WO2013052037A1 - System and method for wireless network access - Google Patents

System and method for wireless network access

Info

Publication number
WO2013052037A1
Authority
WO
WIPO (PCT)
Prior art keywords
communications
module
network
access
protected node
Prior art date
Application number
PCT/US2011/054772
Other languages
English (en)
Inventor
Yannick Koehler
Original Assignee
Hewlett-Packard Development Company, Lp
Priority date
Filing date
Publication date
Application filed by Hewlett-Packard Development Company, Lp
Priority to PCT/US2011/054772
Publication of WO2013052037A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W12/088 Access security using filters or firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W76/00 Connection management
    • H04W76/10 Connection setup

Definitions

  • communications can be established between remote devices accessing the network and data sources or sites operating in conjunction with the secure network.
  • FIG. 1 illustrates an example system and remote interface that facilitates wireless network access.
  • FIG. 2 illustrates an example of a remote device operating in
  • FIG. 3 illustrates an example of a wireless system that includes a remote interface, access point, and controller.
  • FIG. 4 illustrates an example of a method to facilitate wireless network access.
  • FIG. 5 illustrates an alternative example of a method for
  • FIG. 1 illustrates an example system 100 and network application 110 that facilitates wireless network access.
  • the system 100 includes an executable module 120 that includes computer executable instructions 130 that define the network application 110 (e.g., browser), wherein the executable module 120 can be provided as a non-transitory computer readable medium having computer
  • a wireless driver 140 is provided with the network application 110 to initially enable an unsecured channel of
  • An access manager 180 is employed to establish a secure channel of communications 190 with the protected node 160 based on an attempt to access the network 154 or the protected node 160 via the wireless driver 140.
  • the network application 110 can include a browser (see FIG. 2) to access the protected node 160 via the wireless driver 140, wherein the browser invokes the access manager 180 to subsequently establish the secure channel of communications 190 after initial unsecured communications at 150.
  • the access manager 180 can be a plug-in module that is loaded when the browser is opened, wherein the plug-in module is employed to establish the secure channel of communications 190.
  • the plug-in module could operate a security protocol module (e.g., 802.1x module) to establish the secure channel of communications 190.
  • the network application 110 can also establish communications with an unprotected node 194 if desired across the secured channel.
  • the term protected refers to network nodes that cannot be fully accessed until further security protocol exchanges have occurred that establish the secure channel 190.
  • the system 100 provides a hybrid approach to network access that is not available with existing access models. Completely unsecure models are susceptible to attack whereas completely secure models require that the user understand complex and cumbersome network configurations before gaining access to the network 154. Thus, the system 100 provides a middle ground between existing models where users can access the network 154 initially without
  • unsecure networks provide the possibility for users to present their services/offers and customize the network experience. This customization cannot generally be made available in a secure model, thus the hybrid model allows for both security and customization (e.g., customized portal experience).
  • such hybrid functionality could be implemented as a change to clients (or devices) of the network 154.
  • a plug-in can automatically be loaded as the access manager 180 on the network application 110 when an attempt is made to access the network 154 or the protected node 160.
  • manager 180 would then be responsible for establishing the secure channel 190 with the access point 174 thus mitigating any changes to existing network clients (or devices) and facilitating automated security configuration between nodes which in turn mitigates users from having to implement complex security configurations themselves.
  • the controller 178 provides an internal web server and controls access points 174 such as will be described below with respect to FIG. 3.
  • a validate server certificates (VSC) option can be configured for guest access having a wireless service set identifier (SSID) and initially configured for non-encrypted access to the network 154.
  • the user of the network application 110 can then associate freely with the network 154 without having to configure its wireless client (or device) with complex security settings. Then, at the first attempt to access the network 154 or protected node 160, the user can be automatically redirected to a web page served by the controller 178 that instructs the user of the specific settings related to the particular network 154.
  • the web page can contain JavaScript or ActiveX for an 802.1x client (or security module), for example, and can configure different parameters for the user with suitable settings.
  • the user of the network application 110 is then asked for their respective credential information and the exchange can be performed in one example by an 802.1x protocol using a secure method such as Protected Extensible Authentication Protocol (PEAP) or Extensible Authentication Protocol with Tunneled Transport Layer Security (EAP-TTLS), for example.
  • the controller 178 receives a master session encryption key and can pass it on to the corresponding access point 174 using a basic protocol (e.g., RADIUS).
  • the controller 178 and access point 174 can be configured to support an encrypted management tunnel.
  • When the access point 174 receives the encryption information, it switches an associated encryption engine from clear to the appropriate mode (e.g., AES or TKIP) based on its configuration for the respective user's MAC address, making any subsequent network access as secure as a full 802.1x (or other security protocol) enterprise encryption, for example.
  • FIG. 2 illustrates an example of a remote device 200 operating in accordance with a wireless network 210.
  • the network 210 can be implemented, for example, as the Internet. Nodes on the network 210 can communicate via a communications protocol, such as Transmission Control Protocol/Internet Protocol (TCP/IP), Internet Protocol version 6 (IPv6), and so forth.
  • a memory 220 is provided for storing computer executable instructions.
  • the remote device 200 can also include, for example, a processing unit 224 (e.g., a processor core) for accessing the memory 220 and executing computer executable instructions.
  • device 200 includes a wireless driver 230 to enable an unsecured channel of communications to the network 210 (and subsequently secured communications), wherein the network provides access to a protected node 234 or unprotected node 236 via an access point 238 and controller 239.
  • a browser 240 selects the protected node 234 across the unsecured channel of communications to the network 210.
  • An access module 250 (e.g., plug-in module or internal application) can be loaded when the browser 240 selects the protected node 234 across the unsecured channel of communications to the network 210.
  • a security protocol module 260 is operated by the access module 250 to establish an encrypted channel of communications with the protected node 234 or unprotected node 236 via the access point 238 and controller 239. After desired security has been achieved, further attempts to access the network 210 or protected node 234 are in accordance with the security established (e.g., encrypted channel utilized going forward between remote device 200 and access point 238).
  • the remote device 200 can be
  • wireless devices e.g., cell phones, PDA's
  • stand-alone computers e.g., PDA's
  • peripherals e.g., printers, scanners
  • FIG. 3 illustrates an example of a wireless system 300 that includes a remote interface 310, an access point 312, and network controller 314, wherein the remote interface 310 and access point 312 communicate via wireless
  • the remote interface 310 includes a wireless driver 320 for establishing the wireless
  • a browser 322 is employed to interact with networks and nodes across the wireless connection 316 and a plug-in module 324 operates with the browser to facilitate automated secure channel configurations.
  • An 802.1x module 326 configures security for the remote interface 310 and an encryption/decryption module 328 supports encrypted communications after security exchanges and authorization have completed.
  • the wireless access point 312 includes an access point wireless driver 330 for wireless network communications and an access point
  • An access point Ethernet driver 334 is provided for connection to the network
  • a RADIUS client 336 is employed for establishing a network user account and an 802.1x server 338 is provided to communicate with the 802.1x module 326 on the remote interface 310.
  • the network controller 314 includes a controller Ethernet driver 340 for communications to the access point Ethernet driver 334.
  • An Access Control List (ACL) 342 is provided to determine which nodes are protected and which nodes are not and a RADIUS Server 344 interacts with the RADIUS client 336 to provide a network user account 346.
  • An HTTP & Web server 348 provides access to an internal set of web pages referred to as a portal.
  • the portal is optional and can also be delivered by an external HTTP server.
  • the Web server portion of the server 348 provides data (e.g., set of pages referred to as the portal) to communicate with the client such as querying credentials, presenting the services/network, and showing its current status in the network, for example.
  • the server 348 can also include HTML processing.
  • the network controller 314 can also provide a firewall 360 for controller security and HTML module 370 to process web information.
  • the access point 312 broadcasts the network 316 as unprotected (e.g., no encryption utilized).
  • a wireless client such as the remote interface 310 selects the network 316 and associates with it via the browser 322 to receive the IP configuration from a DHCP server (not shown).
  • the user accesses the network 316 using the browser 322 and requests a site such as "example.com".
  • the network controller 314 intercepts this HTML request to example.com to validate if the user has rights to access "example.com" using the ACL 342. If the user is unknown based on the request, they can be redirected to a service announcement web page served by the web server 350.
  • example.com there is a location that allows the user to enter their credentials to the network 316 in order for the network to recognize them and ultimately provide access to "example.com” or other additional secure nodes they are entitled to access.
  • the plug-in module 324 associated with the browser 322 can detect and intercept the submission of credentials.
  • the browser plug-in 324 could alternatively also be non-browser specific code listening in on the network stack and intercepting any attempt to login to extract the credentials. This can allow simplifying the design by having a single module handling all browsers in a similar manner.
  • the plug-in module 324 can then turn the credentials over to the 802.1x module 326 (e.g., located in the client's PC).
  • a web server can be provided inside the client (operating the remote interface 310), where the controller 314 would provide a page to the client that indicates when a user click/selection has submitted post information with their username / password and thus could be sent to the client's own IP address to a specific port such as 9025, for example.
  • An internal web server could be installed on the client to listen at this port and intercept incoming posts and then start the access manager with the received information.
  • the 802.1x module exchanges 802.1x packets with the access point 312 over wireless connection 316 using the Extensible Authentication Protocol over LAN (EAPOL, defined in the 802.1x standard), for example.
  • the access point 312, on reception, can convert 802.1x packets into RADIUS and send the packets to the network controller 314.
  • the network controller 314 can validate if the user is correct and provide a proper response.
  • the respective 802.1x exchange is generally more secure than existing HTML login processes and HTTP authentication. It uses similar encryption technology to HTTPS but has the desirable side-effect of not requiring all controllers to have their own Secure Socket Layer (SSL) certificate and therefore reduces the cost of ownership to the user.
  • a key exchange (e.g., part of the 802.1x standard) can be triggered.
  • the access point 312 can also start flagging that the respective user is an encrypted user and thus only communicate to this client with encrypted traffic both for unicast and broadcast. Unencrypted traffic remains however for other non-flagged clients the access point 312 has associated.
  • broadcast packets are not encrypted, whereas unicast packets are encrypted.
  • FIG. 4 illustrates an example method 400 to facilitate wireless network access.
  • the method 400 includes initiating an unsecured connection to a wireless network at 410. This could include opening an unsecured channel of
  • the method 400 includes selecting a protected node from the unsecured connection at 420. Such selection could occur via a browser component or other network application, for example.
  • the method 400 includes initiating a security protocol exchange upon selection of the protected node at 430.
  • the security protocol exchange can be initiated by a plug-in module that is loaded and activated when a browser selects a protected node or network, for example.
  • the method 400 includes utilizing encrypted communications to the protected node after the security protocol exchange has completed. This could include employment of an encryption and decryption engine to support such communications.
  • the security protocol exchange can also employ an 802.1x protocol to support the encrypted communications to the protected node.
  • FIG. 5 illustrates an example of an alternative method 500 for communications between a network interface 510 and a client interface 514 that operates on a remote device.
  • the network interface broadcasts a beacon signal for an open network.
  • the beacon can include an SSID as described above (e.g., SSID: MyNetwork, OPEN: No Encryption).
  • the client interface 514 associates to the network such as selecting the network from a menu.
  • the client interface requests and receives an IP configuration from the network interface 510.
  • the client interface 514 opens a respective browser, it receives an HTML service page and a plug-in module from the network
  • the client interface 514 provides network credentials (e.g., username and password) which are intercepted by the plug-in module. This can also trigger an 802.1x authentication.
  • a secure credentials exchange occurs between the network interface 510 and client interface 514 via an 802.1x protocol.
  • an encryption key exchange occurs between the network interface 510 and the client interface 514.
  • the network interface 510 and client interface 514 communicate via an encrypted protocol such as Wireless Protocol Access (WPA or WPA-2), for example, where further traffic can be facilitated via a global encryption key and is authenticated only for the particular user who has followed such procedure as outlined according to the method 500.
  • the term “includes” means includes but not limited to, the term “including” means including but not limited to.
  • the term “based on” means based at least in part on. Additionally, where the disclosure or claims recite “a,” “an,” “a first,” or “another” element, or the equivalent thereof, it should be interpreted to include one or more than one such element, neither requiring nor excluding two or more such elements.
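The flow of FIGS. 3 to 5 (open association, portal redirect decided by the ACL, credential interception by the plug-in, 802.1x/RADIUS authentication, key delivery to the access point, and the per-MAC switch of the encryption engine from clear to encrypted) can be followed end to end in the simulation below. It is an added example written for this page, not code from the patent or from Hewlett-Packard; the ACL, the user account, the MAC addresses and the host names are constructed, and the inner PEAP/EAP-TTLS method is abstracted as a password check on the RADIUS side together with a randomly generated master session key.

```python
"""Simulation of the hybrid open -> portal -> 802.1x -> per-client encryption flow.

Constructed for this example: the ACL, the user database, MAC addresses and host
names.  The EAP inner method is abstracted: the RADIUS side checks a password hash
and generates the master session key (MSK) instead of deriving it with the client.
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import secrets

SALT = b"example-salt"  # constructed; a real AAA server stores a per-user salt


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed network user account directory (the RADIUS server side, cf. account 346)
USER_DB = {"alice": _hash_pw("correct horse battery")}

# Constructed ACL (cf. ACL 342): hosts that need the secure channel before access
ACL = {"example.com": "protected", "portal.local": "unprotected", "news.local": "unprotected"}


@dataclass
class AccessPoint:
    """Per-MAC encryption engine state: 'clear' until the controller installs a key."""
    keyed: dict = field(default_factory=dict)  # mac -> (mode, msk)

    def install_key(self, mac: str, msk: bytes, mode: str = "AES") -> None:
        # Called by the controller after Access-Accept; only this MAC is switched.
        self.keyed[mac] = (mode, msk)

    def mode_for(self, mac: str) -> str:
        return self.keyed.get(mac, ("clear", None))[0]


@dataclass
class Controller:
    """Intercepts HTTP, consults the ACL, and plays the RADIUS server."""
    ap: AccessPoint
    authenticated: set = field(default_factory=set)

    def handle_http(self, mac: str, host: str):
        # Unprotected nodes are reachable over the clear channel; protected ones
        # only after the MAC has completed the 802.1x exchange.
        if ACL.get(host) != "protected" or mac in self.authenticated:
            return ("200", host)
        return ("302", "portal.local")  # redirect unknown user to the service page

    def radius_access_request(self, mac: str, username: str, password: str):
        stored = USER_DB.get(username)
        if stored is None or not hmac.compare_digest(stored, _hash_pw(password)):
            return None  # Access-Reject: the engine for this MAC stays clear
        msk = secrets.token_bytes(32)  # abstraction of the EAP-derived MSK
        self.authenticated.add(mac)
        self.ap.install_key(mac, msk)  # Access-Accept carries the key to the AP
        return msk


@dataclass
class Client:
    """Remote interface: browser plus the plug-in that hands credentials to 802.1x."""
    mac: str
    ctrl: Controller
    plugin_loaded: bool = False
    msk: Optional[bytes] = None

    def browse(self, host: str):
        status, location = self.ctrl.handle_http(self.mac, host)
        if status == "302":
            self.plugin_loaded = True  # the portal page delivers the plug-in
        return status, location

    def submit_credentials(self, username: str, password: str) -> bool:
        if not self.plugin_loaded:
            raise RuntimeError("no plug-in loaded: credentials would go over clear HTTP")
        # The plug-in intercepts the form post and routes it through EAPOL -> RADIUS
        # instead of letting the browser submit it over the unsecured channel.
        self.msk = self.ctrl.radius_access_request(self.mac, username, password)
        return self.msk is not None


def run_flow(password: str = "correct horse battery") -> dict:
    """Walk one client through method 500 while a second client stays unauthenticated."""
    ap = AccessPoint()
    ctrl = Controller(ap)
    alice = Client("aa:bb:cc:00:00:01", ctrl)      # constructed MAC
    bystander = Client("aa:bb:cc:00:00:02", ctrl)  # constructed MAC, never logs in
    first = alice.browse("example.com")            # intercepted, redirected to portal
    ok = alice.submit_credentials("alice", password)
    second = alice.browse("example.com")           # allowed once authenticated
    return {
        "first_request": first,
        "auth_ok": ok,
        "second_request": second,
        "alice_mode": ap.mode_for(alice.mac),          # "AES" after success
        "bystander_mode": ap.mode_for(bystander.mac),  # stays "clear" (cf. FIG. 3)
        "bystander_request": bystander.browse("example.com"),
    }


if __name__ == "__main__":
    for key, value in run_flow().items():
        print(f"{key}: {value!r}")
```

The two outcomes worth checking are the ones the description relies on: a failed exchange leaves the client's MAC in clear mode and still redirected, and a successful exchange flips only that MAC to encrypted while other associated clients keep receiving unencrypted traffic.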

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

A wireless driver (140) enables an unsecured channel (150) of communications to a network (154), the network (154) providing access to a protected node (160). An access manager (180) establishes, via the wireless driver (140), a secure channel (190) of communications with the protected node (160) based on an attempt to access the protected node (160).
PCT/US2011/054772 2011-10-04 2011-10-04 System and method for wireless network access WO2013052037A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2011/054772 WO2013052037A1 (fr) 2011-10-04 2011-10-04 System and method for wireless network access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2011/054772 WO2013052037A1 (fr) 2011-10-04 2011-10-04 System and method for wireless network access

Publications (1)

Publication Number Publication Date
WO2013052037A1 true WO2013052037A1 (fr) 2013-04-11

Family

ID=48044018

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2011/054772 WO2013052037A1 (fr) 2011-10-04 2011-10-04 System and method for wireless network access

Country Status (1)

Country Link
WO (1) WO2013052037A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060224893A1 (en) * 2005-04-04 2006-10-05 Intermec Ip Corp. Secure wireless communication apparatus and method for electronic devices incorporating pushed pins
US20080070571A1 (en) * 2006-09-18 2008-03-20 Samsung Electronics Co., Ltd. System and method for providing secure network access in fixed mobile converged telecommunications networks
US20100316221A1 (en) * 2008-01-17 2010-12-16 China Iwncomm Co.,Ltd secure transmission method for broadband wireless multimedia network broadcasting communication
US20110179473A1 (en) * 2010-01-15 2011-07-21 Samsung Electronics Co., Ltd. Method and apparatus for secure communication between mobile devices

Similar Documents

Publication Publication Date Title
CN107534651B (zh) Method and device for transmitting a session identifier
US10299126B2 (en) Enabling secured wireless access at hotspot by providing user-specific access credential for secure SSID during sign-up process conducted over open wireless network
US9098678B2 (en) Streaming video authentication
US8392712B1 (en) System and method for provisioning a unique device credential
US8589675B2 (en) WLAN authentication method by a subscriber identifier sent by a WLAN terminal
US8893255B1 (en) Device authentication using device-specific proxy addresses
US11489826B2 (en) Multi-factor authorization for IEEE 802.1x-enabled networks
US8756690B2 (en) Extensible authentication protocol attack detection systems and methods
KR20060017594A (ko) Secure wireless LAN access technology
CA3011453A1 (fr) Method for providing a virtual Wi-Fi network with a secure tunnel
US11277399B2 (en) Onboarding an unauthenticated client device within a secure tunnel
US11805416B2 (en) Systems and methods for multi-link device privacy protection
US20150249639A1 (en) Method and devices for registering a client to a server
US10917406B2 (en) Access control method and system, and switch
CN111034240B (zh) Improvements in and relating to network communication
WO2013052037A1 (fr) System and method for wireless network access
Kovačić et al. Improving the security of access to network resources using the 802.1 x standard in wired and wireless environments
Stakenburg et al. Underexposed risks of public Wi-Fi hotspots
CN102868672A (zh) Authentication and access control system and method
Kasiulynas Radius Authentication in wireless lab environment
Carthern et al. Wireless LAN (WLAN)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11873765

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11873765

Country of ref document: EP

Kind code of ref document: A1