PSK becomes assigned to this STA, i.e. bound to its MAC address, and no other STA with a different MAC address can associate using the same PSK. If no STA associates, using the common PSK, before a timeout, set to some reasonable value, e.g. 2 minutes, the AP removes the common PSK.
  • the user action can be described as follows:
  • MAC - AP stores the fresh PSK as a common PSK, i.e. usable PSK but not yet bound to a MAC - AP stores the fresh PSK on the SKT
  • the AP Since the AP does not yet have a PSK associated with the STA MAC present in the MAC frames, it will use the common PSK if still valid for a 4-way handshake.
  • the AP associates the STA MAC with the common PSK, creating a PSK-MAC binding.
  • the association fails.
  • two SKTs should be used, one for home devices (Home SKT) and one for guest devices (Guest SKT).
  • the AP could be sold pre-packaged with a HSKT and a GSKT.
  • the user interaction for configuring individual PSKs can be further simplified to a single SKT touch only.
  • the devices are sold with individual SKT items, which are pre-configured with the read only MAC address of the STA and the rewritable STA's individual PSK. Then, to configure the STA, only touching the AP with the SKT would be necessary.
  • the user action can be described as follows: 1. Touch home AP with STA's SKT:
  • STA starts the association procedure with the AP. Based on the STA MAC address, present in the MAC frames, the AP can find which PSK to use for the 4-way handshake, and the authentication is successful.
  • This embodiment offers a simplified user interaction; in order to add the STA to the network, only touching the home AP with STA's SKT is needed.
  • the devices should be sold with two SKTs, i.e. a HSKT and a GSKT, both pre-configured with an STA MAC address. While the HSKT may contain a pre-configured individual STA PSK, the STA's guest PSK will be generated and stored on the STA's GSKT per visit by either the STA or the AP. In this case, the user interaction is modified as follows:
  • STA Touch new STA with its SKT: STA reads and stores PSK Optionally, STA removes PSK from SKT 3. STA immediately starts the association procedure with the AP. Based on the
  • the AP can find which PSK to use for the 4- way handshake, and the authentication is successful.
  • PMKID Packewise Master Key Identifier
  • PMKID is used for authentication of the devices.
  • PMKID is an 802.1 Ii construct, which allows already successfully 802. IX authenticated stations to avoid repeated authentication. Therefore, after disassociation, both the AP and the STA can cache the 802. IX authentication outcome, i.e. the PMK (Pairwise Master Key), and a (re-)associating STA can place the PMKID (being the PMK hashed with the SSID and the AP's MAC address) in the Association Request, so that the AP can resume the previous session and find the appropriate PMK.
  • PMKID can be applied to PSKs, in order to simplify the initial multiple PSK lookup on the AP, as the PMKID can be used as an index to search the psklist.
  • the user interaction can be described as follows: 1. Touch home AP with its SKT:
  • AP stores the fresh PSK on the SKT, optionally along with the AP's MAC
  • STA removes PSK from SKT
  • STA immediately starts the association procedure with the AP: STA calculates PMKID from PSK, SSID and AP's MAC
  • STA attaches the PMKID - For all stored PSKs (and PMKs), AP calculates the associated PMKID and compares it with the PMKID sent by the STA
  • the AP places the same PMKID in message 1 of 4 of the 4-way handshake
  • PSK-MAC binding is created to be used for lookup on later (re-)association.
  • the AP starts the PSK lookup from the recently added PSK, instead of starting from the beginning of the PSK list.
  • the procedure for configuring the shared PSK on the AP and the STA, which precedes the actual association, could be modified as described in any other points, i.e. the PSK could be already stored on the SKT or generated by one of the peers (AP or STA); the sequence of the steps can be changed accordingly.
  • the multiple PSK methods provided by the invention allow the user to configure every single device, i.e. home or guest, with an individual PSK. Said methods can be also creatively combined with a basic SKT configuration method, as defined in WO 2004/014040 Al, WO 2004/014039 Al and WO 2004/014038 Al, allowing some of the home devices, or e.g. a group of guest devices, to share a common PSK, which simplifies user interaction if network reconfiguration is necessary, while guest devices, as well as some home devices, e.g.
  • those prone to being lost, e.g. portables, or those subject to special security considerations, are configured with individual PSKs.
  • Individual credentials allow for individual management of every station and, e.g. for easier key revocation, for example in case a device is stolen, since reconfiguration of an entire network, as in the case of a shared PSK, is no longer necessary.
  • All of the above-described multiple PSK configuration and management methods are equally applicable for the configuration of home as well as guest devices into a wireless network.
  • the possibility to differentiate between home and guest status can be useful.
  • MAC-related parameters e.g. session keys lifetimes etc.
  • home devices are assumed to have long-term, if not constant, access to a home network, a guest visit is definitely time-limited, thus differentiation between home and guest (device) status allows for applying some automated guest removal procedures, e.g. duration based, like for example after 2 hours of access, timer based, like for example always at 8 p.m., event based, like for example when a certain user logs out/in, or user action based, like for example on a button press.
  • duration based like for example after 2 hours of access
  • timer based like for example always at 8 p.m.
  • event based like for example when a certain user logs out/in, or user action based, like for example on a button press.
  • this link-layer differentiation may allow for the implementation of access control mechanisms on higher layers, e.g. providing guest devices with DHCP leases for IP addresses from a pool different than the one for home devices or limiting guest access to certain resources.
  • This differentiation may also be of benefit to the STAs, e.g. to tell the STA whether to switch the personal firewall off or not.
  • the devices can differentiate between home and guest status, based on the following parameters: - The type of SKT item used for configuration, being either a home SKT or a guest SKT;
  • SKT/PSK set dynamically by configured devices, e.g. depending on user interaction (e.g. if STA is touched first, SKT carries guest configuration) or on which of the peers generates the credentials (e.g. STAs are allowed only to generate home configuration credentials, whereas APs should generate guest credentials);
  • SKT identifier being a unique SKT number, which allows the devices to differentiate between their own SKT (if paired with the device) or an already known SKT (e.g. one already used for home configuration) and an unknown SKT;
  • SKT capabilities e.g. a guest SKT should typically be (from a security point of view) rewritable, whereas a home SKT should be read only (if per- STA).
  • home/guest status of certain credentials can be represented e.g. by Home/Guest bits, stored for each PSK (or PSK-MAC binding).
  • PSK home/guest status of certain credentials
  • AP can implement separate psklists, for home and guest PSKs and STAs.
  • the SKT item could be integrated into one of the to-be-configured devices, i.e. the AP or preferably the STA.
  • the SKT unit can alternatively be replaced by establishing a direct connection between the two to-be-configured devices (e.g. AP, STA).
  • the user will be required to touch both devices, in order to enable direct Short-range Transmission between AP and STA. In this case the number of connection steps as described hereinbefore could be reduced.
  • the generation of a PSK may be automatically triggered by the SKT step or by other user interaction.
  • an additional user interaction e.g. a button or a switch
  • one of the to-be- configured devices could be used to inform this device about what type of PSK (home or guest) is to be generated.
  • the methods provided by the invention offer a plurality of advantages as compared to state-of-the-art configuration methods. Neither a GUI nor a PC is required. There is no installation of a management wizard. This management solution is applicable to all kinds of CE devices: headless, GUI-less, portable, small form factor, since the user does not need to find, remember or type in parameters. Furthermore, there is no struggling with MAC/IP addresses, and no naming of devices is required. The name or
  • MAC/IP address-based identification is replaced with an intuitive pointing action (with the SKT). Beside the optional capabilities of generating PSKs and differentiating between home/guest status, no changes are required to a STAs' wireless stack w.r.t. standard PSK solutions. A fast, easy and secure, intuitive and not error-prone configuration and management method for the user is provided.
  • the multiple PSK extension to IEEE 802. Hi together with intuitive management methods, allows for a flexible and more secure configuration of devices and networks than plain WPA-PSK, without the hassles of a full IEEE 802. IX solution.
  • a RFID/NFC card/tag is one prominent example of a SKT, but the applicability of the solution proposed by the invention is not limited to RFID/NFC.
  • SKT i.e. a contact SKT, e.g. USB, or a contactless SKT, e.g. IR, may be employed.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

La présente invention se rapporte à un procédé de gestion de l'accès domestique/invité à un réseau sans fil, en particulier un réseau WLAN 802.11, qui consiste à utiliser des éléments de transmission de clé à faible portée (SKT) pour configurer une pluralité de postes clients sans fil domestiques/invités (STA) à l'aide de multiples clés prépartagées (PSK). L'invention a également trait à des dispositifs destinés à la gestion de comptes d'accès au réseau sans fil.
PCT/IB2006/051752 2005-06-03 2006-06-01 Procede et dispositifs de gestion de l'acces a un reseau sans film WO2006129287A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
EP05104833 2005-06-03
EP05104833.8 2005-06-03
EP05111577.2 2005-12-01
EP05111577 2005-12-01

Publications (1)

Publication Number Publication Date
WO2006129287A1 true WO2006129287A1 (fr) 2006-12-07

Family

ID=37038292

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2006/051752 WO2006129287A1 (fr) 2005-06-03 2006-06-01 Procede et dispositifs de gestion de l'acces a un reseau sans film

Country Status (1)

Country Link
WO (1) WO2006129287A1 (fr)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011085069A3 (fr) * 2010-01-06 2011-09-09 Qualcomm Incorporated Procédé et appareil permettant d'offrir un support simultané pour de multiples clés maîtres au niveau d'un point d'accès dans un système de communication sans fil
US8898474B2 (en) 2008-11-04 2014-11-25 Microsoft Corporation Support of multiple pre-shared keys in access point
US9002277B2 (en) 2010-09-07 2015-04-07 Aerohive Networks, Inc. Distributed channel selection for wireless networks
US9008089B2 (en) 2012-06-14 2015-04-14 Aerohive Networks, Inc. Multicast to unicast conversion technique
US9019938B2 (en) 2008-05-14 2015-04-28 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US9413772B2 (en) 2013-03-15 2016-08-09 Aerohive Networks, Inc. Managing rogue devices through a network backhaul
US9572135B2 (en) 2009-01-21 2017-02-14 Aerohive Networks, Inc. Airtime-based packet scheduling for wireless networks
US9674892B1 (en) * 2008-11-04 2017-06-06 Aerohive Networks, Inc. Exclusive preshared key authentication
US9900251B1 (en) 2009-07-10 2018-02-20 Aerohive Networks, Inc. Bandwidth sentinel
US10091065B1 (en) 2011-10-31 2018-10-02 Aerohive Networks, Inc. Zero configuration networking on a subnetted network
EP3474510A1 (fr) * 2017-10-20 2019-04-24 Nokia Solutions and Networks Oy Accorder à un périphérique l'accès à un point d'accès
US10389650B2 (en) 2013-03-15 2019-08-20 Aerohive Networks, Inc. Building and maintaining a network
US10798634B2 (en) 2007-04-27 2020-10-06 Extreme Networks, Inc. Routing method and system for a wireless network
CN112311771A (zh) * 2020-09-30 2021-02-02 新华三大数据技术有限公司 一种管理用户接入设备的方法、管理设备和网络设备
US11115857B2 (en) 2009-07-10 2021-09-07 Extreme Networks, Inc. Bandwidth sentinel
EP3338473B1 (fr) * 2015-09-04 2021-10-27 Huawei Technologies Co., Ltd. Procédé et appareil d'authentification de dispositifs sans fil

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004014038A1 (fr) * 2002-07-29 2004-02-12 Philips Intellectual Property & Standards Gmbh Systeme de securite pour dispositifs d'un reseau

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004014038A1 (fr) * 2002-07-29 2004-02-12 Philips Intellectual Property & Standards Gmbh Systeme de securite pour dispositifs d'un reseau

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
PHILIPPE TEUWEN: "Patch submission: multi-PSK support for hostapd", INTERNET, 16 September 2004 (2004-09-16), pages 1 - 3, XP002402360, Retrieved from the Internet <URL:http://lists.shmoo.com/pipermail/hostap/2004-September/008037.html> [retrieved on 20061006] *

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10798634B2 (en) 2007-04-27 2020-10-06 Extreme Networks, Inc. Routing method and system for a wireless network
US10064105B2 (en) 2008-05-14 2018-08-28 Aerohive Networks, Inc. Predictive roaming between subnets
US9338816B2 (en) 2008-05-14 2016-05-10 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US10700892B2 (en) 2008-05-14 2020-06-30 Extreme Networks Inc. Predictive roaming between subnets
US10181962B2 (en) 2008-05-14 2019-01-15 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US9787500B2 (en) 2008-05-14 2017-10-10 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US9025566B2 (en) 2008-05-14 2015-05-05 Aerohive Networks, Inc. Predictive roaming between subnets
US9590822B2 (en) 2008-05-14 2017-03-07 Aerohive Networks, Inc. Predictive roaming between subnets
US9019938B2 (en) 2008-05-14 2015-04-28 Aerohive Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US10880730B2 (en) 2008-05-14 2020-12-29 Extreme Networks, Inc. Predictive and nomadic roaming of wireless clients across different network subnets
US20170230824A1 (en) * 2008-11-04 2017-08-10 Aerohive Networks, Inc. Exclusive preshared key authentication
EP2345268A4 (fr) * 2008-11-04 2016-11-30 Microsoft Technology Licensing Llc Prise en charge de plusieurs clés pré-partagées dans un point d accès
US10945127B2 (en) 2008-11-04 2021-03-09 Extreme Networks, Inc. Exclusive preshared key authentication
US8898474B2 (en) 2008-11-04 2014-11-25 Microsoft Corporation Support of multiple pre-shared keys in access point
US9674892B1 (en) * 2008-11-04 2017-06-06 Aerohive Networks, Inc. Exclusive preshared key authentication
US9867167B2 (en) 2009-01-21 2018-01-09 Aerohive Networks, Inc. Airtime-based packet scheduling for wireless networks
US9572135B2 (en) 2009-01-21 2017-02-14 Aerohive Networks, Inc. Airtime-based packet scheduling for wireless networks
US10772081B2 (en) 2009-01-21 2020-09-08 Extreme Networks, Inc. Airtime-based packet scheduling for wireless networks
US10219254B2 (en) 2009-01-21 2019-02-26 Aerohive Networks, Inc. Airtime-based packet scheduling for wireless networks
US11115857B2 (en) 2009-07-10 2021-09-07 Extreme Networks, Inc. Bandwidth sentinel
US9900251B1 (en) 2009-07-10 2018-02-20 Aerohive Networks, Inc. Bandwidth sentinel
US10412006B2 (en) 2009-07-10 2019-09-10 Aerohive Networks, Inc. Bandwith sentinel
CN102696204A (zh) * 2010-01-06 2012-09-26 高通股份有限公司 无线通信系统中用于在接入点处提供对多个主密钥的同时支持的方法和装置
KR101505493B1 (ko) 2010-01-06 2015-03-24 퀄컴 인코포레이티드 무선 통신 시스템에서의 액세스 포인트에서 다수의 마스터 키들에 대한 동시 지원을 제공하기 위한 방법 및 장치
WO2011085069A3 (fr) * 2010-01-06 2011-09-09 Qualcomm Incorporated Procédé et appareil permettant d'offrir un support simultané pour de multiples clés maîtres au niveau d'un point d'accès dans un système de communication sans fil
JP2013516911A (ja) * 2010-01-06 2013-05-13 クゥアルコム・インコーポレイテッド ワイヤレス通信システムにおけるアクセスポイントにおいて複数のマスターキーの同時サポートを行うための方法および装置
US8955054B2 (en) 2010-01-06 2015-02-10 Qualcomm Incorporated Method and apparatus for providing simultaneous support for multiple master keys at an access point in a wireless communication system
US10966215B2 (en) 2010-09-07 2021-03-30 Extreme Networks, Inc. Distributed channel selection for wireless networks
US9002277B2 (en) 2010-09-07 2015-04-07 Aerohive Networks, Inc. Distributed channel selection for wireless networks
US9814055B2 (en) 2010-09-07 2017-11-07 Aerohive Networks, Inc. Distributed channel selection for wireless networks
US10390353B2 (en) 2010-09-07 2019-08-20 Aerohive Networks, Inc. Distributed channel selection for wireless networks
US10091065B1 (en) 2011-10-31 2018-10-02 Aerohive Networks, Inc. Zero configuration networking on a subnetted network
US10833948B2 (en) 2011-10-31 2020-11-10 Extreme Networks, Inc. Zero configuration networking on a subnetted network
US10523458B2 (en) 2012-06-14 2019-12-31 Extreme Networks, Inc. Multicast to unicast conversion technique
US10205604B2 (en) 2012-06-14 2019-02-12 Aerohive Networks, Inc. Multicast to unicast conversion technique
US9729463B2 (en) 2012-06-14 2017-08-08 Aerohive Networks, Inc. Multicast to unicast conversion technique
US9565125B2 (en) 2012-06-14 2017-02-07 Aerohive Networks, Inc. Multicast to unicast conversion technique
US9008089B2 (en) 2012-06-14 2015-04-14 Aerohive Networks, Inc. Multicast to unicast conversion technique
US10542035B2 (en) 2013-03-15 2020-01-21 Aerohive Networks, Inc. Managing rogue devices through a network backhaul
US10389650B2 (en) 2013-03-15 2019-08-20 Aerohive Networks, Inc. Building and maintaining a network
US10027703B2 (en) 2013-03-15 2018-07-17 Aerohive Networks, Inc. Managing rogue devices through a network backhaul
US9413772B2 (en) 2013-03-15 2016-08-09 Aerohive Networks, Inc. Managing rogue devices through a network backhaul
EP3338473B1 (fr) * 2015-09-04 2021-10-27 Huawei Technologies Co., Ltd. Procédé et appareil d'authentification de dispositifs sans fil
EP3474510A1 (fr) * 2017-10-20 2019-04-24 Nokia Solutions and Networks Oy Accorder à un périphérique l'accès à un point d'accès
CN112311771A (zh) * 2020-09-30 2021-02-02 新华三大数据技术有限公司 一种管理用户接入设备的方法、管理设备和网络设备
CN112311771B (zh) * 2020-09-30 2022-05-24 新华三大数据技术有限公司 一种管理用户接入设备的方法、管理设备和网络设备

Similar Documents

Publication Publication Date Title
WO2006129287A1 (fr) Procede et dispositifs de gestion de l&#39;acces a un reseau sans film
US8208455B2 (en) Method and system for transporting configuration protocol messages across a distribution system (DS) in a wireless local area network (WLAN)
US8959601B2 (en) Client configuration during timing window
US8589687B2 (en) Architecture for supporting secure communication network setup in a wireless local area network (WLAN)
EP2740315B1 (fr) Procédé, dispositif et produit de programme informatique de configuration d&#39;une connexion dans une communication de dispositif à dispositif
US7948925B2 (en) Communication device and communication method
US8917651B2 (en) Associating wi-fi stations with an access point in a multi-access point infrastructure network
US20060265333A1 (en) Mesh network with digital rights management interoperability
US20250142335A1 (en) Systems and methods for virtual personal wi-fi network
JP2014197830A (ja) 通信装置、通信システム及びプログラム
US12069478B2 (en) Multicast containment in a multiple pre-shared key (PSK) wireless local area network (WLAN)
US20110314136A1 (en) Method and System for Improved Communication Network Setup
JP5721183B2 (ja) 無線lan通信システム、無線lan親機、通信接続確立方法、及びプログラム
JP2008078957A (ja) 無線通信システム及び無線ネットワーク接続方法
US20060039305A1 (en) Method and system for EAP encapsulation exchange for a setup configuration protocol in a WLAN
WO2006129288A1 (fr) Procede et dispositifs permettant de retirer individuellement un dispositif d&#39;un reseau sans fil
US20250056233A1 (en) Methods and devices facilitating secure wi-fi pairing
US20250133395A1 (en) Supporting multiple pre-shared keys in wi-fi networks
EP4546944A1 (fr) Prise en charge de multiples clés pré-partagées dans des réseaux wi-fi
KR20070040042A (ko) 무선랜 자동 설정 방법
CN116437348A (zh) 网络连接的建立方法和系统、存储介质及电子装置
Ramachandran Multi-Protocol Device Commissioning Framework for IoT Mesh Networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06756034

Country of ref document: EP

Kind code of ref document: A1

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载