Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F15/00—Digital computers in general; Data processing equipment in general
  • G06F15/16—Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L1/00—Arrangements for detecting or preventing errors in the information received
  • H04L1/20—Arrangements for detecting or preventing errors in the information received using signal quality detector
  • H04L1/205—Arrangements for detecting or preventing errors in the information received using signal quality detector jitter monitoring
• • H—ELECTRICITY
  • H03—ELECTRONIC CIRCUITRY
  • H03M—CODING; DECODING; CODE CONVERSION IN GENERAL
  • H03M7/00—Conversion of a code where information is represented by a given sequence or number of digits to a code where the same, similar or subset of information is represented by a different sequence or number of digits
  • H03M7/30—Compression; Expansion; Suppression of unnecessary data, e.g. redundancy reduction
  • H03M7/46—Conversion to or from run-length codes, i.e. by representing the number of consecutive digits, or groups of digits, of the same kind by a code word and a digit indicative of that kind
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L7/00—Arrangements for synchronising receiver with transmitter
  • H04L7/0054—Detection of the synchronisation error by features other than the received signal transition
  • H04L7/0066—Detection of the synchronisation error by features other than the received signal transition detection of error based on transmission code rule

Definitions

• the invention relates to a method for providing configuration changes in a network access point, and in particular, provides a method in a WLAN environment where an access point and a stationary computer or a mobile terminal maintaining a web browser utilizes an ActiveX control or a plug-in to enhance a security mechanism without relying on HTTPS protection during remote management and administration processing.
• the context of the present invention is to securely access networks, such as the World Wide Web, through another network, including wireless local area networks or (WLAN) employing the IEEE 802. lx architecture, having an access point that provides access for a stationary computer or a mobile terminal devices and to other networks, such as hard wired local area and global networks, such as the Internet.
• WLAN wireless local area networks
• Advancements in WLAN technology have resulted in the publicly accessible wireless communication at rest stops, cafes, libraries and similar public facilities ("hot spots").
• public WLANs offer mobile communication device users access to a private data network, such as a corporate intranet, or a public data network such as the Internet, peer-to-peer communication and live wireless TV broadcasting.
• a stationery computer or a mobile terminal communicates with an authentication server, using a web browser operating with the Hyper Text Transfer Protocol Secured Sockets (HTTPS) protocol insures that anyone on the path between the mobile terminal and the authentication server cannot trespass upon or steal confidential user information.
• HTTPS Hyper Text Transfer Protocol Secured Sockets
• Remote system management/administration is a key requirement on any type of computer systems.
• HTTP protocol web browsers
• HTTPS is the natural choice.
• embedded systems such as WLAN access points
• the resource requirement on HTTPS may be too great consuming large amounts of storage space and requires corresponding overhead support and CPU power.
• these limitations have historically prevented the development of a practical solution to a secure browser based administration mechanism. For example, most of today's commercially available wireless access points do not protect the remote administration exchanges between the browsers and the access points. A would be hacker might easily obtain administrator passwords and damage the access points.
• HTTPS is designed for communication protocols where neither a browser nor a web server have pre-established authentication codes such as confidential passwords known only by the client terminal and the authentication server. This assumption of confidentiality is absolutely necessary in the web applications in which tens of millions of browsers may access millions of servers, but do not have a prior trust relationship. Thus a large use HTTPS requires a certificate on the server to provide a secure negotiation between the browser and the server, and the establishment of a shared secret code for subsequent HTTP communication. In the remote system administration case, the administrator and the remote device can pre-share a secret, thus removing one source of overhead associated with HTTPS communication. However, since the web browser does not offer the necessary secure communication mechanism based on such a shared secret, it would be a desirable feature for a processor to provide the security through the use of an ActiveX control or functionally equivalent plug-in.
• the invention herein provides a method for improving security during a remote administration exchange between a client device using a browser and an access point of a network.
• the invention provides a method for securely exchanging administration change requests between a client device and an access point of a wireless network (WLAN).
• the WLAN may comprise a network that complies with IEEE 802.11 standards.
• the administration change involves the use of parameters for ensuring that received administration information is received from an appropriate client terminal.
• a request for administration management file such as a web page
• the access point of the network also generates and transmits to the client terminal a first parameter, for example, a random number.
• the first parameter may be generated in response to a challenge following the request for the administration management file.
• a new parameter is generated from certain parameters.
• the parameters may include the first parameter, which may be a random number generated by the access point.
• the new parameter may be generated from several parameters, including a password associated with the client terminal, the first parameter, and a string parameter, which may, for example, be generated from the new administration information.
• the new parameter is transmitted from the client terminal to the access point, which then generates a corresponding new parameter using the parameters used by the client terminal. If the parameters match, the access point accepts the new administration information and implements them. In this manner, greater security is provided by using a verification parameter with the new administration information, which verification parameter is generated using parameters that are known to the client terminal and the access point.
• an administrator utilizes a browser to request an administrative web page form, typically designed as a Hyper Text Markup Language (HTML) form, from a remote computer, such as a local web server, which contains fields where the administrator can provide information relevant to obtaining a secure communication with the network.
• the web page form includes fill-in management information, which when complete is submitted to the remote computer by invoking a real time operator, such as may be provided by a Javascript code, to package the information into a string.
• the real time operator invokes a plug-in security function having a predetermined character string as one parameter; prompting the security function to communicate with a remote system.
• the remote system Upon receiving the form information, the remote system generates a random number and stores the number for future reference. It also communicates the number to the administrator.
• the administrator security function concatenates the random number, an administrator password (previously stored in the plug-in) and the string parameter.
• a digest such as a Message 5 digest (MD5)
• MD5 Message 5 digest
• the process includes utilizing the real time operator such as Javascript to then embed the result from the security function into the form containing the management information and sends the form to the remote computer, thereby completing the submission.
• the remote computer utilizes the stored random number, the password and the received data to generate an MD5 digest. If the digest matches the received digest then the requested administration is granted and the system is appropriately updated.
• the remote computer In subsequent communication where management information is to be communicated from the administrator to the remote computer, the remote computer first generates a random number to be thereafter utilized by the administrator in a Message 5 digest (MD5). In each case, the remote system digest is then compared to the received digest and if the digest matches the received digest, then the requested administration request is granted and the system is updated accordingly.
• MD5 Message 5 digest
• FIG. 1 is a block diagram of a communications system for practicing the method of the present invention.
• FIG. 2 is a flow diagram of an embodiment of the present invention for securing a communication access.
• FIG. 3 a is a flow diagram of an embodiment of the present invention for securing a communication access.
• FIG. 3b is a flow diagram of an embodiment of the present invention for securing a communication access.
• circuits and associated blocks and arrows represent functions of the process according to the present invention which may be implemented as electrical circuits and associated wires or data busses, which transport electrical signals.
• one or more associated arrows may represent communication (e.g., data flow) between software routines, particularly when the present method or apparatus of the present invention is implemented as a digital process.
• the invention provides a method for a web browser based remote administration system to maintain its security by utilizing an ActiveX control or a plug-in, without relying on HTTPS protection to transact management information.
• the invention does not burden the embedded system and thus is ideally suited for the remote administration of embedded systems.
• the invention provides a method to calculate a security code base upon identical algorithms in the administrative system having the browser and the embedded system.
• an operator packages the control information as a string and invokes the security function in the plug-in with the string as a parameter.
• the security function returns the result, the operator sends the form data together with a coded digest to the remote system.
• the digest may be embedded in the form data, for example, as a hidden field.
• one or more mobile terminals represented by 140 1 through 140 n communicate via wireless medium 124 to an access point 130 n , local computer 120, in association with firewalls 122 and one or more virtual operators 150 1-n , such as authentication server 150 n . .
• Communication from terminals 140 1-n typically require accessing a secured data base or other resources, utilizing the Internet 110 and associated communication paths 154 and 152 that require a high degree of security from unauthorized entities, such as would be hackers.
• the IEEE 802. Ix architecture encompasses several components and services that interact to provide station mobility transparent to the higher layers of a network stack.
• the IEEE 802. Ix network defines AP stations such as access points
• This invention proposes a method for implementing in a wireless medium 124 a secure communication means between a client terminal 140 n> an access point 130 n, local server 120 and an authentication server 150.
• the an access 160 enables each stationary or mobile terminals 140 1-n> to securely access the WLAN 115 by authenticating and thereafter providing a means to create the administrative forms that ensure a secure traffic flow between both the terminal as well as its communication system components, through such gateways 121, firewalls 122 that may exist as part of the larger network and communication paths 152 and 154 which denote HTTP and non-HTTP communication routing.
• the manner in which the access 160 enables such secure access can best be understood by reference to FIG. 1.
• the sequence of interactions that occurs over time among a stationary or wireless communication devices, say terminal 140 n, the public WLAN 115, the local web server 120, and the authentication server 150 is described under the convention of an IEEE 802. Ix protocol, wherein the access point 130 n of FIG. 1 maintains a controlled port and an uncontrolled port, through which the access point exchanges information, with the terminals 140 1-n .
• the controlled port maintained by the access point 130 n serves as the entryway for non-authentication information, such as data traffic to pass through the WLAN 115 and the terminals 140 1-n .
• the access points 130 1-n keep the respective controlled port closed in accordance with the IEEE 802. Ix protocol until the authentication of the pertinent terminal 140 1-n communicates.
• the access points 130 1-n always maintain the respective uncontrolled port open to permit the mobile terminals 140 1-n to exchange authentication data with an authentication server 150.
• an administrator utilizes terminals 140 1-n and a browser to request 210 an administrative web page form, typically designed as an Hyper Text Markup Language
• HTML HyperText Markup Language
• the web page form filled-in with requested management information which when complete 220 is submitted 225 to the remote computer 150 by invoking a real time operator, such as may be provided by a JavaScript code, to package 230 the information into a string.
• the real time operator invokes a plug-in security function 235 having a predetermined character string as one parameter; prompting 240 the security function to communicate 250 with a remote system 150.
• the remote system 150 Upon receiving 320 the form information, the remote system 150 generates a random number 330 and stores the number 335 for future reference. It also communicates 340 the number to the administrator 140 1-n .
• the administrator 140 1-n security function concatenates 260 the random number, an administrator password (previously stored in the in the plug-in) and the string parameter. Thereafter, a digest, such as a Message 5 digest (MD5), is generated 270 for the concatenated result and is returned to the security function.
• MD5 Message 5 digest
• the process includes utilizing the real time operator such as JavaScript to then embed the result from the security function into the form containing the management information and sends 275 the form to remote computer 150, thereby completing the submission.
• the remote computer utilizes the stored random number, the password and the received data to generate 350 a MD5 digest. If the digest matches 355 the received digest then the requested administration is granted 360 and the system is appropriately updated. If there is no match access is denied 356.
• the remote computer 150 first generates a random number to be thereafter utilized by the administrator in a Message 5 digest (MD5). In each case, the remote system digest is then compared to the received digest and if the digest matches the received digest, then the requested administration request is granted and the system is updated accordingly.
• MD5 Message 5 digest

Landscapes

• Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• Computer Hardware Design (AREA)
• Software Systems (AREA)
• Signal Processing (AREA)
• Computer Networks & Wireless Communication (AREA)
• Quality & Reliability (AREA)
• Physics & Mathematics (AREA)
• General Engineering & Computer Science (AREA)
• General Physics & Mathematics (AREA)
• Small-Scale Networks (AREA)
• Data Exchanges In Wide-Area Networks (AREA)
• Computer And Data Communications (AREA)
• Storage Device Security (AREA)

Priority Applications (4)

Applications Claiming Priority (2)

Publications (2)

Family

ID=33029898

Family Applications (1)

Country Status (6)

Families Citing this family (2)

Citations (1)

• 2004
  • 2004-03-11 KR KR1020057017130A patent/KR20050119119A/ko not_active Application Discontinuation
  • 2004-03-11 MX MXPA05009878A patent/MXPA05009878A/es not_active Application Discontinuation
  • 2004-03-11 CN CNA2004800118811A patent/CN1784673A/zh active Pending
  • 2004-03-11 WO PCT/US2004/007411 patent/WO2004084019A2/en active Search and Examination
  • 2004-03-11 EP EP04719781A patent/EP1604294A2/en not_active Withdrawn
  • 2004-03-11 JP JP2006507071A patent/JP2006520501A/ja not_active Withdrawn

Patent Citations (1)

Also Published As

Similar Documents

Legal Events