WO2007127547A2 - Method and system for propagating mutual authentication data in wireless communication networks - Google Patents
- Publication number: WO2007127547A2
- Application number: PCT/US2007/064390
- Authority: WO (WIPO (PCT))
- Prior art keywords: node, network, nodes, authentication, operating
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
          - H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
        - H04L63/16—Implementing security features at a particular protocol layer
          - H04L63/166—Implementing security features at a particular protocol layer at the transport layer
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/06—Authentication
          - H04W12/069—Authentication using certificates or pre-shared keys
      - H04W84/00—Network topologies
        - H04W84/18—Self-organising networks, e.g. ad-hoc networks or sensor networks
      - H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
        - H04W88/02—Terminal devices
          - H04W88/04—Terminal devices adapted for relaying to or from another terminal or user
      - H04W92/00—Interfaces specially adapted for wireless communication networks
        - H04W92/16—Interfaces between hierarchically similar devices
          - H04W92/18—Interfaces between hierarchically similar devices between terminal devices
Definitions
- the present invention relates generally to establishing trust between wireless network nodes, and in particular to propagating mutual authentication data between nodes operating in different wireless communication networks.
- EAP Extensible Authentication Protocol
- EAPOL EAP Over Local Area Network
- the authentication process involves several EAPOL packets being transmitted and received, beginning with an EAPOL-Start packet and finishing with either an EAP Success message or an EAP Failure message.
- the authentication server stores the authentication credentials of a mobile device (typically called a supplicant) that is being authenticated.
- Authentication servers also can be connected to other authentication servers to obtain supplicant authentication credentials that are not stored locally.
- FIG. 1 is a schematic diagram illustrating network interactions used to propagate authentication data across networks, according to an embodiment of the present invention.
- FIG. 2 is a general flow diagram illustrating a method for propagating mutual authentication data through both a first ad hoc wireless communication network and a second ad hoc wireless communication network, according to an embodiment of the present invention.
- FIG. 3 is a block diagram illustrating components of a network node, according to an embodiment of the present invention.
- embodiments of the invention described herein may be comprised of one or more conventional processors and unique stored program instructions that control the one or more processors to implement, in conjunction with certain non-processor circuits, some, most, or all of the functions of propagating mutual authentication data in wireless communication networks as described herein.
- the non-processor circuits may include, but are not limited to, a radio receiver, a radio transmitter, signal drivers, clock circuits, power source circuits, and user input devices. As such, these functions may be
- One embodiment of the present invention employs nodes from two independent ad hoc wireless networks to propagate authentication data through both networks.
- two independent response teams may arrive at an incident scene where the two teams will need to operate together.
- the incident scene may include for example a crime scene, a fire scene, an accident scene, a biological or a chemical hazard scene, or any other type of emergency or otherwise critical scene.
- the first response team comprises police officers and the second response team comprises firefighters.
- the police officers communicate with each other using a first secure ad hoc wireless network
- the firefighters communicate with each other using a second secure ad hoc wireless network.
- an embodiment of the present invention enables mutual authentication data to be propagated using multi-hop communications through both secure ad hoc wireless networks, so that the police officers and the firefighters can securely communicate with each other. The result is effectively a single "super network" that comprises nodes from both secure ad hoc wireless networks.
- FIG. 1 a schematic diagram illustrates network interactions used to propagate authentication data across networks, according to an embodiment of the present invention.
- Two nodes 100-n (i.e., 100-1, 100-2) are shown as members of a first secure ad hoc wireless communication network 105 defined by line 110.
- Four other nodes 115-n (i.e., 115-1, 115-2, 115-3, 115-4) are shown as members of a second secure ad hoc wireless communication network 120 defined by line 125.
- the nodes 100-n may be associated with a group of police officers and the nodes 115-n may be associated with a group of firefighters, where both groups have arrived at an incident scene and need to communicate with each other.
- Each node 100-n, 115-n may comprise, for example, a wireless device such as a mobile telephone, a personal digital assistant (PDA), a notebook computer, or the like. Initially, the nodes 100-n may be unable to securely communicate with the nodes 115-n because no mutual authentication has occurred between the first network 105 and the second network 120.
- PDA personal digital assistant
- the node 115-1 operating in the second network 120 completes a mutual authentication process with the node 100-2 operating in the first network 105.
- the police officer associated with the node 100-2 and the firefighter associated with the node 115-1 can meet face-to-face and agree that their respective networks 105, 120 should trust each other and should be combined into a single super network.
- the super network will comprise all of the nodes 100-n and all of the nodes 115-n, enabling secure communications between both networks 105, 120.
- mutual authentication enables a node 100-n operating in the network 105 to act as an intermediate node in a multi-hop communication between two nodes 115-n operating in the network 120.
- the mutual authentication process can include a user of the node 100-2 manually authorizing trust of a certificate issued by a trust anchor associated with the other network 120. Similarly, a user of the node 115-1 manually authorizes trust of a certificate issued by a trust anchor associated with the other network 105. After the manual authentication completes, the certificates can be exchanged between the node 100-2 and the node 115-1 using for example a transport layer security (TLS) protocol.
- TLS transport layer security
- the node 100-2 and the node 115-1 propagate authentication related information throughout both the network 105 and the network 120.
- the node 115-1 can transmit a unification message to the node 100-1, which is operating in the network 105.
- the unification message informs the node 100-1 that the node 115-1 is capable of communicating both with nodes 115-n and with nodes 100-n.
- the unification message can comprise an authentication certificate, such as a certificate conforming to an International Telecommunication Union (ITU) X.509 standard.
- ITU International Telecommunication Union
- the node 115-1 thus uses the unification message to advertise that it can act as a trust bridge between the network 105 and the network 120.
- the unification message can be transmitted to the node 100-1 as a broadcast message.
- a broadcast message can comprise a beacon that includes a service set identifier (SSID) of the network 105.
- SSID service set identifier
- In response to the unification message, the node 100-1 also can seek to become mutually authenticated with both networks 105, 120. That can be accomplished by relaying authentication messages, through the node 115-1, between the node 100-1 and the node 100-2. Similar relaying of authentication messages can then occur through other nodes 100-n, 115-n until all of the nodes 100-n, 115-n are mutually authenticated with both networks 105, 120.
- such relaying of authentication messages can be performed as described in United States Patent Application Serial Number 11/108999, filed on April 19, 2005, entitled “System And Methods For Providing Multi-Hop Access In A Communications Network", assigned to the assignee of the present invention, which application is hereby incorporated by reference herein in its entirety.
- Such relaying of authentication messages is defined herein as an IEEE 802.1X relay authentication method.
- a general flow diagram illustrates a method 200 for propagating mutual authentication data through both a first ad hoc wireless communication network and a second ad hoc wireless communication network, according to an embodiment of the present invention.
- a first node operating in the first network and a second node operating in the second network are mutually authenticated.
- a user of the node 100-2, operating in the network 105 manually authorizes trust of a certificate issued by a trust anchor associated with the other network 120.
- a user of the node 115-1 operating in the network 120, manually authorizes trust of a certificate issued by a trust anchor associated with the other network 105.
- a unification message is transmitted from the first node to a third node operating in the second network, where the unification message indicates that the first node is authenticated with the second network.
- the node 115-1 can transmit a unification message to the node 100-1, which is operating in the network 105.
- the unification message informs the node 100-1 that the node 115-1 is capable of communicating both with nodes 115-n and with nodes 100-n.
- the third node and the second node are mutually authenticated by relaying authentication messages through the first node.
- the node 100-1, performing as the third node described in step 215 also can seek to become mutually authenticated with both networks 105, 120. That can be accomplished by relaying authentication messages, through the node 115-1, between the node 100-1 and the node 100-2.
- a fourth node operating in the first network and a fifth node operating in the second network are mutually authenticated.
- a plurality of additional nodes operating in the first network are mutually authenticated, using the method steps described above, with a plurality of additional nodes operating in the second network.
- FIG. 3 a block diagram illustrates components of a network node, such as a node 100-n or a node 115-n, according to an embodiment of the present invention.
- a system of a node 100-n or a node 115-n can include a processor 305 such as a standard microprocessor or application specific integrated circuit (ASIC) operatively coupled to a memory 310.
- ASIC application specific integrated circuit
- the memory 310 comprises a computer readable medium such as a random access memory (e.g., static random access memory (SRAM)), read only memory (e.g., programmable read only memory (PROM), or erasable programmable read only memory (EPROM)), or hybrid memory (e.g., FLASH) as is well known in the art.
- the medium then comprises computer readable program code components that, when processed by the processor 305, are configured to cause the execution of the above described steps of the method 200. Communications such as those involved in the method 200 are then transmitted from or received by a transceiver 315 that is operatively coupled to the processor 305.
- Advantages of the present invention thus include enabling two independent ad hoc wireless communication networks to be mutually authenticated. That effectively results in a single super network, where nodes from a first network can securely communicate with nodes from a second network, using multi-hop communications through nodes from both the first and second networks. Further, those skilled in the art will appreciate that the teachings of the present invention also enable three or more independent ad hoc wireless communication networks to be mutually authenticated. Authentication-related information can be propagated through the networks using authentication certificates, so that a node that is mutually authenticated with more than one network can identify a chain of trust that links to established trust anchors associated with each network.
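The sequence of FIG. 1 and method 200 (face-to-face authorisation of the foreign trust anchor, certificate-based mutual authentication of the bridge pair, the unification message, and the relayed authentication that lets node 100-1 join) played out with real X.509 certificates, so that the chain-of-trust claim above can be checked rather than read. This is an added example, not code from the patent or from Motorola. It uses Go's crypto/x509 chain verification to stand in for the certificate checks of a TLS handshake; the node and anchor names follow the figure; and the step in which 100-2 hands anchor B to 100-1 over the relayed, already-authenticated path is a modelling assumption, as the page only says that authentication messages are relayed through 115-1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Node is one member of an ad hoc network: its own certificate plus the pool of
// trust anchors (CA certificates) it currently accepts.
type Node struct{ Cert *x509.Certificate; Roots *x509.CertPool }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// keyAndTemplate makes a fresh P-256 key and a one-day certificate template for name.
func keyAndTemplate(name string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return key, &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed test PKI; uniqueness is not checked here
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// newAnchor returns a self-signed CA certificate standing in for one network's trust anchor.
func newAnchor(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, tmpl := keyAndTemplate(name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// newNode enrols a node under its home anchor: a leaf certificate signed by that
// anchor, and a root pool that trusts nothing else yet.
func newNode(name string, anchor *x509.Certificate, anchorKey *ecdsa.PrivateKey) *Node {
	key, tmpl := keyAndTemplate(name)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	return &Node{Cert: sign(tmpl, anchor, &key.PublicKey, anchorKey), Roots: roots}
}

// Accepts reports whether peer's certificate chains to an anchor this node trusts,
// the check each side of a TLS handshake applies to the other's certificate.
func (n *Node) Accepts(peer *x509.Certificate) bool {
	_, err := peer.Verify(x509.VerifyOptions{Roots: n.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// MutualAuth succeeds only when the check passes in both directions.
func MutualAuth(a, b *Node) bool { return a.Accepts(b.Cert) && b.Accepts(a.Cert) }

// Trust adds a foreign anchor, as the two users do face-to-face in FIG. 1.
func (n *Node) Trust(anchor *x509.Certificate) { n.Roots.AddCert(anchor) }

// Outcome records each verification point of the scenario, in order.
type Outcome struct{ BeforeBridge, AfterBridge, AdvertAlone, AfterRelay bool }

// RunScenario plays FIG. 1: network 105 (nodes 100-n, anchor A) meets network 120 (nodes 115-n, anchor B).
func RunScenario() Outcome {
	anchorA, keyA := newAnchor("trust anchor of network 105")
	anchorB, keyB := newAnchor("trust anchor of network 120")
	n1001 := newNode("node 100-1", anchorA, keyA)
	n1002 := newNode("node 100-2", anchorA, keyA)
	n1151 := newNode("node 115-1", anchorB, keyB)
	var o Outcome
	o.BeforeBridge = MutualAuth(n1002, n1151) // no shared anchor: the handshake fails
	n1002.Trust(anchorB)                       // face-to-face: each user authorises the other anchor
	n1151.Trust(anchorA)
	o.AfterBridge = MutualAuth(n1002, n1151) // 115-1 (and 100-2) can now act as a trust bridge
	// Unification message: 115-1 advertises its certificate to 100-1, which holds only anchor A.
	o.AdvertAlone = n1001.Accepts(n1151.Cert) // the advertisement alone cannot be verified
	// Relayed authentication: 100-1 authenticates with 100-2 (shared anchor A) through 115-1;
	// that 100-2 then hands anchor B to 100-1 over that authenticated path is a modelling assumption.
	if MutualAuth(n1001, n1002) {
		n1001.Trust(anchorB)
	}
	o.AfterRelay = MutualAuth(n1001, n1151) // 100-1 has joined the super network
	return o
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The four results come out false, true, false, true. The third is the one worth noticing: a node holding only its home anchor cannot verify the bridge's beacon, which is why the method has 100-1 authenticate through the bridge to a node it already trusts instead of accepting the advertised certificate on its own. The flip side is what the super network means in PKI terms: once a node adds the other network's anchor, it accepts every certificate that anchor has ever issued, not just the bridge's.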
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
BRPI0710765-0A BRPI0710765A2 (en) | 2006-04-25 | 2007-03-20 | Method and system for propagating mutual authentication data in wireless communication networks |
GB0820635A GB2453059B (en) | 2006-04-25 | 2007-03-20 | Method and system for propagating mutual authentication data in wireless communication networks |
CN2007800146923A CN101427236B (en) | 2006-04-25 | 2007-03-20 | Method and system for propagating mutual authentication data in wireless communication networks |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/380,118 US7561551B2 (en) | 2006-04-25 | 2006-04-25 | Method and system for propagating mutual authentication data in wireless communication networks |
Publications (3)
Publication Number | Publication Date |
---|---|
WO2007127547A2 true WO2007127547A2 (en) | 2007-11-08 |
WO2007127547A3 WO2007127547A3 (en) | 2008-11-20 |
WO2007127547A4 WO2007127547A4 (en) | 2009-01-22 |
Family
ID=38619419
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2007/064390 WO2007127547A2 (en) | 2006-04-25 | 2007-03-20 | Method and system for propagating mutual authentication data in wireless communication networks |
Country Status (5)
Country | Link |
---|---|
US (1) | US7561551B2 (en) |
CN (1) | CN101427236B (en) |
BR (1) | BRPI0710765A2 (en) |
GB (1) | GB2453059B (en) |
WO (1) | WO2007127547A2 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7561551B2 (en) | 2006-04-25 | 2009-07-14 | Motorola, Inc. | Method and system for propagating mutual authentication data in wireless communication networks |
GB2456290A (en) * | 2007-10-05 | 2009-07-15 | Iti Scotland Ltd | Distributed protocol for authorization |
US8862881B2 (en) | 2006-05-30 | 2014-10-14 | Motorola Solutions, Inc. | Method and system for mutual authentication of wireless communication network nodes |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102006036107A1 (en) * | 2006-04-11 | 2007-10-18 | Siemens Ag | Procedure for determining a task permit |
US8321678B2 (en) * | 2006-10-17 | 2012-11-27 | Sap Ag | System and method to send a message using multiple authentication mechanisms |
US8316422B2 (en) * | 2006-10-17 | 2012-11-20 | Sap Ag | Propagation of principal authentication data in a mediated communication scenario |
US8302160B2 (en) * | 2006-10-17 | 2012-10-30 | Sap Ag | Propagation of authentication data in an intermediary service component |
US7738503B2 (en) * | 2007-02-02 | 2010-06-15 | Palm, Inc. | Multi-way, peer-to-peer synchronization |
US8161283B2 (en) * | 2007-02-28 | 2012-04-17 | Motorola Solutions, Inc. | Method and device for establishing a secure route in a wireless network |
US20090164785A1 (en) * | 2007-12-20 | 2009-06-25 | Motorola, Inc. | Method for authentication in a communication network |
US8539225B2 (en) * | 2008-04-30 | 2013-09-17 | Motorola Solutions, Inc. | Method and device for dynamic deployment of trust bridges in an ad hoc wireless network |
US8839357B2 (en) * | 2010-12-22 | 2014-09-16 | Canon U.S.A., Inc. | Method, system, and computer-readable storage medium for authenticating a computing device |
CN113498055B (en) * | 2020-03-20 | 2022-08-26 | 维沃移动通信有限公司 | Access control method and communication equipment |
CN115834093A (en) * | 2021-09-17 | 2023-03-21 | 华为技术有限公司 | Block chain-based network node control method and system and consensus node |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030135734A1 (en) * | 2002-01-14 | 2003-07-17 | Fagan Robert H. | Secure mutual authentication system |
US20030226017A1 (en) * | 2002-05-30 | 2003-12-04 | Microsoft Corporation | TLS tunneling |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7174018B1 (en) * | 1999-06-24 | 2007-02-06 | Nortel Networks Limited | Security framework for an IP mobility system using variable-based security associations and broker redirection |
US8719562B2 (en) * | 2002-10-25 | 2014-05-06 | William M. Randle | Secure service network and user gateway |
JP3420196B2 (en) * | 2000-09-29 | 2003-06-23 | 株式会社東芝 | Network communication device and bridge device |
US7694330B2 (en) * | 2003-05-23 | 2010-04-06 | Industrial Technology Research Institute | Personal authentication device and system and method thereof |
US7600113B2 (en) * | 2004-02-20 | 2009-10-06 | Microsoft Corporation | Secure network channel |
US20070291669A1 (en) * | 2004-03-17 | 2007-12-20 | Perkinson Terry D | Method and apparatus for a hybrid network service |
US9686669B2 (en) * | 2004-04-08 | 2017-06-20 | Nokia Technologies Oy | Method of configuring a mobile node |
US7411911B2 (en) * | 2005-04-08 | 2008-08-12 | Cisco Technology, Inc. | Network availability status detection device and method |
US7676676B2 (en) * | 2005-11-14 | 2010-03-09 | Motorola, Inc. | Method and apparatus for performing mutual authentication within a network |
US20070286362A1 (en) * | 2006-03-23 | 2007-12-13 | Greg Coleson | System and method for managing customer messages |
US7561551B2 (en) | 2006-04-25 | 2009-07-14 | Motorola, Inc. | Method and system for propagating mutual authentication data in wireless communication networks |
2006
- 2006-04-25 US US11/380,118 patent/US7561551B2/en active Active
2007
- 2007-03-20 WO PCT/US2007/064390 patent/WO2007127547A2/en active Application Filing
- 2007-03-20 GB GB0820635A patent/GB2453059B/en active Active
- 2007-03-20 BR BRPI0710765-0A patent/BRPI0710765A2/en not_active IP Right Cessation
- 2007-03-20 CN CN2007800146923A patent/CN101427236B/en active Active
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7561551B2 (en) | 2006-04-25 | 2009-07-14 | Motorola, Inc. | Method and system for propagating mutual authentication data in wireless communication networks |
US8862881B2 (en) | 2006-05-30 | 2014-10-14 | Motorola Solutions, Inc. | Method and system for mutual authentication of wireless communication network nodes |
GB2456290A (en) * | 2007-10-05 | 2009-07-15 | Iti Scotland Ltd | Distributed protocol for authorization |
GB2456290B (en) * | 2007-10-05 | 2011-03-30 | Iti Scotland Ltd | Distributed protocol for authorisation |
Also Published As
Publication number | Publication date |
---|---|
GB2453059A (en) | 2009-03-25 |
US7561551B2 (en) | 2009-07-14 |
WO2007127547A3 (en) | 2008-11-20 |
BRPI0710765A2 (en) | 2011-06-07 |
CN101427236A (en) | 2009-05-06 |
US20070248050A1 (en) | 2007-10-25 |
CN101427236B (en) | 2011-06-29 |
GB2453059B (en) | 2010-12-01 |
GB0820635D0 (en) | 2008-12-17 |
WO2007127547A4 (en) | 2009-01-22 |
Similar Documents
Publication | Title |
---|---|
US7561551B2 (en) | Method and system for propagating mutual authentication data in wireless communication networks |
CN110999356B (en) | Network security management method and device | |
RU2446606C1 (en) | Method of access with authentication and access system with authentication in wireless multi-hop network | |
CN100539536C (en) | In method that is connected to diverting call between the WLAN (wireless local area network) of mobile network and management equipment | |
EP2063567B1 (en) | A network access authentication and authorization method and an authorization key updating method | |
US8862881B2 (en) | Method and system for mutual authentication of wireless communication network nodes | |
CN102111766B (en) | Network accessing method, device and system | |
KR100952783B1 (en) | System and methods for providing multi-hop access in a communications network | |
EP2247131A1 (en) | A method, device and system of id based wireless multi-hop network autentication access | |
KR101068424B1 (en) | Inter-working function for a communication system | |
TW200922238A (en) | Methods and devices for establishing security associations and performing handoff autentication in wireless communications systems | |
US8161283B2 (en) | Method and device for establishing a secure route in a wireless network | |
CN101120534A (en) | System, method and devices for authentication in a wireless local area network (wlan) | |
EP2022282A2 (en) | Method and system for providing cellular assisted secure communications of a plurality of ad hoc devices | |
CN101262670A (en) | Mobile device, communication system and connection establishment method | |
JP2006345205A (en) | Wireless lan connection control method, wireless lan connection control system, and setting wireless relay device | |
CN101637003B (en) | For the system and method being authenticated for wireless emergency service | |
EP2234438B1 (en) | Wireless personal area network accessing method | |
US10142840B2 (en) | Method and apparatus for operating a user client wireless communication device on a wireless wide area network | |
US20100023752A1 (en) | Method and device for transmitting groupcast data in a wireless mesh communication network | |
US10142834B2 (en) | Method and apparatus for operating a user client wireless communication device on a wireless wide area network | |
CN101150472A (en) | Authentication method, authentication server and terminal in WIMAX | |
JP5091963B2 (en) | Communication station, certificate authority, and authentication method | |
KR20090002328A (en) | Method for joining new device in wireless sensor network | |
WO2008107772A2 (en) | Efficient techniques for error detection and authentication in wireless networks |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07758899; Country of ref document: EP; Kind code of ref document: A2 |
WWE | Wipo information: entry into national phase | Ref document number: 200780014692.3; Country of ref document: CN |
NENP | Non-entry into the national phase | Ref country code: DE |
ENP | Entry into the national phase | Ref document number: 0820635; Country of ref document: GB; Kind code of ref document: A; Free format text: PCT FILING DATE = 20070320 |
WWE | Wipo information: entry into national phase | Ref document number: 0820635.1; Country of ref document: GB |
122 | Ep: pct application non-entry in european phase | Ref document number: 07758899; Country of ref document: EP; Kind code of ref document: A2 |
ENP | Entry into the national phase | Ref document number: PI0710765; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20081024 |