Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W8/00—Network data management
  • H04W8/26—Network addressing or numbering for mobility support
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L61/00—Network arrangements, protocols or services for addressing or naming
  • H04L61/50—Address allocation
  • H04L61/5092—Address allocation by self-assignment, e.g. picking addresses at random and testing if they are already in use
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
  • H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
  • H04L63/0414—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2101/00—Indexing scheme associated with group H04L61/00
  • H04L2101/60—Types of network addresses
  • H04L2101/604—Address structures or formats
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2101/00—Indexing scheme associated with group H04L61/00
  • H04L2101/60—Types of network addresses
  • H04L2101/618—Details of network addresses
  • H04L2101/622—Layer-2 addresses, e.g. medium access control [MAC] addresses

Definitions

• the present application relates generally to wireless networking, and more particularly to improving the privacy and security levels of a user's interactions with the network.
• IP is a connectionless protocol.
• the connection between end points during a communication is not continuous.
• the data or messages are divided into components known as packets. Every packet is treated as an independent unit of data.
• OSI Open Systems Interconnection
• the OSI model separates the communications processes between two points in a network into seven stacked layers, with each layer adding its own set of functions. Each device handles a message so that there is a downward flow through each layer at a sending end point and an upward flow through the layers at a receiving end point.
• the programming and/or hardware that provides the seven layers of function is typically a combination of device operating systems, application software, TCP/IP and/or other transport and network protocols, and other software and hardware.
• the top four layers are used when a message passes from or to a user and the bottom three layers are used when a message passes through a device (e.g., an IP host device).
• An IP host is any device on the network that is capable of transmitting and receiving IP packets, such as a server, a router or a workstation. Messages destined for some other host are not passed up to the upper layers but are forwarded to the other host.
• IP is in Layer-3, the network layer.
• the layers of the OSI and other similar models IP is in Layer-3, the network layer.
• Layer 7 (i.e., the application layer) is a layer at which, e.g., communication partners are identified, quality of service is identified, user authentication and privacy are considered, constraints on data syntax are identified, etc.
• Layer 6 (i.e., the presentation layer) is a layer that, e.g., converts incoming and outgoing data from one presentation format to another, etc.
• Layer 5 (i.e., the session layer) is a layer that, e.g., sets up, coordinates, and terminates conversations, exchanges and dialogs between the applications, etc.
• Layer-4 (i.e., the transport layer) is a layer that, e.g., manages end-to-end control and error-checking, etc.
• Layer-3 (i.e., the network layer) is a layer that, e.g., handles routing and forwarding, etc.
• Layer-2 (i.e., the data-link layer) is a layer that, e.g., provides synchronization for the physical level, does bit-stuffing and furnishes transmission protocol knowledge and management, etc.
• the Institute of Electrical and Electronics Engineers (IEEE) sub-divides the data-link layer into two further sub-layers, the MAC (Media Access Control) layer that controls the data transfer to and from the physical layer and the LLC (Logical Link Control) layer that interfaces with the network layer and interprets commands and performs error recovery.
• Layer 1 i.e., the physical layer
• the IEEE sub-divides the physical layer into the PLCP (Physical Layer Convergence Procedure) sub-layer and the PMD (Physical Medium Dependent) sub-layer.
• Wireless networks can incorporate a variety of types of mobile devices, such as cellular and wireless telephones, PCs (personal computers), laptop computers, wearable computers, cordless phones, pagers, headsets, printers, PDAs, etc.
• mobile devices may include digital systems to secure fast wireless transmissions of voice and/or data.
• Wireless LANs in which a mobile user can connect to a local area network (LAN) through a wireless connection may be employed for wireless communications.
• Wireless communications can include communications that propagate via electromagnetic waves, such as light, infrared, radio, microwave.
• WLAN standards There are a variety of WLAN standards that currently exist, such as, e.g., Bluetooth, IEEE 802.1 1 , and HomeRF.
• IEEE 802.1 1 specifies technologies for wireless LANs and devices. Using 802.1 1 , wireless networking may be accomplished with each single base station supporting several devices. In some examples, devices may come pre-equipped with wireless hardware or a user may install a separate piece of hardware, such as a card, that may include an antenna.
• devices used in 802.1 1 typically include three notable elements, whether or not the device is an access point (AP), a mobile station (STA), a bridge, a PCMCIA card or another device: a radio transceiver; an antenna; and a MAC (Media Access Control) layer that controls packet flow between points in a network.
• AP access point
• STA mobile station
• bridge a PCMCIA card
• PCMCIA Packet Control
• MAC Media Access Control
• Wireless networks can also involve methods and protocols found in Mobile IP (Internet Protocol) systems, in PCS systems, and in other mobile network systems. With respect to Mobile IP 1 this involves a standard communications protocol created by the Internet Engineering Task Force (IETF). With Mobile IP, mobile device users can move across networks while maintaining their IP Address assigned once. See Request for Comments (RFC) 3344.
• IETF Internet Engineering Task Force
• Mobile IP enhances Internet Protocol (IP) and adds means to forward Internet traffic to mobile devices when connecting outside their home network.
• Mobile IP assigns each mobile node a home address on its home network and a care-of-address (CoA) that identifies the current location of the device within a network and its subnets. When a device is moved to a different network, it receives a new care-of address.
• a mobility agent on the home network can associate each home address with its care-of address.
• the mobile node can send the home agent a binding update each time it changes its care-of address by using a protocol such as Internet Control Message Protocol (ICMP).
• ICMP Internet Control Message Protocol
• node includes a connection point, which can include a redistribution point or an end point for data transmissions, and which can recognize, process and/or forward communications to other nodes.
• Internet routers can look at an IP address prefix or the like identifying a device's network. Then, at a network level, routers can look at a set of bits identifying a particular subnet. Then, at a subnet level, routers can look at a set of bits identifying a particular device.
• the Media Access Control (MAC) address serves as a unique identifier of a network device.
• a MAC address is assigned to a network device at the manufacturing stage (typically after having undergone a quality control inspection) by burning or writing it into a permanent location in the network device, such as in ROM. Because of the need to provide a unique MAC address for each network device, MAC address assignment has to be centrally controlled. Consequently the association of MAC addresses with purchasers or users of the network devices is possible, with the result that an observer is able to trace the movements of users based on the MAC address. This also will enable the collection of user history and profile data by an observer. This is possible even when layer 2 security is being used to encrypt the layer 2 packets.
• Every 3G device has a permanent identifier analogous to the permanent MAC address for WLAN devices.
• Every 3G device has a permanent identifier analogous to the permanent MAC address for WLAN devices.
• the base station in reply sends to the 3G device (also in the clear) a temporary identifier that the 3G device can then start using. Because the base station allocates the temporary addresses, it can ensure that a single address is not allocated to multiple devices simultaneously.
• a problem in 3G networks is the initial usage of the permanent identifier "in the clear,” i.e. in an unencrypted manner such that the permanent identifier may be observed by third parties.
• the 3G system allocates the temporary identifier only after the initial insecure transmission of the permanent identifier.
• anybody "listening to” or monitoring communications on the wireless channel continuously would be able to link the temporary address to the permanent address and from there draw inferences about the communication pattern of a device.
• TMSI Temporary Mobile Subscriber Identity
• VLR Visitor Location Register
• SGSN Serving General Packet Radio Service Support Node
• the structure and coding of the TMSI can be defined by agreement between the network operator and manufacturer to meet local needs. This implies the presence of protocols in the 3G network to ensure the uniqueness of the TMSI.
• any temporary identifier is unique within a given region that can correspond either to a single Access Point (AP), to multiple APs with the same ESSID (Extended Service Set Identifier), or to multiple APs with different ESSIDs, but which belong to the same organization and are hence accessed via a single router.
• AP Access Point
• ESSID Extended Service Set Identifier
• a method is provided of creating a temporary identifier that is used to identify a mobile device on a wireless network.
• the method can include the steps of receiving information from a network access point to which the mobile device connects to said wireless network; combining the received information with a permanent identifier assigned to the mobile device; performing a predetermined mathematical calculation on the combination of the received information and permanent identifier; and using the result of the calculation to provide a temporary identifier of the mobile device in communications over the wireless network that satisfies the above constraints.
• a mobile device which can calculate its own unique temporary MAC address for use in a wireless network and which does not require any coordination or negotiation between access points on the network.
• a wireless network wherein access points broadcast advertising information that is used by mobile devices seeking to connect to the wireless network to calculate unique temporary MAC addressed.
• FIG. 1 is a diagram of an access point and wireless mobile station interaction for generation of a temporary MAC address and mobile station authentication and association with the wireless network, in accordance with an embodiment of the present invention
• FIG. 2 is a flow diagram of a first procedure for establishing a temporary MAC address according to one embodiment of the present invention.
• FIG. 3 is a flow diagram of a second procedure for establishing a temporary
• a mobile device is able to self-allocate a temporary MAC address that is ensured to be unique in the entire region over which the mobile device may traverse.
• the concepts of the invention may be categorized into two phases: the first phase addresses the uniqueness of the temporary MAC address, and the second phase ensures both that only authorized devices can communicate via the Access Point, and that an intruder cannot trace the amount of communication in which a particular device participates.
• the Access Point 101 In this phase, with reference to Fig. 1 , it is assumed that the Access Point 101 "advertises" or broadcasts to the region for which it is responsible information 102 that identifies that region. This information 102 could be as simple as just the SSID of the AP or could include other information such as the SSID, the network ID etc. Additionally, it is possible for more than one Access Point to exist in a particular region, as in public areas such as airports, parks, public buildings, etc., wherein each Access Point would represent a different WLAN of a different service provider. In accordance with the invention, the mobile station 103 receives the information from the Access Point to which it desires to connect, and then hashes its own permanent MAC address (PMA as indicated in Fig.
• PMA permanent MAC address
• the advertised information that is considered in the hashing algorithm can be driven by policy and can be different for different regions or it can be the same for many regions such as the case would be when using the SSID. In the latter case, the same temporary MAC address would be valid over all the regions that have the same advertised information.
• Indication of this information to the mobile station can be provided by using an appropriate out-of-band communication, such as over a control channel, etc.
• the mobile station uses the calculated temporary MAC address to complete the authentication process 105 in order to connect to the wireless network to be able to send and to receive information.
• the Access Point advertises information that is pertinent to the region in which the mobile station is presently located.
• the advertised information can include, for example, information related to SSID, access router identifier, costs, capabilities of the Access Point, etc.
• the advertisement can be communicated to the mobile device either via beacons from the AP or via responses by the AP to probes transmitted by the mobile device, or any other suitable method. In accordance with the invention, some or all of this advertised information is then used to determine a temporary MAC address for the mobile device.
• the particular advertised information to be used by the mobile device can be determined by policy, and itself can be indicated in the advertisement.
• the mobile station on receiving this information will construct a string which is a concatenation of the permanent MAC address of the mobile station with the information from the advertisement that is to be included in the calculation.
• This string is then hashed using any standard hashing algorithm such as SHA-I , MD5, etc.
• SHA-I is shown in Fig. 1 for purposes of illustration.
• the 48 bits of the resultant output of the hash function then will be used as the temporary MAC address.
• the mobile station at step 203 then proceeds with the rest of the network connection process, which involves authenticating and then associating with the Access Point using technologies such as 802.1 1 i protocols, with the calculated temporary MAC address instead of the permanent MAC address that was burned into the device in the manufacturing stage.
• Phase 2 is an optional alternate embodiment and would be used if it is also desired to prevent traffic analysis in addition to anonymity.
• Phase 2 ensures that only authorized devices can communicate via the access point, and also that an intruder cannot trace the amount of communication in which a particular device participates.
• phase 1 and phase 2 need not be contiguous in terms of the message exchange.
• Each of these phases is also independent of each other.
• the mobile device is expected to use as the MAC address the value:
• HMAC (permanent MAC address, APjnfo, COUNTER) [Para 53] where the COUNTER is increased by one for each cycle.
• the HMAC value is the calculated 160 bit hash value. 48 bits of this 160 bit value to serve as the temporary MAC address (step 303).
• the exact 48 bits used as the temporary MAC address could be based on a deterministic algorithm.
• the deterministic algorithm can be as simple as always using the first 48 bits of the HMAC as the temporary MAC address, to being as complex as being a cyclic usage of the 160 bits of the hash value.
• the AP can check the transmitted temporary MAC address to verify it according to such rules. If the transmitted MAC address does not match, then the packet is dropped. Note that as a result of this procedure the MAC address can change not only from cycle to cycle but can also change during a cycle. This makes it very difficult to trace the communication pattern of a given mobile device. This implicitly assumes that there are multiple connected devices in the area concerned.
• the term "preferably” is non-exclusive and means “preferably, but not limited to.”
• means-plus-function or step-plus-function limitations will only be employed where for a specific claim limitation all of the following conditions are present in that limitation: a) "means for” or “step for” is expressly recited; b) a corresponding function is expressly recited; and c) structure, material or acts that support that structure are not recited.
• the terminology "present invention” or “invention” may be used as a reference to one or more aspect within the present disclosure.

Applications Claiming Priority (1)

Publications (2)

Family

ID=39082298

Family Applications (1)

Country Status (3)

Families Citing this family (7)

Citations (2)

Family Cites Families (4)

• 2006
  • 2006-08-18 EP EP06801960A patent/EP2060134A4/de not_active Withdrawn
  • 2006-08-18 WO PCT/US2006/032535 patent/WO2008020856A1/en active Application Filing
  • 2006-08-18 CA CA2661050A patent/CA2661050C/en not_active Expired - Fee Related

Patent Citations (2)

Non-Patent Citations (4)

Also Published As

Similar Documents

Legal Events