EP2060134A1 - Dynamic temporary MAC address generation in wireless networks - Google Patents
Dynamic temporary MAC address generation in wireless networks
- Publication number
- EP2060134A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- mobile device
- network
- mac address
- access point
- temporary
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/26—Network addressing or numbering for mobility support
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5092—Address allocation by self-assignment, e.g. picking addresses at random and testing if they are already in use
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
- H04L63/0414—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/604—Address structures or formats
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/618—Details of network addresses
- H04L2101/622—Layer-2 addresses, e.g. medium access control [MAC] addresses
Definitions
- the present application relates generally to wireless networking, and more particularly to improving the privacy and security levels of a user's interactions with the network.
- IP is a connectionless protocol.
- the connection between end points during a communication is not continuous.
- the data or messages are divided into components known as packets. Every packet is treated as an independent unit of data.
- OSI Open Systems Interconnection
- the OSI model separates the communications processes between two points in a network into seven stacked layers, with each layer adding its own set of functions. Each device handles a message so that there is a downward flow through each layer at a sending end point and an upward flow through the layers at a receiving end point.
- the programming and/or hardware that provides the seven layers of function is typically a combination of device operating systems, application software, TCP/IP and/or other transport and network protocols, and other software and hardware.
- the top four layers are used when a message passes from or to a user and the bottom three layers are used when a message passes through a device (e.g., an IP host device).
- An IP host is any device on the network that is capable of transmitting and receiving IP packets, such as a server, a router or a workstation. Messages destined for some other host are not passed up to the upper layers but are forwarded to the other host.
- Among the layers of the OSI and other similar models, IP is in Layer-3, the network layer.
- Layer 7 (i.e., the application layer) is a layer at which, e.g., communication partners are identified, quality of service is identified, user authentication and privacy are considered, constraints on data syntax are identified, etc.
- Layer 6 (i.e., the presentation layer) is a layer that, e.g., converts incoming and outgoing data from one presentation format to another, etc.
- Layer 5 (i.e., the session layer) is a layer that, e.g., sets up, coordinates, and terminates conversations, exchanges and dialogs between the applications, etc.
- Layer-4 (i.e., the transport layer) is a layer that, e.g., manages end-to-end control and error-checking, etc.
- Layer-3 (i.e., the network layer) is a layer that, e.g., handles routing and forwarding, etc.
- Layer-2 (i.e., the data-link layer) is a layer that, e.g., provides synchronization for the physical level, does bit-stuffing and furnishes transmission protocol knowledge and management, etc.
- the Institute of Electrical and Electronics Engineers (IEEE) sub-divides the data-link layer into two further sub-layers, the MAC (Media Access Control) layer that controls the data transfer to and from the physical layer and the LLC (Logical Link Control) layer that interfaces with the network layer and interprets commands and performs error recovery.
- Layer 1 (i.e., the physical layer)
- the IEEE sub-divides the physical layer into the PLCP (Physical Layer Convergence Procedure) sub-layer and the PMD (Physical Medium Dependent) sub-layer.
- Wireless networks can incorporate a variety of types of mobile devices, such as cellular and wireless telephones, PCs (personal computers), laptop computers, wearable computers, cordless phones, pagers, headsets, printers, PDAs, etc.
- mobile devices may include digital systems to secure fast wireless transmissions of voice and/or data.
- Wireless LANs in which a mobile user can connect to a local area network (LAN) through a wireless connection may be employed for wireless communications.
- Wireless communications can include communications that propagate via electromagnetic waves, such as light, infrared, radio, microwave.
- There are a variety of WLAN standards that currently exist, such as, e.g., Bluetooth, IEEE 802.11, and HomeRF.
- IEEE 802.11 specifies technologies for wireless LANs and devices. Using 802.11, wireless networking may be accomplished with each single base station supporting several devices. In some examples, devices may come pre-equipped with wireless hardware or a user may install a separate piece of hardware, such as a card, that may include an antenna.
- devices used in 802.11 typically include three notable elements, whether or not the device is an access point (AP), a mobile station (STA), a bridge, a PCMCIA card or another device: a radio transceiver; an antenna; and a MAC (Media Access Control) layer that controls packet flow between points in a network.
- AP access point
- STA mobile station
- PCMCIA Personal Computer Memory Card International Association
- MAC Media Access Control
- Wireless networks can also involve methods and protocols found in Mobile IP (Internet Protocol) systems, in PCS systems, and in other mobile network systems. Mobile IP is a standard communications protocol created by the Internet Engineering Task Force (IETF). With Mobile IP, mobile device users can move across networks while keeping the IP address that was assigned to them once. See Request for Comments (RFC) 3344.
- IETF Internet Engineering Task Force
- Mobile IP enhances Internet Protocol (IP) and adds means to forward Internet traffic to mobile devices when connecting outside their home network.
- Mobile IP assigns each mobile node a home address on its home network and a care-of-address (CoA) that identifies the current location of the device within a network and its subnets. When a device is moved to a different network, it receives a new care-of address.
- a mobility agent on the home network can associate each home address with its care-of address.
- the mobile node can send the home agent a binding update each time it changes its care-of address by using a protocol such as Internet Control Message Protocol (ICMP).
- ICMP Internet Control Message Protocol
- node includes a connection point, which can include a redistribution point or an end point for data transmissions, and which can recognize, process and/or forward communications to other nodes.
- Internet routers can look at an IP address prefix or the like identifying a device's network. Then, at a network level, routers can look at a set of bits identifying a particular subnet. Then, at a subnet level, routers can look at a set of bits identifying a particular device.
- the Media Access Control (MAC) address serves as a unique identifier of a network device.
- a MAC address is assigned to a network device at the manufacturing stage (typically after having undergone a quality control inspection) by burning or writing it into a permanent location in the network device, such as in ROM. Because of the need to provide a unique MAC address for each network device, MAC address assignment has to be centrally controlled. Consequently the association of MAC addresses with purchasers or users of the network devices is possible, with the result that an observer is able to trace the movements of users based on the MAC address. This also will enable the collection of user history and profile data by an observer. This is possible even when layer 2 security is being used to encrypt the layer 2 packets.
- Every 3G device has a permanent identifier analogous to the permanent MAC address for WLAN devices.
- the base station in reply sends to the 3G device (also in the clear) a temporary identifier that the 3G device can then start using. Because the base station allocates the temporary addresses, it can ensure that a single address is not allocated to multiple devices simultaneously.
- a problem in 3G networks is the initial usage of the permanent identifier "in the clear," i.e. in an unencrypted manner such that the permanent identifier may be observed by third parties.
- the 3G system allocates the temporary identifier only after the initial insecure transmission of the permanent identifier.
- anybody "listening to" or monitoring communications on the wireless channel continuously would be able to link the temporary address to the permanent address and from there draw inferences about the communication pattern of a device.
- TMSI Temporary Mobile Subscriber Identity
- VLR Visitor Location Register
- SGSN Serving General Packet Radio Service Support Node
- the structure and coding of the TMSI can be defined by agreement between the network operator and manufacturer to meet local needs. This implies the presence of protocols in the 3G network to ensure the uniqueness of the TMSI.
- any temporary identifier is unique within a given region that can correspond either to a single Access Point (AP), to multiple APs with the same ESSID (Extended Service Set Identifier), or to multiple APs with different ESSIDs, but which belong to the same organization and are hence accessed via a single router.
- AP Access Point
- ESSID Extended Service Set Identifier
- a method is provided of creating a temporary identifier that is used to identify a mobile device on a wireless network.
- the method can include the steps of receiving information from a network access point to which the mobile device connects to said wireless network; combining the received information with a permanent identifier assigned to the mobile device; performing a predetermined mathematical calculation on the combination of the received information and permanent identifier; and using the result of the calculation to provide a temporary identifier of the mobile device in communications over the wireless network that satisfies the above constraints.
- a mobile device which can calculate its own unique temporary MAC address for use in a wireless network and which does not require any coordination or negotiation between access points on the network.
- a wireless network wherein access points broadcast advertising information that is used by mobile devices seeking to connect to the wireless network to calculate unique temporary MAC addresses.
- FIG. 1 is a diagram of an access point and wireless mobile station interaction for generation of a temporary MAC address and mobile station authentication and association with the wireless network, in accordance with an embodiment of the present invention.
- FIG. 2 is a flow diagram of a first procedure for establishing a temporary MAC address according to one embodiment of the present invention.
- FIG. 3 is a flow diagram of a second procedure for establishing a temporary
- a mobile device is able to self-allocate a temporary MAC address that is ensured to be unique in the entire region over which the mobile device may traverse.
- the concepts of the invention may be categorized into two phases: the first phase addresses the uniqueness of the temporary MAC address, and the second phase ensures both that only authorized devices can communicate via the Access Point, and that an intruder cannot trace the amount of communication in which a particular device participates.
- In this phase, with reference to Fig. 1, it is assumed that the Access Point 101 "advertises" or broadcasts to the region for which it is responsible information 102 that identifies that region. This information 102 could be as simple as just the SSID of the AP or could include other information such as the SSID, the network ID etc. Additionally, it is possible for more than one Access Point to exist in a particular region, as in public areas such as airports, parks, public buildings, etc., wherein each Access Point would represent a different WLAN of a different service provider. In accordance with the invention, the mobile station 103 receives the information from the Access Point to which it desires to connect, and then hashes its own permanent MAC address (PMA as indicated in Fig.
- PMA permanent MAC address
- the advertised information that is considered in the hashing algorithm can be driven by policy and can be different for different regions or it can be the same for many regions such as the case would be when using the SSID. In the latter case, the same temporary MAC address would be valid over all the regions that have the same advertised information.
- Indication of this information to the mobile station can be provided by using an appropriate out-of-band communication, such as over a control channel, etc.
- the mobile station uses the calculated temporary MAC address to complete the authentication process 105 in order to connect to the wireless network to be able to send and to receive information.
- the Access Point advertises information that is pertinent to the region in which the mobile station is presently located.
- the advertised information can include, for example, information related to SSID, access router identifier, costs, capabilities of the Access Point, etc.
- the advertisement can be communicated to the mobile device either via beacons from the AP or via responses by the AP to probes transmitted by the mobile device, or any other suitable method. In accordance with the invention, some or all of this advertised information is then used to determine a temporary MAC address for the mobile device.
- the particular advertised information to be used by the mobile device can be determined by policy, and itself can be indicated in the advertisement.
- the mobile station on receiving this information will construct a string which is a concatenation of the permanent MAC address of the mobile station with the information from the advertisement that is to be included in the calculation.
- This string is then hashed using any standard hashing algorithm such as SHA-1, MD5, etc.
- SHA-1 is shown in Fig. 1 for purposes of illustration.
- the 48 bits of the resultant output of the hash function then will be used as the temporary MAC address.
- the mobile station at step 203 then proceeds with the rest of the network connection process, which involves authenticating and then associating with the Access Point using technologies such as 802.11i protocols, with the calculated temporary MAC address instead of the permanent MAC address that was burned into the device in the manufacturing stage.
- Phase 2 is an optional alternate embodiment and would be used if it is also desired to prevent traffic analysis in addition to anonymity.
- Phase 2 ensures that only authorized devices can communicate via the access point, and also that an intruder cannot trace the amount of communication in which a particular device participates.
- phase 1 and phase 2 need not be contiguous in terms of the message exchange.
- Each of these phases is also independent of each other.
- the mobile device is expected to use as the MAC address the value:
- HMAC(permanent MAC address, AP_info, COUNTER), where the COUNTER is increased by one for each cycle.
- the HMAC value is the calculated 160-bit hash value. 48 bits of this 160-bit value serve as the temporary MAC address (step 303).
- the exact 48 bits used as the temporary MAC address could be selected by a deterministic algorithm.
- the deterministic algorithm can range from one as simple as always using the first 48 bits of the HMAC as the temporary MAC address to one as complex as a cyclic usage of the 160 bits of the hash value.
- the AP can check the transmitted temporary MAC address to verify it according to such rules. If the transmitted MAC address does not match, then the packet is dropped. Note that as a result of this procedure the MAC address can change not only from cycle to cycle but can also change during a cycle. This makes it very difficult to trace the communication pattern of a given mobile device. This implicitly assumes that there are multiple connected devices in the area concerned.
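Both phases described above, as an added Python illustration that is not code from the patent: phase 1 hashes the permanent MAC address concatenated with the advertised AP information with SHA-1 and keeps 48 bits; phase 2 uses HMAC-SHA1 with a per-cycle COUNTER, a deterministic 48-bit selection rule (the first 48 bits, or cyclic 48-bit windows over the 160-bit value), and the AP-side recomputation check that drops a frame whose source address does not match. The HMAC key/message layout, the 4-byte counter encoding, and the adjustment of the I/G and U/L bits in the first octet (so that a self-assigned address is unicast and locally administered, which the text does not mention) are assumptions.

```python
"""Temporary MAC derivation as described in the patent text (added example;
key/message layout, counter encoding and the I/G / U/L bit fix-up are assumptions)."""
import hashlib
import hmac

MAC_BITS = 48
HASH_BITS = 160  # SHA-1 / HMAC-SHA1 output size named in the text


def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dashed form) into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    return raw


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def as_unicast_local(raw: bytes) -> bytes:
    """Assumption beyond the text: clear the I/G bit (bit 0 of octet 0) so the
    address is unicast, and set the U/L bit (bit 1) to mark it as locally
    administered, as IEEE 802 addressing requires for self-assigned MACs."""
    first = (raw[0] & ~0x01) | 0x02
    return bytes([first]) + raw[1:]


def phase1_temp_mac(permanent_mac: str, ap_info: str) -> str:
    """Phase 1: temp MAC = first 48 bits of SHA-1(PMA || advertised AP info)."""
    material = mac_to_bytes(permanent_mac) + ap_info.encode("utf-8")
    digest = hashlib.sha1(material).digest()
    return bytes_to_mac(as_unicast_local(digest[:6]))


def select_48_bits(digest: bytes, slot: int) -> bytes:
    """Deterministic selection rule from the text: slot 0 is 'always the first
    48 bits'; higher slots walk cyclically through the 160-bit value in
    48-bit steps, wrapping around the end of the hash."""
    h = int.from_bytes(digest, "big")
    doubled = (h << HASH_BITS) | h  # 320 bits, so a window may wrap around
    offset = (slot * MAC_BITS) % HASH_BITS
    shift = 2 * HASH_BITS - MAC_BITS - offset
    window = (doubled >> shift) & ((1 << MAC_BITS) - 1)
    return window.to_bytes(6, "big")


def phase2_temp_mac(permanent_mac: str, ap_info: str, counter: int, slot: int = 0) -> str:
    """Phase 2: HMAC-SHA1 keyed with the PMA over AP_info || COUNTER (this
    layout is an assumption), then 48 bits chosen by select_48_bits()."""
    key = mac_to_bytes(permanent_mac)
    msg = ap_info.encode("utf-8") + counter.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    return bytes_to_mac(as_unicast_local(select_48_bits(digest, slot)))


def ap_accepts_frame(src_mac: str, permanent_mac: str, ap_info: str,
                     counter: int, slot: int) -> bool:
    """AP-side check from the text: recompute the expected temporary MAC for
    the current cycle/slot and drop the frame when the source does not match.
    Assumes the AP learned the PMA during authentication."""
    expected = mac_to_bytes(phase2_temp_mac(permanent_mac, ap_info, counter, slot))
    return hmac.compare_digest(mac_to_bytes(src_mac), expected)


if __name__ == "__main__":
    PMA = "00:11:22:33:44:55"               # constructed sample permanent MAC
    INFO = "SSID=airport-wifi;router=ar1"   # constructed advertisement fields
    print("phase 1:", phase1_temp_mac(PMA, INFO))
    for cycle in range(3):
        print(f"phase 2 cycle {cycle}:", phase2_temp_mac(PMA, INFO, cycle))
```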
- the term "preferably" is non-exclusive and means "preferably, but not limited to."
- means-plus-function or step-plus-function limitations will only be employed where for a specific claim limitation all of the following conditions are present in that limitation: a) "means for" or "step for" is expressly recited; b) a corresponding function is expressly recited; and c) structure, material or acts that support that structure are not recited.
- the terminology "present invention" or "invention" may be used as a reference to one or more aspects within the present disclosure.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2006/032535 WO2008020856A1 (en) | 2006-08-18 | 2006-08-18 | Dynamic temporary mac address generation in wireless networks |
Publications (2)
Publication Number | Publication Date |
---|---|
EP2060134A1 true EP2060134A1 (de) | 2009-05-20 |
EP2060134A4 EP2060134A4 (de) | 2012-08-01 |
Family
ID=39082298
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP06801960A Withdrawn EP2060134A4 (de) | 2006-08-18 | 2006-08-18 | Dynamic temporary MAC address generation in wireless networks |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP2060134A4 (de) |
CA (1) | CA2661050C (de) |
WO (1) | WO2008020856A1 (de) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2451227B1 (de) * | 2010-09-09 | 2013-05-08 | Panasonic Corporation | Wireless communication device, wireless communication system and wireless communication method |
US9609571B2 (en) | 2012-08-29 | 2017-03-28 | Qualcomm Incorporated | Systems and methods for securely transmitting and receiving discovery and paging messages |
US8923516B2 (en) * | 2012-08-29 | 2014-12-30 | Qualcomm Incorporated | Systems and methods for securely transmitting and receiving discovery and paging messages |
US9130754B2 (en) | 2012-08-29 | 2015-09-08 | Qualcomm Incorporated | Systems and methods for securely transmitting and receiving discovery and paging messages |
US9094820B2 (en) | 2012-08-29 | 2015-07-28 | Qualcomm Incorporated | Systems and methods for securely transmitting and receiving discovery and paging messages |
CN105228144B (zh) * | 2014-06-16 | 2019-04-19 | Huawei Technologies Co., Ltd. | Access method, device and system based on a temporary MAC address |
US10452861B2 (en) | 2015-11-05 | 2019-10-22 | Samsung Electronics Co., Ltd. | Method, UE and network node for protecting user privacy in networks |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003061203A1 (en) * | 2002-01-18 | 2003-07-24 | Nokia Corporation | Addressing in wireless local area networks |
US20060120317A1 (en) * | 2004-12-06 | 2006-06-08 | Meshnetworks, Inc. | Scheme for MAC address privacy in infrastructure-based multi-hop wireless networks |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100503470B1 (ko) * | 2003-08-13 | 2005-07-27 | Samsung Electronics Co., Ltd. | Fast DAD manager that manages information for performing fast DAD in a distribution system, and fast DAD method using the same |
US7171203B2 (en) * | 2004-01-07 | 2007-01-30 | Research In Motion Limited | Apparatus, and associated method, for facilitating selection by a mobile node of a network through which to communicate |
US7301914B2 (en) * | 2004-06-15 | 2007-11-27 | Motorola, Inc. | Method and apparatus for sending a multicast message |
US20060029027A1 (en) * | 2004-08-09 | 2006-02-09 | Adrian Buckley | Apparatus, and associated method, for facilitating communications by a mobile node in a multiple network radio communication system having interworking capability |
-
2006
- 2006-08-18 EP EP06801960A patent/EP2060134A4/de not_active Withdrawn
- 2006-08-18 WO PCT/US2006/032535 patent/WO2008020856A1/en active Application Filing
- 2006-08-18 CA CA2661050A patent/CA2661050C/en not_active Expired - Fee Related
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003061203A1 (en) * | 2002-01-18 | 2003-07-24 | Nokia Corporation | Addressing in wireless local area networks |
US20060120317A1 (en) * | 2004-12-06 | 2006-06-08 | Meshnetworks, Inc. | Scheme for MAC address privacy in infrastructure-based multi-hop wireless networks |
Non-Patent Citations (4)
Title |
---|
EDNEY J: "Temporary MAC Addresses for Anonymity", IEEE, PISCATAWAY, NJ, USA, 14 March 2002 (2002-03-14), pages 1-5, XP040383749, * |
GRUTESER M ET AL: "ENHANCING LOCATION PRIVACY IN WIRELESS LAN THROUGH DISPOSABLE INTERFACE IDENTIFIERS: A QUANTITATIVE ANALYSIS", WMASH 2003. PROCEEDINGS OF THE 1ST. ACM INTERNATIONAL WORKSHOP ON WIRELESS MOBILE APPLICATIONS AND SERVICES ON WLAN HOTSPOTS. SAN DIEGO, CA, SEPT. 19, 2003; [PROCEEDINGS OF THE ACM INTERNATIONAL WORKSHOP ON WIRELESS MOBILE APPLICATIONS AND SERVICES O, 19 September 2003 (2003-09-19), pages 46-55, XP001046685, DOI: 10.1145/941326.941334 ISBN: 978-1-58113-768-2 * |
NARTEN T ET AL: "RFC 3041: Privacy Extensions for Stateless Address Autoconfiguration in IPv6", IETF REQUEST FOR COMMENTS, XX, XX, 1 January 2001 (2001-01-01), pages 1-17, XP002181525, * |
See also references of WO2008020856A1 * |
Also Published As
Publication number | Publication date |
---|---|
EP2060134A4 (de) | 2012-08-01 |
WO2008020856A1 (en) | 2008-02-21 |
CA2661050A1 (en) | 2008-02-21 |
CA2661050C (en) | 2013-10-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8009626B2 (en) | Dynamic temporary MAC address generation in wireless networks | |
JP4000933B2 (ja) | Wireless information transmission system, wireless communication method, and wireless terminal device | |
US9402216B2 (en) | Methods, media, and devices for moving a connection from one point of access to another point of access | |
JP4769815B2 (ja) | Restricted WLAN access for unknown wireless terminals | |
CN101848508B (zh) | Mobile architecture using pre-authentication, pre-configuration and/or virtual soft handoff | |
JP5503620B2 (ja) | Communication system and access network information transfer manager | |
JP5771603B2 (ja) | Media independent handover protocol security | |
US8549293B2 (en) | Method of establishing fast security association for handover between heterogeneous radio access networks | |
US8059599B1 (en) | Gateway assignment function | |
CN103327022A (zh) | Framework for media-independent pre-authentication support for PANA | |
CA2661050C (en) | Dynamic temporary mac address generation in wireless networks | |
CA2675837A1 (en) | Solving pana bootstrapping timing problem | |
KR101533550B1 (ko) | System and method for call query | |
Banh | Quantification, characterisation and impact evaluation of mobile IPv6 hand off times |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20090318 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR |
|
AX | Request for extension of the european patent |
Extension state: AL BA HR MK RS |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04W 84/04 20090101AFI20090417BHEP |
|
DAX | Request for extension of the european patent (deleted) | ||
RBV | Designated contracting states (corrected) |
Designated state(s): DE FR GB |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: KABUSHIKI KAISHA TOSHIBA Owner name: TELCORDIA TECHNOLOGIES, INC. |
|
A4 | Supplementary search report drawn up and despatched |
Effective date: 20120629 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04L 29/12 20060101ALI20120625BHEP Ipc: H04L 29/06 20060101AFI20120625BHEP |
|
17Q | First examination report despatched |
Effective date: 20130327 |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04W 8/26 20090101ALI20160921BHEP Ipc: H04L 29/12 20060101ALI20160921BHEP Ipc: H04L 29/06 20060101AFI20160921BHEP |
|
INTG | Intention to grant announced |
Effective date: 20161025 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20170307 |