WO2004095857A1 - An apparatus and method for location based wireless client authentication - Google Patents

An apparatus and method for location based wireless client authentication Download PDF

Info

Publication number
WO2004095857A1
WO2004095857A1 PCT/US2004/008392 US2004008392W WO2004095857A1 WO 2004095857 A1 WO2004095857 A1 WO 2004095857A1 US 2004008392 W US2004008392 W US 2004008392W WO 2004095857 A1 WO2004095857 A1 WO 2004095857A1
Authority
WO
WIPO (PCT)
Prior art keywords
wireless
wireless client
authentication
client
network
Prior art date
Application number
PCT/US2004/008392
Other languages
French (fr)
Inventor
Behram Mario Dacosta
Original Assignee
Sony Electronics, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sony Electronics, Inc. filed Critical Sony Electronics, Inc.
Publication of WO2004095857A1 publication Critical patent/WO2004095857A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0492Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload by using a location-limited connection, e.g. near-field communication or limited proximity of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/63Location-dependent; Proximity-dependent
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/63Location-dependent; Proximity-dependent
    • H04W12/64Location-dependent; Proximity-dependent using geofenced areas
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W64/00Locating users or terminals or network equipment for network management purposes, e.g. mobility management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10Small scale networks; Flat hierarchical networks
    • H04W84/12WLAN [Wireless Local Area Networks]

Definitions

  • the invention relates generally to the field of wireless device security.
  • one or more of the embodiments of the invention relate to a method and apparatus for location based wireless client authentication.
  • Wireless technology provides a mechanism for either replacing or extending traditional wired networks including, but not limited to, local area networks (LANs), personal area networks (PAN) and metropolitan area networks (MAN).
  • LANs local area networks
  • PAN personal area networks
  • MAN metropolitan area networks
  • RF radio frequency
  • wireless networks transmit and receive data over the air, through walls, ceilings and even cement structures without wired cabling.
  • a wireless-LAN (WLAN) is a flexible data communication system.
  • a WLAN provides all the features and benefits of traditional LAN technology, such as Ethernet and Token Ring, but without the limitations of being tethered together by a cable. This provides greater freedom and increased flexibility.
  • a WLAN is a network in which a mobile user can connect to a local area network (LAN) through a wireless (radio) connection according to a wireless protocol.
  • Wireless protocols include, but are not limited to, IEEE 802.11a, 802.11b, 802.11c, 802. llg, HiperLan 2, or any other protocol for any point-to-point wireless link or network. These wireless protocols are designed to provide high bandwidth allocation, technologies for WLANs, as well as other wireless networks. As a result, WLANs will enable, at a relatively low cost, wiring of various buildings, such as businesses, classrooms, homes or the like, while providing high bandwidth allocation.
  • UWB radio systems are also used to provide wireless-PANS (WPAN) UWB radio systems employ the transmission of very short pulses of radio energy. These characteristic spectrum signatures extend across a wide range of radio frequencies.
  • UWB signals have high bandwidth and frequency diversity, UWB signals are particularly suited for high speed data communications in environments, such as indoors where multipath fading is likely. Consequently, UWB radio systems are generally well suited for implementing a WLAN.
  • wireless networks such as WLANs rely on a communications medium (RF waves) which represent a shared medium.
  • RF waves communications medium
  • encryption and authentication are considered when developing a wireless network system.
  • the goal of these security features is to make wireless traffic as secure as wired traffic.
  • wireless protocols require a mechanism for encrypting traffic and authenticating nodes such as, for example, the wired equivalence privacy (WEP) protocol.
  • WEP wired equivalence privacy
  • the WEP protocol is used to protect link layer communications from eavesdropping and other attacks.
  • various individuals have discovered serious security flaws in the protocol stemming from misapplication of cryptographic primitives.
  • a number of practical attacks have been discovered that cause the WEP protocol to fail to achieve its security goals. Therefore, there remains a need to overcome one or more of the limitations in the above-described, existing art.
  • One embodiment of the present invention provides a method and apparatus for location based wireless client authentication.
  • the method includes the receipt of an authentication/access request from a wireless client desiring access to a wireless network. Once the request is received, a spatial location of the client is identified. Once the spatial location of the client is identified, compliance with the authentication/access request is performed according to the identified spatial location of the client.
  • the client is generally granted network access. The granted access may include a possible key exchange for unidentified , clients, or challenge and response authentication for identified clients.
  • FIG. 1 is a block diagram illustrating a peer-to-peer wireless network configuration, in accordance with one embodiment of the present invention.
  • FIG. 2 is a block diagram illustrating a wireless local area network
  • FIG. 3 is a block diagram illustrating prevention of attack on a wireless local area network using location based authentication, in accordance with one embodiment of the present invention.
  • FIG. 4 is a block diagram illustrating a wireless client configured to implement location based authentication, in accordance with one embodiment of the present invention.
  • FIG. 5 is a block diagram illustrating a wireless network which uses location based authentication to supplement conventional wireless authentication, in accordance with one embodiment of the present invention.
  • FIG. 6 is a flow chart illustrating a method for location based authentication of wireless clients, in accordance with one embodiment of the present invention.
  • FIG. 7 is a flow chart illustrating a method for establishing an internal representation of wireless network boundaries, in accordance with one embodiment of the present invention.
  • FIG. 8 is a flow chart illustrating a method for identifying the approximate spatial location of a wireless client, in accordance with one embodiment of the present invention.
  • FIG. 9 is a flow chart illustrating a method for authenticating a wireless client according to its spatial location, in accordance with one embodiment of the present invention.
  • FIG. 10 is a flow chart illustrating a method for authenticating a wireless client based on its spatial location, in accordance with the further embodiment of the present invention.
  • FIG. 11 is flow chart illustrating a method for performing authentication of a wireless client according to its spatial location, in accordance with one embodiment of the present invention.
  • FIG. 12 is a flow chart illustrating a method for terminating communication with the wireless client once the wireless client is outside network boundaries, in accordance with one embodiment of the present invention.
  • logic is representative of hardware and/or software configured to perform one or more functions.
  • examples of “hardware” include, but are not limited or restricted to an integrated circuit, a finite state machine or even combinatorial logic.
  • the integrated circuit may take the form of a processor such as a microprocessor, application specific integrated circuit, a digital signal processor, a micro-controller, or the like.
  • An example of "software” includes executable code in the form of an application, an applet, a routine or even a series of instructions.
  • the software may be stored in any type of computer or machine readable medium such as a programmable electronic circuit, a semiconductor memory device inclusive of volatile memory (e.g., random access memory, etc.) and/or non- volatile memory (e.g., any type of read-only memory "ROM”, flash memory), a floppy diskette, an optical disk (e.g., compact disk or digital video disc “DVD”), a hard drive disk, tape, or the like.
  • a further example of software includes a "software module.”
  • a software module includes executable code in the form of an application, an applet, a routine or even a series of instructions.
  • the software may be stored in any type of computer or machine readable medium such as a programmable electronic circuit, a semiconductor memory device inclusive of volatile memory (e.g., random access memory, etc.) and/or non- volatile memory (e.g.,
  • software module or “module” is a series of code instructions that, when executed, performs a certain function. Examples of such code include an operating system, an application, an applet, a program or even a subroutine.
  • Software module(s) may be stored in a machine-readable medium, including, but not limited to, an electronic circuit, a semiconductor memory device, a read only memory (ROM), a flash memory, an erasable ROM (EROM), a floppy diskette, a computer disk, an optical disk, a hard disk, a fiber optic medium, a radio frequency (RF) link and the like.
  • FIG. 1 is a block diagram illustrating a peer-to-peer configuration for a wireless network 100, in accordance with one embodiment of the invention.
  • the wireless networks may be configured according to a "wireless protocol" including, but not limited to, IEEE 802.11a, 802.11b, 802.11c, 802. llg, HiperLan 2, or any other protocol for any point-to-point wireless link or network.
  • a wireless protocol including, but not limited to, IEEE 802.11a, 802.11b, 802.11c, 802. llg, HiperLan 2, or any other protocol for any point-to-point wireless link or network.
  • network 100 is configured according to an ad hoc mode as independent basic service set (IBSS).
  • IBSS independent basic service set
  • wireless client 102 102-1, ..., 102-N
  • wireless adapter cards to communicate with
  • wireless network 100 the term “wireless client” or “client” is used to refer to wireless devices including, but not limited to, personal computers including laptop computers, equipped with wireless adapter cards, as well as personal digital assistants (PDAs), appliances, and the like devices configured to communicate via a wireless communications medium such as, for example, radio frequency (RF) waves.
  • RF radio frequency
  • wireless station or “station” is used to refer to devices including, but not limited to, wireless base stations, wireless access points (AP), computers such as server computers, personal computers, laptops, PDAs, or like devices configured to restrict access to stored information contained therein or to an attached wired network.
  • AP wireless access points
  • computers such as server computers, personal computers, laptops, PDAs, or like devices configured to restrict access to stored information contained therein or to an attached wired network.
  • network 100 is configured according to an ad hoc mode as independent basic service set (IBSS).
  • IBSS independent basic service set
  • peer-to-peer wireless configuration only the wireless clients within the transmission range (within the same cell) can communicate with each other.
  • the peer-to-peer network configuration 100 is principally used to quickly and easily setup a wireless network where no infrastructure is available, such as a convention center or offsite meeting location.
  • station 110 of wireless network 100 is configured to perform location based authentication of wireless clients requesting network access.
  • request for network access includes, but is not limited to network access requests, authentication requests or any other like requests for access to a wireless network or WLAN.
  • peer-to-peer configuration network 100 is designed to limit access to wireless devices which fall within predefined network boundaries, as described in further detail below.
  • FIG. 2 illustrates a WLAN network configuration 150, in accordance with one embodiment of the present invention.
  • the network 150 is also referred to as infrastructure mode or basic service set (BSS).
  • BSS basic service set
  • each client 102 sends all communications to a wireless local area network (WLAN) access point (station) 160.
  • WLAN wireless local area network
  • station 160 acts as a bridge to resources of a wired network 180.
  • Wired network 110 may implement an Ethernet protocol, Home Plug protocol, or the like.
  • Conventional WLAN networks may be governed by the wire equivalency protocol (WEP).
  • WLAN network 150 utilizes location based authentication as described in further detail below.
  • the association process is a two step process involving three states: (1) unauthenticated and associated; (2) authenticated and unassociated; and (3) authenticated and associated. To transition between the states, the communicating parties exchange messages called management frames. In operation, all stations transmit a beacon management frame at a fixed interval.
  • a wireless client listens for beacon messages to identify stations within range. After identifying a station, the client and the station may perform a mutual authentication by exchanging several management frames as part of the process. After successful authentication, the client moves into the second state authenticated and unassociated. Moving from the second state to the third and final state, authenticated and associated involves the client sending an association request frame and the station responding with an association response frame.
  • WLAN 200 may come under attack from a client 220 (220-1, ... , 220-N), which desires access to the WLAN 200 via an access point (station) 202 (202-1, ..., 202-N).
  • an attacker computer 220-1 is able to freely access corporate LAN 230, as well as internal host 240.
  • an attacker client 220-1 is able to circumvent corporate firewall 250 which traditionally secures corporate LAN 230 from various attacks via the Internet 260.
  • the WEP protocol provides two mechanisms for authentication, open system authentication and shared key authentication.
  • the open system authentication is a default authentication protocol for, for example, 802.1 IB.
  • open system authentication provides access to anyone that requests authentication by providing a null authentication process. For example, as illustrated in FIG. 3, attacker client 220 may detect a beacon management frame from station 210-1. Once detected, if WLAN 200 is configured according to open system authentication, attacker client 220 may freely access corporate LAN 230, as well as internal host 240 by simply requesting access.
  • Shared key authentication uses a standard challenge and response scheme based on knowledge of secret keys to provide authentication.
  • the client 220 requesting authentication (initiator) sends an authentication request management frame to station 202 indicating a desire to use shared key authentication.
  • station 202 responder
  • station 202 responder
  • PRNG WEP pseudorandom number generator
  • management frame is received from the initiator 220, contents of the challenge text are copied into a new management frame body, which is then encrypted using the shared secret key along with a new IV selected by the initiator 220.
  • the encrypted frame is then sent to the responder 202.
  • the responder decrypts the received frame and verifies the 32-bit integrity check value (ICV) as valid and that the challenge text matches that sent in the first message.
  • IOV integrity check value
  • one embodiment of the invention describes a method and apparatus for location based authentication which may be used to supplement conventional wireless security mechanisms and ensure a secure wireless network.
  • station 160 is configured to perform location based authentication in order to supplement, or possibly replace, shared key authentication as described above.
  • WLAN 200 could be configured to prohibit granting of access/authentication requests to clients outside physical security perimeter 210.
  • configuration of stations to perform location based authentication is depicted with reference to FIG. 4.
  • a station 300 includes a microprocessor 302 which uses chipset 310 to access memory 312, as well as communications interface 320.
  • the communications interface may include one or more incoming antennas 330, as well as one or more outgoing antennas 340.
  • station 300 may include adaptive antenna arrays and work in conjunction with additional stations to identify spatial location of wireless clients.
  • station 300 includes client authentication logic 400.
  • the client authentication logic 400 includes location based authentication logic 410.
  • the location based authentication logic uses network boundary identification logic 430.
  • network boundary identification logic 430 requires inputting of one or more values to define boundaries of a network.
  • a wireless network 500 is configured within home 510.
  • a user would be required to provide, for example, geographic coordinates identifying the boundaries of the user's home 510 as predetermined network boundaries 510.
  • providing of the boundaries can simply be performed by providing a remote control device (not shown) for station 300 which a user can carry along the boundaries of their home which are recorded by the remote control.
  • the coordinates may either be wirelessly transmitted to network boundary identification logic 430 or, for example, downloaded into identification logic 430 from the remote control once docked onto station 300.
  • a geographic positioning system could be used to identify the boundaries of home 510 and provide the boundaries to identification logic 430. Based on this information, identification logic 430 generates an internal representation of the home or structure.
  • the parameters used to form the internal representation of the wireless network may vary depending on the desired implementation which may include, for example, geographic coordinate systems, latitude and longitude readings, and the like.
  • identification logic 430 stores data based on characteristics from a sample wireless device signal such as, for example, the estimated direction of arrival (DO A), signal strengths, and characteristics (space-time features) of multipath signals received from the wireless client.
  • data is transmitted to the station 300 from a wireless client located at a few locations within the geographic boundaries of the wireless network and from a few locations outside the geographic boundaries of the wireless network. This information may be used to assist the client location detection logic 420 to convert detected signal characteristics from a wireless client requesting network access into network boundary identification parameters to determine whether the client is located within the wireless network boundaries.
  • this information can be used to perform multipath fingerprinting of wireless clients.
  • the multipath fingerprints may be stored within, for example, a database (not shown) which may be configured to adapt over time as multipath fingerprints changes over time.
  • multiple stations may be utilized within the wireless network, which may each perform the various techniques described above for enabling analysis of the RF signal received from a wireless client and convert characteristics of the received signal into, for example, geographic coordinates, the geographic coordinates are then compared with the internal representation of the wireless network boundaries.
  • the station 300 will transmit, for example, a beacon management frame.
  • a wireless client responds to the beacon management frame with an authentication request management frame (network access request).
  • location based authentication logic 410 uses the client location detection logic 420 to identify a spatial (relative/absolute) location of the wireless client.
  • identifying of the wireless client's location may be performed utilizing a trusted global positioning system (GPS).
  • GPS global positioning system
  • characteristics of the radio frequency waves used to transmit the authentication request from the wireless client to the station 300 may be analyzed.
  • device location detect logic 420 may generate a model of the multipath propagation effect, as well as the RF propagation effect according to the radio frequency waves used to provide the authentication request to the station 300. According to the multipath and RF propagation estimates, location detection logic 420 can determine an approximate location of the wireless client.
  • the mechanism used to identify the location of a wireless client will depend on the model used to supplement the internal representation of the wireless network boundaries.
  • multipath fingerprinting can be used to estimate the location of devices.
  • pattern matching may be used to estimate the location of the client based on multipath characteristics of the received signal. Accordingly, in one embodiment, if the exact location of matching multipath characteristics is stored in a database, the location of the wireless client may be estimated with nearly one hundred percent accuracy.
  • a direction arrival, signal strength, and characteristics of spatio-temporal features of multipath signals received from the wireless client may be compared against previously stored values in order to approximate the spatial location of the wireless client.
  • a wireless network may utilize multiple stations. When using multiple stations, in one embodiment, the location of a wireless client may be performed using triangulation. In a further embodiment, a probabilistic approach can be used to help increase the accuracy of location estimation. [00048] For example, as described above, estimates from wireless clients located within and outside the wireless network boundaries may be analyzed using Euclidean Distance Estimation or Neural Network Estimation methods.
  • estimation location may be improved by determining a direct distance to a client. This may be estimated by signal strengths, as well as measuring round trip times of a packet sent from the station to the client.
  • a packet is sent to the client after response or acknowledgement is received within a certain period of time the client is assumed to be within a certain distance of the station talcing into account propagation times.
  • the round-trip time for communication of the packet can be used to provide distance estimation due to the decrease or absence of multipath fading in UWB systems.
  • station 300 may be equipped with direction of arrival estimation logic, such as adaptive antenna arrays.
  • direction of arrival estimation logic such as adaptive antenna arrays.
  • beam forming adaptive antenna arrays may be used to determine the direction of arrival from the signal received from the wireless client, and can also be used to estimate the distance of the wireless client. Based on this information, an approximate location of the wireless client is determined.
  • information such as the direction of the client may be used to transmit directionally from the station 300 to the wireless clients, hence decreasing the possibility of interception from rogue clients.
  • the location is compared to the internal representation of the network boundaries contained within boundary identification logic 430. Consequently, when the identified spatial location of the wireless client falls within the network boundaries, location based authentication logic 410 may comply with the authentication/access request received from the wireless client. For example, in one embodiment, a wireless client authenticated based on an identified spatial location could then be provided with secret keys in order to implement future shared key authentication.
  • location based authentication logic 410 uses key authentication logic 440 to engage in traditional challenge and response shared key authentication.
  • the wireless client could simply be provided access once location based authentication is successful.
  • the location based authentication presupposes that the wireless client has gained access to a certain location and is assumed to have passed through some other physical authentication and, hence, is deemed trustable.
  • station 502 would grant access to wireless client 520-1 and wireless client 520-2 since both wireless clients reside within the network boundaries of home 510. Conversely, location based authentication would be denied to wireless client 520-3 and wireless client 520-4, as well as wireless client 520-5, since each of the aforementioned wireless clients are currently located outside the network boundaries of home 510. Furthermore, station 502 could monitor the wireless clients and terminate communication once the wireless clients are outside the network boundaries 510.
  • the spatial location of devices may be determined by the various methods described above, such as by GPS devices on the wireless devices or other methods, such as 802.11, HiperLan or UWB based positioning.
  • location based authentication is implemented in the form of hardware and software in the wireless devices.
  • identifying the spatial location of a wireless client may be based on characteristics of signals received from the wireless client.
  • location based authentication may be based on absolute or relative location of wireless clients in accordance with embodiments of the present invention. Procedural methods for implementing embodiments of the present invention are now described. Operation
  • FIG. 6 is a flow chart illustrating a method 600 for performing location based authentication of wireless clients in accordance with one embodiment of the invention.
  • the location based authentication may be performed within a network, for example, as depicted in FIG. 5, utilizing a station as described in FIG. 4, in accordance with one embodiment of the invention.
  • it is determined whether or not an authentication (network access request) request is received.
  • station 502 would determine whether, for example, an authentication request is received from a wireless device (client) that is requesting access to a wireless network.
  • the various wireless clients illustrated (A-E) are required to submit network access requests, such as, for example, authentication requests to gain access to wireless network 500.
  • the wireless device is authenticated according to the identified spatial location of the wireless device.
  • the location based authentication denies network access and authentication requests from wireless clients identified outside the network boundaries.
  • wireless clients identified as located within the network boundaries are presumed to have passed through some other method of physical authentication once they are located within predefined network boundaries. As such, devices within the network boundaries are identified as having attained a minimum level of trust.
  • FIG. 7 is a flow chart illustrating a method 602 for establishing an internal representation of wireless network boundaries, in accordance with one embodiment of the invention.
  • it is determined whether a network boundary setup request is received. Once received, at process block 606 one or more values defining physical boundaries of a wireless network are received. Once the values are received, at process block 606 the received values are processed to establish an internal representation of the wireless network boundaries.
  • geographic coordinates, longitude and latitude readings, or the like are used to establish an internal representation of the network boundaries within, for example, a station 300, as depicted in FIG. 4.
  • the internal representation of the boundaries is used to compare identified spatial locations of wireless devices either relative to the network boundaries or as indicated by precise or approximate coordinate location.
  • a flow chart illustrating a method 614 for identifying the spatial location of a wireless device is shown, in accordance with one embodiment of the invention.
  • a signal strength of a signal received from a wireless client is determined.
  • multipath and radio frequency (RF) propagation values are calculated according to one or more predetermined characteristics of the received signal.
  • the predetermined characteristics may include direction of arrival, spatial temporal properties, such as multipath delay in the scattering environment, and the like.
  • an approximate spatial location of the wireless client is identified according to the signal strength and the calculated multipath and radio frequency (RF) propagation values.
  • multipath fingerprinting may be used to identify the spatial location.
  • the spatial location is provided relative to the boundaries of the wireless network.
  • an approximate coordinate location of the wireless client is identified.
  • an exact coordinate location of the wireless client may be provided using a geographic positioning system (GPS).
  • GPS geographic positioning system
  • FIG. 9 is a flow chart illustrating a method 632 for authenticating a wireless client according to an identified spatial location of the wireless client, in accordance with one embodiment of the invention.
  • the identified spatial location of the wireless client is compared with predetermined wireless network boundaries.
  • a response is provided to the network access/authentication request received from the wireless device. Otherwise, at process block 640 the network access/authentication request received from the wireless client is disregarded.
  • FIG. 10 is a flow chart illustrating a method 650 for authenticating a wireless client according to an identified spatial location, in accordance with one embodiment of the invention.
  • an approximate spatial location of the wireless device is converted into one or more coordinate values.
  • the one or more coordinate values are compared to an internal representation of the wireless network boundaries. Based on the comparison, at process block 656 it is determined whether the coordinate values fall within the internal representation of the wireless network boundaries. When the values fall within coordinates of the wireless network boundaries, process block 658 is performed. Otherwise, process block 660 is performed.
  • wireless client is authenticated based on its physical location within the wireless network boundaries.
  • a reply is sent to the wireless client denying access to the wireless network.
  • wireless clients A and B (520-2 and 520-1) are granted network access by station 502.
  • wireless client C (520-3) which is located in yard 530
  • wireless client D (520-4) which is located in street 540
  • wireless client E (520-5) which is located within neighbor's home 530, are denied network access.
  • FIG. 11 is a flow chart illustrating a method 670 for authenticating the wireless client according to an identified spatial location of the device, in accordance with one embodiment of the invention.
  • process block 672 it is determined whether the wireless client is physically located within predetermined network boundaries. When the wireless client is physically located within the network boundaries, process block 674 is performed. Otherwise, at process block 684 the wireless device is denied wireless network access.
  • process block 674 it is determined whether the wireless client, within the network boundaries, has previously communicated with the network according to, for example, an identification value of the wireless client.
  • process block 676 when the wireless client has previously established communication with the network, process block 678 is performed. Otherwise, at process block 680 a shared key exchange is performed with the wireless client. Once the shared key exchange is performed, at process block 682 the wireless client is granted wireless network access. Otherwise, for previously identified wireless clients, at process block 678 the wireless client is granted wireless network access. In one embodiment, the challenge and response authentication scheme is engaged with the previously identified wireless clients to provide authentication of the wireless client, which may be repeated to provide mutual authentication between the wireless client and, for example, a network access point, such as depicted in FIG. 4.
  • FIG. 12 is a flow chart illustrating a method 690 for performing location based authentication of wireless clients, in accordance with one embodiment of the invention.
  • a current spatial location of an authenticated wireless client is monitored. In other words, in one embodiment, movement of a wireless client will cause monitoring of the current spatial location of the device.
  • a station, having an adaptive antenna array transmits directionally to the wireless clients to decrease the possibility of interception from rogue wireless clients. Alternate Embodiments

Abstract

In some embodiments, an apparatus and method for location based wireless client authentication is described. The method includes the receipt of an authentication/access request from a wireless client (220, 520) desiring network access. Once the request is received, a spatial location of the client (220, 520) is identified. Once the physical location of the client (220, 520) is identified, compliance with the authentication/access request is performed according to the identified spatial location of the client (220, 520). In one embodiment, when the spatial location of the client (220, 520) falls within predefined wireless network boundaries (210, 510), the client (220, 520) is granted network access. The granted access may include a possible key exchange for unidentified clients, or challenge and response authentication for identified clients. Hence, wireless clients (220, 520) that have gained access to a certain physical location are assumed to have passed through some other form of physical authentication and, hence, are deemed trustable. Other embodiments are described and claimed.

Description

AN APPARATUS AND METHOD FOR LOCATION BASED WIRELESS CLIENT AUTHENTICATION
FIELD
[0001] The invention relates generally to the field of wireless device security.
More particularly, one or more of the embodiments of the invention relate to a method and apparatus for location based wireless client authentication.
BACKGROUND [0002] Wireless technology provides a mechanism for either replacing or extending traditional wired networks including, but not limited to, local area networks (LANs), personal area networks (PAN) and metropolitan area networks (MAN). Using radio frequency (RF) or non-RF technology, wireless networks transmit and receive data over the air, through walls, ceilings and even cement structures without wired cabling. For example, a wireless-LAN (WLAN) is a flexible data communication system. A WLAN provides all the features and benefits of traditional LAN technology, such as Ethernet and Token Ring, but without the limitations of being tethered together by a cable. This provides greater freedom and increased flexibility.
[0003] In other words, a WLAN is a network in which a mobile user can connect to a local area network (LAN) through a wireless (radio) connection according to a wireless protocol. Wireless protocols include, but are not limited to, IEEE 802.11a, 802.11b, 802.11c, 802. llg, HiperLan 2, or any other protocol for any point-to-point wireless link or network. These wireless protocols are designed to provide high bandwidth allocation, technologies for WLANs, as well as other wireless networks. As a result, WLANs will enable, at a relatively low cost, wiring of various buildings, such as businesses, classrooms, homes or the like, while providing high bandwidth allocation. [0004] One technique for high bandwidth allocation in either a WLAN or a wireless-PAN (WPAN) is provided via ultra wide bandwidth (UWB) radio systems. UWB radio systems are also used to provide wireless-PANS (WPAN) UWB radio systems employ the transmission of very short pulses of radio energy. These characteristic spectrum signatures extend across a wide range of radio frequencies. In addition, since UWB signals have high bandwidth and frequency diversity, UWB signals are particularly suited for high speed data communications in environments, such as indoors where multipath fading is likely. Consequently, UWB radio systems are generally well suited for implementing a WLAN.
[0005] Unfortunately, wireless networks, such as WLANs rely on a communications medium (RF waves) which represent a shared medium. As a result, everything that is transmitted or received over a wireless network can be intercepted. Generally, encryption and authentication are considered when developing a wireless network system. The goal of these security features is to make wireless traffic as secure as wired traffic. To promote this goal, wireless protocols require a mechanism for encrypting traffic and authenticating nodes such as, for example, the wired equivalence privacy (WEP) protocol.
[0006] The WEP protocol is used to protect link layer communications from eavesdropping and other attacks. Unfortunately, various individuals have discovered serious security flaws in the protocol stemming from misapplication of cryptographic primitives. As a result, a number of practical attacks have been discovered that cause the WEP protocol to fail to achieve its security goals. Therefore, there remains a need to overcome one or more of the limitations in the above-described, existing art.
SUMMARY [0007] One embodiment of the present invention provides a method and apparatus for location based wireless client authentication. The method includes the receipt of an authentication/access request from a wireless client desiring access to a wireless network. Once the request is received, a spatial location of the client is identified. Once the spatial location of the client is identified, compliance with the authentication/access request is performed according to the identified spatial location of the client. [0008] For example, in one embodiment, when the physical location of the client falls within predefined wireless network boundaries, the client is generally granted network access. The granted access may include a possible key exchange for unidentified , clients, or challenge and response authentication for identified clients. In other words, wireless clients that have gained access to a certain location are assumed to have passed through some other form of physical authentication and, hence, are deemed trustable. Accordingly, the location based authentication described herein may be used to supplement conventional wireless client authentication, such as the wired equivalent privacy (WEP) protocol. BRIEF DESCRIPTION OF THE DRAWINGS [0009] The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which: [00010] FIG. 1 is a block diagram illustrating a peer-to-peer wireless network configuration, in accordance with one embodiment of the present invention. [00011] FIG. 2 is a block diagram illustrating a wireless local area network
(WLAN) configuration, in accordance with one embodiment of the present invention. [00012] FIG. 3 is a block diagram illustrating prevention of attack on a wireless local area network using location based authentication, in accordance with one embodiment of the present invention.
[00013] FIG. 4 is a block diagram illustrating a wireless client configured to implement location based authentication, in accordance with one embodiment of the present invention.
[00014] FIG. 5 is a block diagram illustrating a wireless network which uses location based authentication to supplement conventional wireless authentication, in accordance with one embodiment of the present invention. [00015] FIG. 6 is a flow chart illustrating a method for location based authentication of wireless clients, in accordance with one embodiment of the present invention.
[00016] FIG. 7 is a flow chart illustrating a method for establishing an internal representation of wireless network boundaries, in accordance with one embodiment of the present invention.
[00017] FIG. 8 is a flow chart illustrating a method for identifying the approximate spatial location of a wireless client, in accordance with one embodiment of the present invention.
[00018] FIG. 9 is a flow chart illustrating a method for authenticating a wireless client according to its spatial location, in accordance with one embodiment of the present invention.
[00019] FIG. 10 is a flow chart illustrating a method for authenticating a wireless client based on its spatial location, in accordance with the further embodiment of the present invention. [00020] FIG. 11 is flow chart illustrating a method for performing authentication of a wireless client according to its spatial location, in accordance with one embodiment of the present invention.
[00021] FIG. 12 is a flow chart illustrating a method for terminating communication with the wireless client once the wireless client is outside network boundaries, in accordance with one embodiment of the present invention.
DETAILED DESCRIPTION [00022] In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that present invention may be practiced without some of these specific details. In addition, the following description provides examples, and the accompanying drawings show various examples for the purposes of illustration. However, these examples should not be construed in a limiting sense as they are merely intended to provide examples of embodiments of the invention rather than to provide an exhaustive list of all possible implementations. In other instances, well-known structures and devices are shown in block diagram form in order to avoid obscuring the details of the present invention. [00023] In the following description, certain terminology is used to describe features of the invention. For example, the term "logic" is representative of hardware and/or software configured to perform one or more functions. For instance, examples of "hardware" include, but are not limited or restricted to an integrated circuit, a finite state machine or even combinatorial logic. The integrated circuit may take the form of a processor such as a microprocessor, application specific integrated circuit, a digital signal processor, a micro-controller, or the like.
[00024] An example of "software" includes executable code in the form of an application, an applet, a routine or even a series of instructions. The software may be stored in any type of computer or machine readable medium such as a programmable electronic circuit, a semiconductor memory device inclusive of volatile memory (e.g., random access memory, etc.) and/or non- volatile memory (e.g., any type of read-only memory "ROM", flash memory), a floppy diskette, an optical disk (e.g., compact disk or digital video disc "DVD"), a hard drive disk, tape, or the like. [00025] A further example of software includes a "software module." A
"software module" or "module" is a series of code instructions that, when executed, performs a certain function. Examples of such code include an operating system, an application, an applet, a program or even a subroutine. Software module(s) may be stored in a machine-readable medium, including, but not limited to, an electronic circuit, a semiconductor memory device, a read only memory (ROM), a flash memory, an erasable ROM (EROM), a floppy diskette, a computer disk, an optical disk, a hard disk, a fiber optic medium, a radio frequency (RF) link and the like. System Architecture
[00026] FIG. 1 is a block diagram illustrating a peer-to-peer configuration for a wireless network 100, in accordance with one embodiment of the invention. In embodiments depicted in FIGS. 1-3 and 5, the wireless networks may be configured according to a "wireless protocol" including, but not limited to, IEEE 802.11a, 802.11b, 802.11c, 802. llg, HiperLan 2, or any other protocol for any point-to-point wireless link or network. For example, as defined by the IEEE 802.11 standard, network 100 is configured according to an ad hoc mode as independent basic service set (IBSS). As illustrated, two or more wireless clients 102 (102-1, ..., 102-N) equipped with, for • example, wireless adapter cards to communicate with, form the wireless network 100. [00027] As described herein, the term "wireless client" or "client" is used to refer to wireless devices including, but not limited to, personal computers including laptop computers, equipped with wireless adapter cards, as well as personal digital assistants (PDAs), appliances, and the like devices configured to communicate via a wireless communications medium such as, for example, radio frequency (RF) waves. Furthermore, as described herein, the term "wireless station" or "station" is used to refer to devices including, but not limited to, wireless base stations, wireless access points (AP), computers such as server computers, personal computers, laptops, PDAs, or like devices configured to restrict access to stored information contained therein or to an attached wired network.
[00028] For example, as defined by the IEEE 802.11 standard, network 100 is configured according to an ad hoc mode as independent basic service set (IBSS). Within the ad hoc mode (peer-to-peer wireless configuration) only the wireless clients within the transmission range (within the same cell) can communicate with each other. Generally, the peer-to-peer network configuration 100 is principally used to quickly and easily setup a wireless network where no infrastructure is available, such as a convention center or offsite meeting location.
[00029] However, in contrast to conventional wireless networks, station 110 of wireless network 100 is configured to perform location based authentication of wireless clients requesting network access. As described herein, the term "request for network access" includes, but is not limited to network access requests, authentication requests or any other like requests for access to a wireless network or WLAN. Accordingly, as described in further detail below, peer-to-peer configuration network 100 is designed to limit access to wireless devices which fall within predefined network boundaries, as described in further detail below.
[00030] FIG. 2 illustrates a WLAN network configuration 150, in accordance with one embodiment of the present invention. For example, according to the IEEE 802.11 standard, the network 150 is also referred to as infrastructure mode or basic service set (BSS). As illustrated, in the infrastructure mode, each client 102 sends all communications to a wireless local area network (WLAN) access point (station) 160. As such, the clients 102 communicate with station 160, which acts as a bridge to resources of a wired network 180. Wired network 110 may implement an Ethernet protocol, Home Plug protocol, or the like. Conventional WLAN networks may be governed by the wire equivalency protocol (WEP). However, WLAN network 150 utilizes location based authentication as described in further detail below.
[00031] Conventionally, prior to communicating data, wireless clients and station
160 establish a relationship or an association. After an association is established, wireless clients and stations exchange data. In the infrastructure mode, the clients associate with an access point (station). The association process is a two step process involving three states: (1) unauthenticated and associated; (2) authenticated and unassociated; and (3) authenticated and associated. To transition between the states, the communicating parties exchange messages called management frames. In operation, all stations transmit a beacon management frame at a fixed interval.
[00032] To associate with a station and join a wireless network, a wireless client listens for beacon messages to identify stations within range. After identifying a station, the client and the station may perform a mutual authentication by exchanging several management frames as part of the process. After successful authentication, the client moves into the second state authenticated and unassociated. Moving from the second state to the third and final state, authenticated and associated involves the client sending an association request frame and the station responding with an association response frame.
[00033] Unfortunately, current techniques for providing secure wireless networks are susceptible to various attacks. For example, as illustrated in FIG. 3, WLAN 200 may come under attack from a client 220 (220-1, ... , 220-N), which desires access to the WLAN 200 via an access point (station) 202 (202-1, ..., 202-N). Once granted access, an attacker computer 220-1 is able to freely access corporate LAN 230, as well as internal host 240. In other words, as illustrated with reference to FIG. 3, an attacker client 220-1 is able to circumvent corporate firewall 250 which traditionally secures corporate LAN 230 from various attacks via the Internet 260.
[00034] To avoid this problem, the WEP protocol provides two mechanisms for authentication, open system authentication and shared key authentication. The open system authentication is a default authentication protocol for, for example, 802.1 IB. Generally, open system authentication provides access to anyone that requests authentication by providing a null authentication process. For example, as illustrated in FIG. 3, attacker client 220 may detect a beacon management frame from station 210-1. Once detected, if WLAN 200 is configured according to open system authentication, attacker client 220 may freely access corporate LAN 230, as well as internal host 240 by simply requesting access.
[00035] Shared key authentication uses a standard challenge and response scheme based on knowledge of secret keys to provide authentication. The client 220 requesting authentication (initiator) sends an authentication request management frame to station 202 indicating a desire to use shared key authentication. In response, station 202 (responder) responds by sending an authentication management frame containing 128- octets of challenge text to the initiator. The frame is generated using a WEP pseudorandom number generator (PRNG) with the "shared secret" and random initialization vector (IV).
[00036] Once the management frame is received from the initiator 220, contents of the challenge text are copied into a new management frame body, which is then encrypted using the shared secret key along with a new IV selected by the initiator 220. The encrypted frame is then sent to the responder 202. The responder decrypts the received frame and verifies the 32-bit integrity check value (ICV) as valid and that the challenge text matches that sent in the first message. When matches are detected, authentication of the initiator is successful. If authentication is successful then the initiator and the responder switch rolls and repeat the process to ensure mutual authentication.
[00037] Unfortunately, since wireless networks communicate via a shared medium, shared key authentication is easily exploited through a passive attack by the eavesdropping of one leg of a mutual authentication. The attack works because of the fixed structure of the WEP protocol. Accordingly, one embodiment of the invention describes a method and apparatus for location based authentication which may be used to supplement conventional wireless security mechanisms and ensure a secure wireless network.
[00038] As a result, in one embodiment, station 160 is configured to perform location based authentication in order to supplement, or possibly replace, shared key authentication as described above. Accordingly, as illustrated with reference to FIG. 3, WLAN 200 could be configured to prohibit granting of access/authentication requests to clients outside physical security perimeter 210. In one embodiment, configuration of stations to perform location based authentication is depicted with reference to FIG. 4. [00039] As illustrated in FIG. 4, a station 300 includes a microprocessor 302 which uses chipset 310 to access memory 312, as well as communications interface 320. The communications interface may include one or more incoming antennas 330, as well as one or more outgoing antennas 340. In one embodiment, station 300 may include adaptive antenna arrays and work in conjunction with additional stations to identify spatial location of wireless clients. In contrast to conventional stations, station 300 includes client authentication logic 400. The client authentication logic 400 includes location based authentication logic 410. The location based authentication logic uses network boundary identification logic 430.
[00040] In one embodiment, network boundary identification logic 430 requires inputting of one or more values to define boundaries of a network. For example, as illustrated with reference to FIG. 5, a wireless network 500 is configured within home 510. Within the embodiment, a user would be required to provide, for example, geographic coordinates identifying the boundaries of the user's home 510 as predetermined network boundaries 510. In one embodiment, providing of the boundaries can simply be performed by providing a remote control device (not shown) for station 300 which a user can carry along the boundaries of their home which are recorded by the remote control.
[00041] In one embodiment, the coordinates may either be wirelessly transmitted to network boundary identification logic 430 or, for example, downloaded into identification logic 430 from the remote control once docked onto station 300. In an alternative embodiment, a geographic positioning system could be used to identify the boundaries of home 510 and provide the boundaries to identification logic 430. Based on this information, identification logic 430 generates an internal representation of the home or structure. The parameters used to form the internal representation of the wireless network may vary depending on the desired implementation which may include, for example, geographic coordinate systems, latitude and longitude readings, and the like. [00042] In addition to the internal representation of the wireless network, in one embodiment, identification logic 430 stores data based on characteristics from a sample wireless device signal such as, for example, the estimated direction of arrival (DO A), signal strengths, and characteristics (space-time features) of multipath signals received from the wireless client. In such an embodiment, data is transmitted to the station 300 from a wireless client located at a few locations within the geographic boundaries of the wireless network and from a few locations outside the geographic boundaries of the wireless network. This information may be used to assist the client location detection logic 420 to convert detected signal characteristics from a wireless client requesting network access into network boundary identification parameters to determine whether the client is located within the wireless network boundaries.
[00043] In a further embodiment, this information can be used to perform multipath fingerprinting of wireless clients. In one embodiment, the multipath fingerprints may be stored within, for example, a database (not shown) which may be configured to adapt over time as multipath fingerprints changes over time. In a further embodiment, multiple stations may be utilized within the wireless network, which may each perform the various techniques described above for enabling analysis of the RF signal received from a wireless client and convert characteristics of the received signal into, for example, geographic coordinates, the geographic coordinates are then compared with the internal representation of the wireless network boundaries. [00044] Accordingly, once the wireless network boundaries are provided to identification logic 430, location based authentication logic 410 functions as follows, in accordance with one embodiment. Initially, the station 300 will transmit, for example, a beacon management frame. In response, a wireless client responds to the beacon management frame with an authentication request management frame (network access request). Once received, location based authentication logic 410 uses the client location detection logic 420 to identify a spatial (relative/absolute) location of the wireless client. [00045] In one embodiment, identifying of the wireless client's location may be performed utilizing a trusted global positioning system (GPS). In an alternative embodiment, characteristics of the radio frequency waves used to transmit the authentication request from the wireless client to the station 300 may be analyzed. For example, in one embodiment, device location detect logic 420 may generate a model of the multipath propagation effect, as well as the RF propagation effect according to the radio frequency waves used to provide the authentication request to the station 300. According to the multipath and RF propagation estimates, location detection logic 420 can determine an approximate location of the wireless client.
[00046] As will be recognized by those skilled in the art, the mechanism used to identify the location of a wireless client will depend on the model used to supplement the internal representation of the wireless network boundaries. For example, as described above, in one embodiment, multipath fingerprinting can be used to estimate the location of devices. For example, when an access request is received from a wireless client, pattern matching may be used to estimate the location of the client based on multipath characteristics of the received signal. Accordingly, in one embodiment, if the exact location of matching multipath characteristics is stored in a database, the location of the wireless client may be estimated with nearly one hundred percent accuracy. [00047] In a further embodiment, a direction arrival, signal strength, and characteristics of spatio-temporal features of multipath signals received from the wireless client may be compared against previously stored values in order to approximate the spatial location of the wireless client. In a further embodiment, a wireless network may utilize multiple stations. When using multiple stations, in one embodiment, the location of a wireless client may be performed using triangulation. In a further embodiment, a probabilistic approach can be used to help increase the accuracy of location estimation. [00048] For example, as described above, estimates from wireless clients located within and outside the wireless network boundaries may be analyzed using Euclidean Distance Estimation or Neural Network Estimation methods. For Euclidean Distance, the distance between the newly measured vector and stored vectors is minimized to yield the best estimation of the wireless client location. Furthermore, estimation location may be improved by determining a direct distance to a client. This may be estimated by signal strengths, as well as measuring round trip times of a packet sent from the station to the client.
[00049] For example, a packet is sent to the client after response or acknowledgement is received within a certain period of time the client is assumed to be within a certain distance of the station talcing into account propagation times. Within UWB system, the round-trip time for communication of the packet can be used to provide distance estimation due to the decrease or absence of multipath fading in UWB systems. [00050] In a further embodiment, station 300 may be equipped with direction of arrival estimation logic, such as adaptive antenna arrays. For example, in one embodiment, beam forming adaptive antenna arrays may be used to determine the direction of arrival from the signal received from the wireless client, and can also be used to estimate the distance of the wireless client. Based on this information, an approximate location of the wireless client is determined. In a further embodiment, information such as the direction of the client may be used to transmit directionally from the station 300 to the wireless clients, hence decreasing the possibility of interception from rogue clients. [00051] As such, once either a GPS provided location or an approximate location for the wireless client is determined, the location is compared to the internal representation of the network boundaries contained within boundary identification logic 430. Consequently, when the identified spatial location of the wireless client falls within the network boundaries, location based authentication logic 410 may comply with the authentication/access request received from the wireless client. For example, in one embodiment, a wireless client authenticated based on an identified spatial location could then be provided with secret keys in order to implement future shared key authentication. [00052] Alternatively, when the wireless client has previously communicated and successfully been granted access to the wireless network, location based authentication logic 410 uses key authentication logic 440 to engage in traditional challenge and response shared key authentication. Alternatively, the wireless client could simply be provided access once location based authentication is successful. In this embodiment, the location based authentication presupposes that the wireless client has gained access to a certain location and is assumed to have passed through some other physical authentication and, hence, is deemed trustable.
[00053] Accordingly, as depicted with reference to FIG. 5, based on the spatial location of the various wireless clients, station 502 would grant access to wireless client 520-1 and wireless client 520-2 since both wireless clients reside within the network boundaries of home 510. Conversely, location based authentication would be denied to wireless client 520-3 and wireless client 520-4, as well as wireless client 520-5, since each of the aforementioned wireless clients are currently located outside the network boundaries of home 510. Furthermore, station 502 could monitor the wireless clients and terminate communication once the wireless clients are outside the network boundaries 510.
[00054] Accordingly, as described in the embodiments, the spatial location of devices may be determined by the various methods described above, such as by GPS devices on the wireless devices or other methods, such as 802.11, HiperLan or UWB based positioning. In one embodiment, location based authentication is implemented in the form of hardware and software in the wireless devices. Conversely, identifying the spatial location of a wireless client may be based on characteristics of signals received from the wireless client. Accordingly, location based authentication may be based on absolute or relative location of wireless clients in accordance with embodiments of the present invention. Procedural methods for implementing embodiments of the present invention are now described. Operation
[00055] FIG. 6 is a flow chart illustrating a method 600 for performing location based authentication of wireless clients in accordance with one embodiment of the invention. For example, the location based authentication may be performed within a network, for example, as depicted in FIG. 5, utilizing a station as described in FIG. 4, in accordance with one embodiment of the invention. At process block 610, it is determined whether or not an authentication (network access request) request is received. For example, as illustrated with reference to FIG. 5, station 502 would determine whether, for example, an authentication request is received from a wireless device (client) that is requesting access to a wireless network.
[00056] For example, as illustrated with reference to FIG. 5, the various wireless clients illustrated (A-E) are required to submit network access requests, such as, for example, authentication requests to gain access to wireless network 500. In response, at process block 630 the wireless device is authenticated according to the identified spatial location of the wireless device. In one embodiment, the location based authentication denies network access and authentication requests from wireless clients identified outside the network boundaries. In contrast, wireless clients identified as located within the network boundaries are presumed to have passed through some other method of physical authentication once they are located within predefined network boundaries. As such, devices within the network boundaries are identified as having attained a minimum level of trust. [00057] FIG. 7 is a flow chart illustrating a method 602 for establishing an internal representation of wireless network boundaries, in accordance with one embodiment of the invention. At process block 604, it is determined whether a network boundary setup request is received. Once received, at process block 606 one or more values defining physical boundaries of a wireless network are received. Once the values are received, at process block 606 the received values are processed to establish an internal representation of the wireless network boundaries.
[00058] For example, in one embodiment, geographic coordinates, longitude and latitude readings, or the like are used to establish an internal representation of the network boundaries within, for example, a station 300, as depicted in FIG. 4. In one embodiment, the internal representation of the boundaries is used to compare identified spatial locations of wireless devices either relative to the network boundaries or as indicated by precise or approximate coordinate location.
[00059] Referring now to FIG. 8, a flow chart illustrating a method 614 for identifying the spatial location of a wireless device is shown, in accordance with one embodiment of the invention. At process block 616 a signal strength of a signal received from a wireless client is determined. Once the signal strength is determined, at process block 618, multipath and radio frequency (RF) propagation values are calculated according to one or more predetermined characteristics of the received signal. In one embodiment, the predetermined characteristics may include direction of arrival, spatial temporal properties, such as multipath delay in the scattering environment, and the like. [00060] At process block 620, an approximate spatial location of the wireless client is identified according to the signal strength and the calculated multipath and radio frequency (RF) propagation values. Alternatively, multipath fingerprinting, pattern matching, direction of arrival and distance estimation, triangulation, or the like, may be used to identify the spatial location. In one embodiment, the spatial location is provided relative to the boundaries of the wireless network. In an alternate embodiment, an approximate coordinate location of the wireless client is identified. In one embodiment, an exact coordinate location of the wireless client may be provided using a geographic positioning system (GPS).
[00061] FIG. 9 is a flow chart illustrating a method 632 for authenticating a wireless client according to an identified spatial location of the wireless client, in accordance with one embodiment of the invention. At process block 634, the identified spatial location of the wireless client is compared with predetermined wireless network boundaries. At process block 636, it is determined whether the wireless client is physically located within the predetermined wireless network boundaries. When the wireless client is physically located within the network boundaries at process block 638, a response is provided to the network access/authentication request received from the wireless device. Otherwise, at process block 640 the network access/authentication request received from the wireless client is disregarded.
[00062] FIG. 10 is a flow chart illustrating a method 650 for authenticating a wireless client according to an identified spatial location, in accordance with one embodiment of the invention. At process block 650 an approximate spatial location of the wireless device is converted into one or more coordinate values. At process block 654, the one or more coordinate values are compared to an internal representation of the wireless network boundaries. Based on the comparison, at process block 656 it is determined whether the coordinate values fall within the internal representation of the wireless network boundaries. When the values fall within coordinates of the wireless network boundaries, process block 658 is performed. Otherwise, process block 660 is performed.
[00063] At process block 658 the wireless client is authenticated based on its physical location within the wireless network boundaries. Conversely, at process block 660, a reply is sent to the wireless client denying access to the wireless network. For example, as illustrated with reference to wireless network 500 of FIG. 5, wireless clients A and B (520-2 and 520-1) are granted network access by station 502. Conversely, wireless client C (520-3) which is located in yard 530, wireless client D (520-4) which is located in street 540, and wireless client E (520-5) which is located within neighbor's home 530, are denied network access.
[00064] FIG. 11 is a flow chart illustrating a method 670 for authenticating the wireless client according to an identified spatial location of the device, in accordance with one embodiment of the invention. At process block 672 it is determined whether the wireless client is physically located within predetermined network boundaries. When the wireless client is physically located within the network boundaries, process block 674 is performed. Otherwise, at process block 684 the wireless device is denied wireless network access. At process block 674, it is determined whether the wireless client, within the network boundaries, has previously communicated with the network according to, for example, an identification value of the wireless client.
[00065] At process block 676, when the wireless client has previously established communication with the network, process block 678 is performed. Otherwise, at process block 680 a shared key exchange is performed with the wireless client. Once the shared key exchange is performed, at process block 682 the wireless client is granted wireless network access. Otherwise, for previously identified wireless clients, at process block 678 the wireless client is granted wireless network access. In one embodiment, the challenge and response authentication scheme is engaged with the previously identified wireless clients to provide authentication of the wireless client, which may be repeated to provide mutual authentication between the wireless client and, for example, a network access point, such as depicted in FIG. 4.
[00066] FIG. 12 is a flow chart illustrating a method 690 for performing location based authentication of wireless clients, in accordance with one embodiment of the invention. At process block 692 a current spatial location of an authenticated wireless client is monitored. In other words, in one embodiment, movement of a wireless client will cause monitoring of the current spatial location of the device. At process block 694, it is determined whether the wireless client is located outside the predetermined network boundaries. When such is the case, at process block 696 termination of communication within the wireless device is performed, revoking previously granted network access. However, in one embodiment, a station, having an adaptive antenna array transmits directionally to the wireless clients to decrease the possibility of interception from rogue wireless clients. Alternate Embodiments
[00067] Several aspects of one implementation of the location based authentication for providing improved wireless network security are described. However, various implementations of the location based authentication provide numerous features including, complementing, supplementing, and/or replacing the features described above. Features can be implemented as part of the access point or as part of the wireless devices in different embodiment implementations. In addition, the foregoing description, for purposes of explanation, used specific nomenclature to provide a thorough understanding of the embodiments of the invention. However, it will be apparent to one skilled in the art that the specific details are not required in order to practice the embodiments of the invention.
[00068] It is to be understood that even though numerous characteristics and advantages of various embodiments of the present invention have been set forth in the foregoing description, together with details of the structure and function of various embodiments of the invention, this disclosure is illustrative only. In some cases, certain subassemblies are only described in detail with one such embodiment. Nevertheless, it is recognized and intended that such subassemblies may be used in other embodiments of the invention. Changes may be made in detail, especially matters of structure and management of parts within the principles of the embodiments of the present invention to the full extent indicated by the broad general meaning of the terms in which the appended claims are expressed.
[00069] Having disclosed exemplary embodiments and the best mode, modifications and variations may be made to the disclosed embodiments while remaining within the scope of the embodiments of the invention as defined by the following claims.

Claims

CLAIMSWhat is claimed is:
1. A method comprising: receiving, from a wireless client (220, 520), a request for access to a wireless network (200, 500); identifying a spatial location of the wireless client (220, 520); and authenticating the wireless client (220, 520), according to the identified spatial location of the wireless client (220, 520).
2. The method of claim 1, wherein authenticating the wireless client (220, 520) further comprises: comparing the identified spatial location of the wireless client (220, 520) with predetermined wireless network boundaries (210, 510); when the wireless client (220, 520) is physically located within the predetermined wireless network boundaries (210, 510), responding to an authentication request received from the wireless client (220, 520); and otherwise, disregarding the authentication request.
3. The method of claim 2, authenticating the wireless client (220, 520) further comprises: engaging in a challenge and response authentication with the wireless client (220, 520) based on commonly shared keys.
4. The method of claim 1, wherein the method, prior to receiving the authentication request, further comprises: receiving one or more values identifying the wireless network boundaries (210, 510); and processing the received values to establish an internal representation of the wireless network boundaries (210, 510).
5. The method of claim 1, wherein identifying the spatial location of the wireless client (220, 520) further comprises: determining a signal strength of a received signal used to communicate the authentication request from the wireless client (220, 520); calculating multipath and radio frequency (RF) propagation values according to one or more predetermined characteristics of the received signal; and identifying an approximate spatial location of the wireless client (220, 520) according to the signal strength and the calculated multipath and RF propagation values.
6. The method of claim 1, wherein identifying the spatial location of the wireless client (220, 520) further comprises: determining coordinates of the spatial location of the wireless client (520, 540) using a geographic positioning system (GPS).
7. The method of claim 1, wherein authenticating the wireless client (220, 520) further comprises: converting an approximate spatial location of the wireless client (220, 520) into one or more coordinate values; comparing the one or more coordinate values to an internal representation of the wireless network boundaries (210, 510); when the one or more coordinate values falls within the internal representation of the wireless network boundaries (210, 510), authenticating the wireless client (220, 520); and otherwise, sending a reply to the wireless client (220, 520) denying access to the wireless network (200, 500).
8. The method of claim 1, wherein authenticating the wireless client (220, 520) further comprises: determining whether the wireless client (220, 520) has previously communicated with the network (200, 500) according to an identification value of the wireless client (220, 520); when the wireless client (220, 520) is identified as having previously established communication with the wireless network (200, 500), granting wireless network access to the wireless client (220, 520) if the spatial location of the wireless client (220, 520) is within the predetermined wireless network boundaries (210, 510); and otherwise, performing a shared key exchange with the wireless client (220,
520) to enable shared key authentication during subsequent authentication requests from the wireless client (220, 520), and granting the wireless client (220, 520) access to the wireless network (200, 500), if the spatial location of the wireless client (220, 520) is within the predetermined wireless network boundaries (210, 510).
9. The method of claim 1, wherein authenticating the wireless client (220, 520) further comprises: engaging in a challenge and response authentication of the wireless client (220, 520) when the wireless client (220, 520) is physically located within the predetermined wireless network boundaries (210, 510).
10. The method of claim 1, further comprising: monitoring a current spatial location of the wireless client (220, 520) when movement of the wireless client (220, 520) is detected; and terminating communication with the wireless client (220, 520) once the current spatial location of the wireless client (220, 520) is outside the predetermined network boundaries (210, 510).
11. A machine readable medium including software executed by at least one processor, within an electronic device, the software comprising: an identification module to identify a spatial location of a wireless client (220, 520) if a request for access to a wireless network (200, 500) is received from the wireless client (220, 520); and an authentication module to authenticate the wireless client (220, 520), according to the identified spatial location of the wireless client (220, 520).
12. The machine readable storage medium of claim 11, wherein the authentication module responds to an authentication request received from the wireless client (220, 520) if the wireless client (220, 520) is physically located within predetermined wireless network boundari.es (210, 510), and otherwise, disregards the received authentication request.
13. The machine readable medium of claim 12, wherein the authentication module engages in a challenge and response authentication with the wireless client (220, 520) based on commonly shared keys to authenticate the wireless client (220, 520).
14. The machine readable medium of claim 11, wherein the software further comprises: a network boundary module to process one or more received values identifying the wireless network boundaries (210, 510) to establish an internal representation of the wireless network boundaries (210, 510) prior to receiving access requests.
15. The machine readable medium of claim 11 , wherein the identification module determines a signal strength of a received signal used to communicate the request from the wireless client (220, 520), calculates multipath and radio frequency (RF) propagation values according to one or more predetermined characteristics of the received signal, and identifies an approximate spatial location of the wireless client (220, 520) according to the signal strength and the calculated multipath and RF propagation values.
16. The machine readable medium of claim 11 , wherein the identification module determines coordinates of the spatial location of the wireless client (220, 520) using a geographic positioning system (GPS).
17. The machine readable storage medium of claim 11 , wherein the authentication module converts an approximate spatial location of the wireless client (220, 520) into one or more coordinate values, compares the one or more coordinate values to an internal representation of the wireless network boundaries (210, 510), authenticates the wireless client (220, 520) if the one or more coordinate values falls within the internal representation of the wireless network boundaries (210, 510), and otherwise, sends a reply to the wireless client (220, 520) denying access to the wireless network (200, 500).
18. The machine readable storage medium of claim 11, wherein the authentication module grants wireless network access to the wireless client (220, 520) if the spatial location of the wireless client (220, 520) is within the predetermined wireless network boundaries (210, 510) and if the wireless client (220, 520) is identified as not having previously established communication with the wireless network (200, 500), performs a shared key exchange with the wireless client (220, 520) to enable shared key authentication during subsequent authentication requests from the wireless client (220, 520).
19. The machine readable storage medium of claim 11, wherein the authentication module engages in a challenge and response authentication of the wireless client (220, 520) if the wireless client (220, 520) is physically located within the predetermined wireless network boundaries (210, 510).
20. The machine readable storage medium of claim 11, wherein software further comprises: a motion detection module to monitor a current spatial location of the wireless client (220, 520) if movement of the wireless client (220, 520) is detected, and terminate communication with the wireless client (220, 520) once the current spatial location of the wireless client (220, 520) is outside the predetermined network boundaries (210, 510).
21. An apparatus (300) comprising: a communication interface (320) to receive an authentication request being a request from a wireless client (220, 520) requesting network access; and circuitry (400) coupled to the communications interface (320), the circuitry comprising authentication logic (410) to respond to the authentication request when an identified spatial location of the wireless client (220, 520) falls within predetermined network boundaries (210, 510).
22. The apparatus of claim 21, wherein the authentication logic (410) of the circuitry further comprises: device location detection logic (420) to identify a relative/spatial location of wireless clients (220, 520) requesting network access.
23. The apparatus of claim 21, wherein the authentication logic (410) of the circuitry further comprises: network boundary identification logic (430) to generate an internal representation of the network boundaries (210, 510) according to received coordinate values.
24. The apparatus of claim 21, further comprising: a remote control device to capture coordinate values of network boundaries (210, 510) and provide the coordinate values to boundary identification logic (430) of the authentication logic (410).
25. The apparatus of claim 22, wherein the device location detection logic (420) of the circuitry (400) includes a geographic positioning system to identify the spatial location of wireless clients (220, 520) requesting network access.
26. A system comprising: a wireless network local area network (200, 500) having predetermined wireless network boundaries (210, 510); and a station (300) located within the predetermined wireless network boundaries (210, 510), the station (300) including authentication logic circuitry (400) to respond to an authentication request being a network access request from a wireless client (220, 520) when an identified spatial location of the wireless client (220, 520) falls within the predetermined wireless network boundaries (210, 510).
27. The system of claim 26, wherein the authentication logic circuitry (400) further comprises: device location detection logic (420) to identify a relative/spatial location of wireless clients (220, 520) requesting network access.
28. The system of claim 26, wherein the authentication logic (400) further comprises: network boundary identification logic (430) to generate an internal representation of the network boundaries (210, 510) according to received coordinate values.
29. The system of claim 26, further comprising: a remote control device to capture coordinate values of the network boundaries (210, 510) and provide the coordinate values to boundary identification logic (430) of the authentication logic (400).
30. The system of claim 26, wherein the station (300) further comprises: a communications interface (320) including an adaptive antenna array (330, 340) to enable directional communication with authenticated wireless clients to reduce communication interception by unauthenticated wireless clients.
PCT/US2004/008392 2003-03-25 2004-03-18 An apparatus and method for location based wireless client authentication WO2004095857A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/397,934 US6978023B2 (en) 2003-03-25 2003-03-25 Apparatus and method for location based wireless client authentication
US10/397,934 2003-03-25

Publications (1)

Publication Number Publication Date
WO2004095857A1 true WO2004095857A1 (en) 2004-11-04

Family

ID=32989113

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2004/008392 WO2004095857A1 (en) 2003-03-25 2004-03-18 An apparatus and method for location based wireless client authentication

Country Status (2)

Country Link
US (3) US6978023B2 (en)
WO (1) WO2004095857A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1696626A1 (en) * 2005-02-28 2006-08-30 Research In Motion Limited Method and System for Enhanced Security Using Location Based Wireless Authentication
EP1708528A1 (en) * 2005-03-31 2006-10-04 BRITISH TELECOMMUNICATIONS public limited company Location based authentication
US7221949B2 (en) 2005-02-28 2007-05-22 Research In Motion Limited Method and system for enhanced security using location-based wireless authentication
WO2015119870A1 (en) * 2014-02-07 2015-08-13 Microsoft Technology Licensing, Llc Securely determining the location of a user
US11308477B2 (en) 2005-04-26 2022-04-19 Spriv Llc Method of reducing fraud in on-line transactions
US11354667B2 (en) 2007-05-29 2022-06-07 Spriv Llc Method for internet user authentication
US11792314B2 (en) 2010-03-28 2023-10-17 Spriv Llc Methods for acquiring an internet user's consent to be located and for authenticating the location information
US11818287B2 (en) 2017-10-19 2023-11-14 Spriv Llc Method and system for monitoring and validating electronic transactions

Families Citing this family (194)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8041817B2 (en) 2000-06-30 2011-10-18 At&T Intellectual Property I, Lp Anonymous location service for wireless networks
US7085555B2 (en) 2000-12-19 2006-08-01 Bellsouth Intellectual Property Corporation Location blocking service from a web advertiser
US7428411B2 (en) * 2000-12-19 2008-09-23 At&T Delaware Intellectual Property, Inc. Location-based security rules
US7181225B1 (en) 2000-12-19 2007-02-20 Bellsouth Intellectual Property Corporation System and method for surveying wireless device users by location
US7116977B1 (en) 2000-12-19 2006-10-03 Bellsouth Intellectual Property Corporation System and method for using location information to execute an action
US7224978B2 (en) 2000-12-19 2007-05-29 Bellsouth Intellectual Property Corporation Location blocking service from a wireless service provider
US7440780B2 (en) * 2002-09-18 2008-10-21 University Of Pittsburgh - Of The Commonwealth System Of Higher Education Recharging method and apparatus
JP2006501789A (en) 2002-09-30 2006-01-12 コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ Secure proximity verification of nodes on the network
US7342906B1 (en) * 2003-04-04 2008-03-11 Airespace, Inc. Distributed wireless network security system
US7936872B2 (en) * 2003-05-19 2011-05-03 Microsoft Corporation Client proximity detection method and system
US20040267551A1 (en) * 2003-06-26 2004-12-30 Satyendra Yadav System and method of restricting access to wireless local area network based on client location
KR101195304B1 (en) * 2003-07-17 2012-10-26 인터디지탈 테크날러지 코포레이션 Method and system for delivery of assistance data
US7239850B2 (en) * 2003-07-25 2007-07-03 Cyrus Peikari Optimizing the protection of wireless local area networks with real-time, flexible, perimeter sensor feedback
JP4543657B2 (en) * 2003-10-31 2010-09-15 ソニー株式会社 Information processing apparatus and method, and program
US20050114694A1 (en) * 2003-11-05 2005-05-26 Openwave Systems Inc. System and method for authentication of applications in a non-trusted network environment
US7752320B2 (en) * 2003-11-25 2010-07-06 Avaya Inc. Method and apparatus for content based authentication for network access
WO2005057355A2 (en) * 2003-12-05 2005-06-23 Motion Picture Association Of America Digital rights management using a triangulating geographic locating device
US8230486B2 (en) * 2003-12-30 2012-07-24 Entrust, Inc. Method and apparatus for providing mutual authentication between a sending unit and a recipient
US9191215B2 (en) * 2003-12-30 2015-11-17 Entrust, Inc. Method and apparatus for providing authentication using policy-controlled authentication articles and techniques
US8612757B2 (en) * 2003-12-30 2013-12-17 Entrust, Inc. Method and apparatus for securely providing identification information using translucent identification member
US8966579B2 (en) 2003-12-30 2015-02-24 Entrust, Inc. Method and apparatus for providing authentication between a sending unit and a recipient based on challenge usage data
US8060915B2 (en) 2003-12-30 2011-11-15 Entrust, Inc. Method and apparatus for providing electronic message authentication
US20050144450A1 (en) * 2003-12-30 2005-06-30 Entrust Limited Method and apparatus for providing mutual authentication between a sending unit and a recipient
US9281945B2 (en) * 2003-12-30 2016-03-08 Entrust, Inc. Offline methods for authentication in a client/server authentication system
US7630323B2 (en) * 2004-03-11 2009-12-08 Symbol Technologies, Inc. Self-configuring wireless personal area network
US8208634B2 (en) * 2004-04-16 2012-06-26 Qualcomm Incorporated Position based enhanced security of wireless communications
US7509131B2 (en) * 2004-06-29 2009-03-24 Microsoft Corporation Proximity detection using wireless signal strengths
WO2006002458A1 (en) * 2004-07-07 2006-01-12 Nariste Networks Pty Ltd Location-enabled security services in wireless network
US7480803B1 (en) 2004-07-23 2009-01-20 Sprint Communications Company L.P. System and method for securing system content by automated device authentication
KR100620687B1 (en) * 2004-08-17 2006-09-19 주식회사 팬택앤큐리텔 Short Message Service System based on the position of a mobile phone and message generation method and message display method
US7680087B2 (en) * 2004-09-08 2010-03-16 Canon U.S.A., Inc. Wireless state machine and multiplexing method for concurrent ad-hoc and infrastructure mode service in wireless networking
US20060072760A1 (en) * 2004-09-29 2006-04-06 Frank Gates System and method to use a wireless network to protect data and equipment
US8369264B2 (en) * 2005-10-28 2013-02-05 Skyhook Wireless, Inc. Method and system for selecting and providing a relevant subset of Wi-Fi location information to a mobile client device so the client device may estimate its position with efficient utilization of resources
US7414988B2 (en) 2004-10-29 2008-08-19 Skyhook Wireless, Inc. Server for updating location beacon database
US8244272B2 (en) 2005-02-22 2012-08-14 Skyhook Wireless, Inc. Continuous data optimization of moved access points in positioning systems
EP1662820A1 (en) * 2004-11-25 2006-05-31 Siemens Aktiengesellschaft Transmission of service-relevant access information on authentication of a terminal at an access device of a telecommunications network
US8553885B2 (en) 2005-01-27 2013-10-08 Blackberry Limited Wireless personal area network having authentication and associated methods
US7865602B2 (en) * 2005-02-23 2011-01-04 Nokia Siemens Networks Oy System, method, and network elements for providing a service such as an advice of charge supplementary service in a communication network
US20060193299A1 (en) * 2005-02-25 2006-08-31 Cicso Technology, Inc., A California Corporation Location-based enhancements for wireless intrusion detection
US20060212535A1 (en) * 2005-03-21 2006-09-21 Marvell World Trade Ltd. Network system for distributing protected content
EP1708527A1 (en) * 2005-03-31 2006-10-04 BRITISH TELECOMMUNICATIONS public limited company Location based authentication
US8190155B2 (en) * 2005-05-11 2012-05-29 Interdigital Technology Corporation Method and system for reselecting an access point
CN100383695C (en) * 2005-05-11 2008-04-23 联想(北京)有限公司 Safety turn-on method in visual range
JP4577776B2 (en) * 2005-05-25 2010-11-10 フェリカネットワークス株式会社 Non-contact IC chip and portable terminal
ES2384326T3 (en) * 2005-06-20 2012-07-03 Telecom Italia S.P.A. Procedure and system to manage the authentication of a mobile terminal in a communications network, corresponding network and software product
SE532098C2 (en) * 2005-08-23 2009-10-20 Smarttrust Ab Authentication system and procedure
US8257177B1 (en) 2005-10-04 2012-09-04 PICO Mobile Networks, Inc Proximity based games for mobile communication devices
US8411662B1 (en) 2005-10-04 2013-04-02 Pico Mobile Networks, Inc. Beacon based proximity services
WO2007062192A2 (en) * 2005-11-23 2007-05-31 Skyhook Wireless, Inc. Location toolbar for internet search and communication
WO2007064747A1 (en) * 2005-11-29 2007-06-07 Pango Networks Methods and apparatus for active radio frequency identification tags
EP1802155A1 (en) * 2005-12-21 2007-06-27 Cronto Limited System and method for dynamic multifactor authentication
US20070184851A1 (en) * 2005-12-30 2007-08-09 Pango Networks, Inc. Methods and apparatus for location synthesis in a wireless network environment
US8494559B1 (en) 2005-12-30 2013-07-23 At&T Intellectual Property I, L.P. Method and system for selecting a wireless access technology using location based information
WO2007094056A1 (en) * 2006-02-15 2007-08-23 Fujitsu Limited Communication device, wireless communication device, and control method
US7471954B2 (en) * 2006-02-24 2008-12-30 Skyhook Wireless, Inc. Methods and systems for estimating a user position in a WLAN positioning system based on user assigned access point locations
US7603130B2 (en) * 2006-03-08 2009-10-13 Microsoft Corporation Locating and displaying information about users of proximately located wireless computing devices
US8270418B2 (en) * 2006-03-14 2012-09-18 Telefonaktiebolget Lm Ericsson (Publ) Access control in a communication network
US8014788B2 (en) * 2006-05-08 2011-09-06 Skyhook Wireless, Inc. Estimation of speed of travel using the dynamic signal strength variation of multiple WLAN access points
US7551929B2 (en) 2006-05-08 2009-06-23 Skyhook Wireless, Inc. Estimation of speed and direction of travel in a WLAN positioning system using multiple position estimations
US7835754B2 (en) 2006-05-08 2010-11-16 Skyhook Wireless, Inc. Estimation of speed and direction of travel in a WLAN positioning system
US7551579B2 (en) 2006-05-08 2009-06-23 Skyhook Wireless, Inc. Calculation of quality of wlan access point characterization for use in a wlan positioning system
US7970013B2 (en) * 2006-06-16 2011-06-28 Airdefense, Inc. Systems and methods for wireless network content filtering
JP2008027422A (en) * 2006-06-19 2008-02-07 Ricoh Co Ltd Request transmission management device and method
US20070296696A1 (en) * 2006-06-21 2007-12-27 Nokia Corporation Gesture exchange
US8230087B2 (en) * 2006-06-22 2012-07-24 Nokia Corporation Enforcing geographic constraints in content distribution
WO2008006077A2 (en) * 2006-07-07 2008-01-10 Skyhook Wireless Inc. Systems and methods of gathering information from wlan- enabled access points to estimate position of a wlan positioning device
US7680502B2 (en) * 2006-07-28 2010-03-16 Mccown Steven H Radio frequency detection assembly and method for detecting radio frequencies
JP2009545922A (en) * 2006-08-04 2009-12-24 スカイフック ワイヤレス,インク. System and method for automatically extracting location information from a user device for use in a server system
US8281392B2 (en) 2006-08-11 2012-10-02 Airdefense, Inc. Methods and systems for wired equivalent privacy and Wi-Fi protected access protection
US20080066181A1 (en) * 2006-09-07 2008-03-13 Microsoft Corporation DRM aspects of peer-to-peer digital content distribution
US20160210636A9 (en) * 2006-09-08 2016-07-21 American Well Corporation Verification processing for brokered engagements
US7856234B2 (en) 2006-11-07 2010-12-21 Skyhook Wireless, Inc. System and method for estimating positioning error within a WLAN-based positioning system
US20080117862A1 (en) * 2006-11-16 2008-05-22 Yerachmiel Yeshayahu Techniques to use location information to reduce scanning in wireless networks
JP4407691B2 (en) * 2006-11-20 2010-02-03 ソニー株式会社 COMMUNICATION DEVICE, COMMUNICATION DEVICE PROTECTION METHOD, AND PROGRAM
US8000719B1 (en) * 2006-11-21 2011-08-16 Pico Mobile Networks, Inc. Multi-mode location services
US7970384B1 (en) 2006-11-21 2011-06-28 Picomobile Networks, Inc. Active phone book enhancements
US7978699B1 (en) 2006-11-21 2011-07-12 Picomobile Networks, Inc. Protocol compression with synchronized sequence numbers
US7961756B1 (en) 2006-11-21 2011-06-14 Picomobile Networks, Inc. Integrated multimedia system
US8279884B1 (en) 2006-11-21 2012-10-02 Pico Mobile Networks, Inc. Integrated adaptive jitter buffer
US8774018B1 (en) * 2006-12-14 2014-07-08 At&T Intellectual Property I, L.P. Interactive inquiry and access to information via cellular networks
US7787891B2 (en) * 2006-12-20 2010-08-31 Intel Corporation Mobile station localization apparatus, systems, and methods
US20080178252A1 (en) * 2007-01-18 2008-07-24 General Instrument Corporation Password Installation in Home Networks
US7940732B2 (en) * 2007-01-19 2011-05-10 At&T Intellectual Property I, L.P. Automatic wireless network device configuration
US10027789B2 (en) 2007-02-13 2018-07-17 Google Llc Modular wireless communicator
US8391921B2 (en) 2007-02-13 2013-03-05 Google Inc. Modular wireless communicator
US7970433B2 (en) 2007-06-08 2011-06-28 Modu Ltd. SD switch box in a cellular handset
US9247516B2 (en) * 2007-02-28 2016-01-26 Polaris Wireless, Inc. Estimating whether or not a wireless terminal is in a geographic zone using pattern classification
US9013298B2 (en) * 2007-03-13 2015-04-21 Honeywell International Inc. System and method for providing location-based training information
WO2008116168A1 (en) * 2007-03-21 2008-09-25 Jadi, Inc. Navigation unit and base station
US20080242372A1 (en) * 2007-03-26 2008-10-02 Kurt Schmidt Electronic device with location-based and presence-based physical attributes and method of controlling same
US20080242283A1 (en) * 2007-03-26 2008-10-02 Bellsouth Intellectual Property Corporation Methods, Systems and Computer Program Products for Enhancing Communications Services
US20080248808A1 (en) * 2007-04-05 2008-10-09 Farshid Alizadeh-Shabdiz Estimation of position, speed and bearing using time difference of arrival and received signal strength in a wlan positioning system
US8155081B1 (en) 2007-05-21 2012-04-10 Marvell International Ltd. Self learning roaming optimization
US8045960B2 (en) * 2007-05-31 2011-10-25 Honeywell International Inc. Integrated access control system and a method of controlling the same
US8984133B2 (en) * 2007-06-19 2015-03-17 The Invention Science Fund I, Llc Providing treatment-indicative feedback dependent on putative content treatment
US8682982B2 (en) * 2007-06-19 2014-03-25 The Invention Science Fund I, Llc Preliminary destination-dependent evaluation of message content
US20080320088A1 (en) * 2007-06-19 2008-12-25 Searete Llc, A Limited Liability Corporation Of The State Of Delaware Helping valuable message content pass apparent message filtering
US9374242B2 (en) * 2007-11-08 2016-06-21 Invention Science Fund I, Llc Using evaluations of tentative message content
EP2009838A1 (en) * 2007-06-29 2008-12-31 France Télécom Efficient and secure cryptographic coupon reloading
FR2918529A1 (en) * 2007-07-02 2009-01-09 France Telecom METHOD FOR COMMUNICATING A TERMINAL WITH A SERVER
US8274957B2 (en) 2007-07-20 2012-09-25 Broadcom Corporation Method and system for dynamically setting up and tearing down connections in mesh networks
US8065404B2 (en) * 2007-08-31 2011-11-22 The Invention Science Fund I, Llc Layering destination-dependent content handling guidance
US8082225B2 (en) * 2007-08-31 2011-12-20 The Invention Science Fund I, Llc Using destination-dependent criteria to guide data transmission decisions
US8989764B2 (en) * 2007-09-05 2015-03-24 The University Of Utah Research Foundation Robust location distinction using temporal link signatures
US20090070424A1 (en) * 2007-09-06 2009-03-12 Brillhart David C System and method to provide a centralized alerting and awareness system through the use of an ear piece or other user interface
US7894412B2 (en) * 2007-09-07 2011-02-22 Cisco Technology, Inc. Floor determination for a wireless device
US20100278335A1 (en) * 2007-11-02 2010-11-04 Per Enge Arrangements for Location-Based Security Systems and Methods Therefor
US7930389B2 (en) 2007-11-20 2011-04-19 The Invention Science Fund I, Llc Adaptive filtering of annotated messages or the like
US8140076B2 (en) * 2007-12-17 2012-03-20 Motorola Mobility, Inc. Method for facilitating a mobile station to perform a fast handoff
US8220034B2 (en) * 2007-12-17 2012-07-10 International Business Machines Corporation User authentication based on authentication credentials and location information
US20090165116A1 (en) * 2007-12-20 2009-06-25 Morris Robert P Methods And Systems For Providing A Trust Indicator Associated With Geospatial Information From A Network Entity
US20090298419A1 (en) * 2008-05-28 2009-12-03 Motorola, Inc. User exchange of content via wireless transmission
US20090303113A1 (en) * 2008-06-06 2009-12-10 Skyhook Wireless, Inc. Methods and systems for improving the accuracy of expected error estimation in a hybrid positioning system
WO2010005731A1 (en) * 2008-06-16 2010-01-14 Skyhook Wireless, Inc. Methods and systems for determining location using a cellular and wlan positioning system by selecting the best wlan ps solution
US8412226B2 (en) * 2008-06-24 2013-04-02 Google Inc. Mobile phone locator
US8089371B2 (en) * 2008-07-30 2012-01-03 Cisco Technology, Inc. Logical floor determination for a wireless device using weighted AP received signal strengths
KR101505682B1 (en) * 2008-09-11 2015-03-24 엘지전자 주식회사 Mobile Terminal, Restricting System and Method of opening Information using the Mobile Terminal
US9049225B2 (en) * 2008-09-12 2015-06-02 University Of Utah Research Foundation Method and system for detecting unauthorized wireless access points using clock skews
US8170580B2 (en) * 2008-11-04 2012-05-01 International Business Machines Corporation Geo-boundary triggered messaging and schedule system and method of use
US8581698B2 (en) * 2008-11-25 2013-11-12 Nokia Corporation Method, apparatus and computer program product for facilitating location discovery
US8787929B2 (en) * 2009-02-09 2014-07-22 International Business Machines Corporation System and methods for providing location information using location based queues
US8063820B2 (en) 2009-07-16 2011-11-22 Skyhook Wireless, Inc. Methods and systems for determining location using a hybrid satellite and WLAN positioning system by selecting the best SPS measurements
US8022877B2 (en) 2009-07-16 2011-09-20 Skyhook Wireless, Inc. Systems and methods for using a satellite positioning system to detect moved WLAN access points
US20110021207A1 (en) * 2009-07-24 2011-01-27 Morgan Edward J System and Method for Estimating Positioning Error Within a WLAN-Based Positioning System
US8406785B2 (en) 2009-08-18 2013-03-26 Skyhook Wireless, Inc. Method and system for estimating range of mobile device to wireless installation
US8638256B2 (en) 2009-09-29 2014-01-28 Skyhook Wireless, Inc. Accuracy and performance of a hybrid positioning system
US8279114B2 (en) 2009-10-02 2012-10-02 Skyhook Wireless, Inc. Method of determining position in a hybrid positioning system using a dilution of precision metric
US9380401B1 (en) 2010-02-03 2016-06-28 Marvell International Ltd. Signaling schemes allowing discovery of network devices capable of operating in multiple network modes
FR2958102B1 (en) * 2010-03-23 2012-08-17 Ingenico Sa METHOD AND SYSTEM FOR VALIDATING A TRANSACTION, TRANSACTIONAL TERMINAL AND PROGRAM THEREFOR.
US8619643B2 (en) 2010-03-24 2013-12-31 Skyhook Wireless, Inc. System and method for estimating the probability of movement of access points in a WLAN-based positioning system
US9014715B2 (en) 2010-06-11 2015-04-21 Skyhook Wireless, Inc. Systems for and methods of determining likelihood of atypical transmission characteristics of reference points in a positioning system
CA2804179C (en) * 2010-07-06 2020-01-14 Galileo Satellite Navigation Ltd. Indoor satellite navigation system
US8818288B2 (en) 2010-07-09 2014-08-26 University Of Utah Research Foundation Statistical inversion method and system for device-free localization in RF sensor networks
US20120309415A1 (en) * 2010-07-21 2012-12-06 Zulutime, Llc Multipath compensation within geolocation of mobile devices
US9031775B2 (en) 2010-08-03 2015-05-12 Raytheon Company Determining locations of wireless mobile devices
US8606294B2 (en) 2010-10-05 2013-12-10 Skyhook Wireless, Inc. Method of and system for estimating temporal demographics of mobile users
US8890746B2 (en) 2010-11-03 2014-11-18 Skyhook Wireless, Inc. Method of and system for increasing the reliability and accuracy of location estimation in a hybrid positioning system
KR20120055371A (en) * 2010-11-23 2012-05-31 한국전자통신연구원 Method and apparatus for protecting digital contents
KR20120058199A (en) * 2010-11-29 2012-06-07 한국전자통신연구원 User authentication method using location information
US8553617B1 (en) 2010-12-01 2013-10-08 Google Inc. Channel scanning
US8551186B1 (en) * 2010-12-06 2013-10-08 Amazon Technologies, Inc. Audible alert for stolen user devices
US20120331561A1 (en) 2011-06-22 2012-12-27 Broadstone Andrew J Method of and Systems for Privacy Preserving Mobile Demographic Measurement of Individuals, Groups and Locations Over Time and Space
US10068084B2 (en) * 2011-06-27 2018-09-04 General Electric Company Method and system of location-aware certificate based authentication
US20130155102A1 (en) * 2011-12-20 2013-06-20 Honeywell International Inc. Systems and methods of accuracy mapping in a location tracking system
US10552581B2 (en) 2011-12-30 2020-02-04 Elwha Llc Evidence-based healthcare information management protocols
US20130173295A1 (en) 2011-12-30 2013-07-04 Elwha LLC, a limited liability company of the State of Delaware Evidence-based healthcare information management protocols
US10559380B2 (en) 2011-12-30 2020-02-11 Elwha Llc Evidence-based healthcare information management protocols
US10528913B2 (en) 2011-12-30 2020-01-07 Elwha Llc Evidence-based healthcare information management protocols
US10340034B2 (en) 2011-12-30 2019-07-02 Elwha Llc Evidence-based healthcare information management protocols
US10679309B2 (en) 2011-12-30 2020-06-09 Elwha Llc Evidence-based healthcare information management protocols
US10475142B2 (en) 2011-12-30 2019-11-12 Elwha Llc Evidence-based healthcare information management protocols
US9282471B2 (en) 2012-03-21 2016-03-08 Digimarc Corporation Positioning systems for wireless networks
CN102801856A (en) * 2012-07-30 2012-11-28 上海华勤通讯技术有限公司 Method for executing task in accordance with position
EP2712237B1 (en) * 2012-08-01 2018-06-13 Huawei Device Co., Ltd. Controlling a terminal device to access wireless network
US9479498B2 (en) 2012-09-28 2016-10-25 Intel Corporation Providing limited access to a service device via an intermediary
US9019974B2 (en) * 2012-10-26 2015-04-28 Blackberry Limited Multiple access point name and IP service connectivity
US9188668B2 (en) 2012-11-27 2015-11-17 At&T Intellectual Property I, L.P. Electromagnetic reflection profiles
US9060282B2 (en) 2012-12-04 2015-06-16 At&T Mobility Ii Llc Classification of indoor and outdoor telecommunications events of mobile telecommunications networks
US9026787B2 (en) * 2012-12-09 2015-05-05 International Business Machines Corporation Secure access using location-based encrypted authorization
US8839361B2 (en) * 2013-02-04 2014-09-16 Honeywell International Inc. Access control system and method with GPS location validation
US9767323B2 (en) * 2013-03-15 2017-09-19 International Business Machines Corporation Spatial security for stored data
JP2015012494A (en) * 2013-06-28 2015-01-19 パナソニックIpマネジメント株式会社 Visible light communication system
US9124659B2 (en) * 2013-07-23 2015-09-01 The Boeing Company Shared space for crew communication
US9998863B2 (en) 2013-08-19 2018-06-12 Estimote Polska Sp. Z O. O. System and method for providing content using beacon systems
US9202245B2 (en) * 2013-08-19 2015-12-01 Estimote Polska Sp. Z O.O. Wireless beacon and methods
CN103475998A (en) 2013-08-30 2013-12-25 北京智谷睿拓技术服务有限公司 Wireless network service providing method and system
US9838536B2 (en) * 2013-09-30 2017-12-05 Elwha, Llc Mobile device sharing facilitation methods and systems
US9740875B2 (en) 2013-09-30 2017-08-22 Elwha Llc Mobile device sharing facilitation methods and systems featuring exclusive data presentation
US9774728B2 (en) 2013-09-30 2017-09-26 Elwha Llc Mobile device sharing facilitation methods and systems in a context of plural communication records
US9826439B2 (en) 2013-09-30 2017-11-21 Elwha Llc Mobile device sharing facilitation methods and systems operable in network equipment
US9805208B2 (en) 2013-09-30 2017-10-31 Elwha Llc Mobile device sharing facilitation methods and systems with recipient-dependent inclusion of a data selection
US9813891B2 (en) 2013-09-30 2017-11-07 Elwha Llc Mobile device sharing facilitation methods and systems featuring a subset-specific source identification
US8718682B2 (en) * 2013-10-28 2014-05-06 Bandwidth.Com, Inc. Techniques for radio fingerprinting
US9148865B2 (en) * 2013-10-28 2015-09-29 Bandwidth.Com, Inc. Techniques for identification and valuation using a multi-point radio fingerprint
US10009099B2 (en) * 2014-03-29 2018-06-26 Intel Corporation Techniques for communication with body-carried devices
US9820022B2 (en) * 2014-12-11 2017-11-14 Adtran, Inc. Managing network access based on ranging information
US9826351B2 (en) 2015-09-02 2017-11-21 Estimote Polska Sp. Z O. O. System and method for beacon fleet management
US10136250B2 (en) 2015-09-02 2018-11-20 Estimote Polska Sp. Z O. O. System and method for lower power data routing
US9622208B2 (en) 2015-09-02 2017-04-11 Estimote, Inc. Systems and methods for object tracking with wireless beacons
US9867009B2 (en) 2016-03-22 2018-01-09 Estimote Polska Sp. Z O. O. System and method for multi-beacon interaction and management
WO2018009878A1 (en) 2016-07-07 2018-01-11 Estimote Polska Sp. Z O. O. Method and system for content delivery with a beacon
US10284538B2 (en) 2016-10-26 2019-05-07 Bank Of America Corporation System for processing an even request by determining a matching user profile based on user identifying information
US10255222B2 (en) 2016-11-22 2019-04-09 Dover Electronics LLC System and method for wirelessly transmitting data from a host digital device to an external digital location
US10878067B2 (en) * 2017-07-13 2020-12-29 Nec Corporation Of America Physical activity and IT alert correlation
US11170208B2 (en) * 2017-09-14 2021-11-09 Nec Corporation Of America Physical activity authentication systems and methods
US11146540B2 (en) * 2018-05-09 2021-10-12 Datalogic Ip Tech S.R.L. Systems and methods for public key exchange employing a peer-to-peer protocol
JP2020005024A (en) * 2018-06-25 2020-01-09 ルネサスエレクトロニクス株式会社 Terminal authentication device, terminal authentication system and terminal authentication method
WO2020039252A1 (en) 2018-08-22 2020-02-27 Estimote Polska Sp Z.O.O. System and method for verifying device security
WO2020039251A2 (en) 2018-08-24 2020-02-27 Estimote Polska Sp z o.o. A method and system for asset management
US11082451B2 (en) * 2018-12-31 2021-08-03 Citrix Systems, Inc. Maintaining continuous network service
US11196736B2 (en) * 2019-02-12 2021-12-07 Fujifilm Business Innovation Corp. Systems and methods for location-aware two-factor authentication
US11134081B2 (en) 2019-10-31 2021-09-28 International Business Machines Corporation Authentication mechanism utilizing location corroboration
US11337176B2 (en) 2020-06-12 2022-05-17 Cisco Technology, Inc. Access point based location system for high density wifi deployments
US20230096372A1 (en) * 2021-09-27 2023-03-30 At&T Intellectual Property I, L.P. Localized authorization for secure communication

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6011973A (en) * 1996-12-05 2000-01-04 Ericsson Inc. Method and apparatus for restricting operation of cellular telephones to well delineated geographical areas
WO2000051365A2 (en) * 1999-02-26 2000-08-31 Telefonaktiebolaget Lm Ericsson (Publ) Geographical information for location-based services
US6424840B1 (en) * 1999-11-05 2002-07-23 Signalsoft Corp. Method and system for dynamic location-based zone assignment for a wireless communication network

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000023956A1 (en) * 1998-10-22 2000-04-27 University Of Maryland Method and system for providing location dependent and personal identification information to a public safety answering point
US6177905B1 (en) * 1998-12-08 2001-01-23 Avaya Technology Corp. Location-triggered reminder for mobile user devices
US7286671B2 (en) * 2001-11-09 2007-10-23 Ntt Docomo Inc. Secure network access method
FI117079B (en) * 2002-03-11 2006-05-31 Nokia Corp Method and apparatus for displaying reminders in a portable device
US20040203789A1 (en) * 2002-11-12 2004-10-14 Hammond Marc John Location service assisted transition between wireless networks

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6011973A (en) * 1996-12-05 2000-01-04 Ericsson Inc. Method and apparatus for restricting operation of cellular telephones to well delineated geographical areas
WO2000051365A2 (en) * 1999-02-26 2000-08-31 Telefonaktiebolaget Lm Ericsson (Publ) Geographical information for location-based services
US6424840B1 (en) * 1999-11-05 2002-07-23 Signalsoft Corp. Method and system for dynamic location-based zone assignment for a wireless communication network

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7221949B2 (en) 2005-02-28 2007-05-22 Research In Motion Limited Method and system for enhanced security using location-based wireless authentication
US9014725B2 (en) 2005-02-28 2015-04-21 Blackberry Limited Method and system for enhanced security using location based wireless authentication
EP1696626A1 (en) * 2005-02-28 2006-08-30 Research In Motion Limited Method and System for Enhanced Security Using Location Based Wireless Authentication
EP1708528A1 (en) * 2005-03-31 2006-10-04 BRITISH TELECOMMUNICATIONS public limited company Location based authentication
WO2006103390A1 (en) * 2005-03-31 2006-10-05 British Telecommunications Public Limited Company Proximity based authentication using tokens
US11308477B2 (en) 2005-04-26 2022-04-19 Spriv Llc Method of reducing fraud in on-line transactions
US11556932B2 (en) 2007-05-29 2023-01-17 Spriv Llc System for user authentication
US11354667B2 (en) 2007-05-29 2022-06-07 Spriv Llc Method for internet user authentication
US11792314B2 (en) 2010-03-28 2023-10-17 Spriv Llc Methods for acquiring an internet user's consent to be located and for authenticating the location information
CN105981348A (en) * 2014-02-07 2016-09-28 微软技术许可有限责任公司 Securely determining the location of a user
WO2015119870A1 (en) * 2014-02-07 2015-08-13 Microsoft Technology Licensing, Llc Securely determining the location of a user
US11818287B2 (en) 2017-10-19 2023-11-14 Spriv Llc Method and system for monitoring and validating electronic transactions
US11936803B2 (en) 2019-12-22 2024-03-19 Spriv Llc Authenticating the location of an internet user

Also Published As

Publication number Publication date
US20040190718A1 (en) 2004-09-30
US6978023B2 (en) 2005-12-20
US7983677B2 (en) 2011-07-19
US20060078122A1 (en) 2006-04-13
US7764794B2 (en) 2010-07-27
US20100093374A1 (en) 2010-04-15

Similar Documents

Publication Publication Date Title
US6978023B2 (en) Apparatus and method for location based wireless client authentication
KR102098137B1 (en) System and method for setting real-time location
Tippenhauer et al. Id-based secure distance bounding and localization
US20150138013A1 (en) Apparatus and method for positioning wlan terminal
US20090017839A1 (en) Wireless network with enhanced security by real-time identification of a location of a received packet source
Adelstein et al. Physically locating wireless intruders
Gill et al. Passive techniques for detecting session hijacking attacks in IEEE 802.11 wireless networks
Altaweel et al. Evildirect: A new wi-fi direct hijacking attack and countermeasures
Heo et al. FMS-AMS: Secure proximity-based authentication for wireless access in Internet of Things
Lackner et al. Combating wireless LAN MAC-layer address spoofing with fingerprinting methods
Zhang et al. Secure localization in wireless sensor networks
Malaney Securing Wi-Fi networks with position verification: extended version
Pandey et al. A low-cost robust localization scheme for WLAN
Ma et al. A non-sense authentication scheme of wlan based on rssi location fingerprint
Agrawal et al. Secure mobile computing
Velmurugan et al. Elliptical Curve Cryptography based Secure Location Verification in clustered WSN
CN113455019B (en) System for trusted distance measurement
WO2023097492A1 (en) Method for verifying an identity of an electronic device and related device
Han et al. Proactive attacker localization in wireless LAN
Rahimi An Indoor Geo-Fencing Based Access Control System for Wireless Networks
Saelim et al. A new algorithm for location-based access control using IAPP in WLANs
Hasan et al. Protecting Regular and Social Network Users in a Wireless Network by Detecting Rogue Access Point: Limitations and Countermeasures
Henry et al. Reducing FTM ranging and location attack exposure with crowd-wisdom
Aldasouqi et al. Detecting and Localizing Wireless Network Attacks Techniques
Nandhini et al. Trust based Robust Position Estimation in wireless sensor networks

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase