WO2018170061A1 - Appareil, système et procédé de sécurisation de communication sans fil - Google Patents

Appareil, système et procédé de sécurisation de communication sans fil Download PDF

Info

Publication number
WO2018170061A1
WO2018170061A1 PCT/US2018/022337 US2018022337W WO2018170061A1 WO 2018170061 A1 WO2018170061 A1 WO 2018170061A1 US 2018022337 W US2018022337 W US 2018022337W WO 2018170061 A1 WO2018170061 A1 WO 2018170061A1
Authority
WO
WIPO (PCT)
Prior art keywords
sta
public
psk
sae
authentication
Prior art date
Application number
PCT/US2018/022337
Other languages
English (en)
Inventor
Ido Ouzieli
Izoslav Tchigevsky
Stanislav GENS
Jonathan Segev
Shahar Michaelovich
Original Assignee
Intel IP Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intel IP Corporation filed Critical Intel IP Corporation
Publication of WO2018170061A1 publication Critical patent/WO2018170061A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key

Definitions

  • Embodiments described herein generally relate to securing wireless communication.
  • Some wireless communication networks may implement one or more mechanisms to support privacy during a wireless session between a station and an Access Point (AP), for example, in accordance with an IEEE 802.11 Specification.
  • AP Access Point
  • these mechanisms may not be suitable for and/or efficient for some use cases, scenarios and/or deployments.
  • FIG. 1 is a schematic block diagram illustration of a system, in accordance with some demonstrative embodiments.
  • Fig. 2 is a schematic illustration of an exchange of messages of a Secure Authentication of Equals (SAE) procedure, which may be implemented in accordance with some demonstrative embodiments.
  • SAE Secure Authentication of Equals
  • FIG. 3 is a schematic illustration of operations and messages of a procedure of setting up a secure wireless connection, in accordance with some demonstrative embodiments.
  • Fig. 4 is a schematic illustration of a capability information field, which may be implemented in accordance with some demonstrative embodiments.
  • Fig. 5 is a schematic illustration of a challenge text element, which may be implemented in accordance with some demonstrative embodiments.
  • Fig. 6 is a schematic flow-chart illustration of a method of securing wireless communication, in accordance with some demonstrative embodiments.
  • Fig. 7 is a schematic flow-chart illustration of a method of securing wireless communication, in accordance with some demonstrative embodiments.
  • Fig. 8 is a schematic illustration of a product of manufacture, in accordance with some demonstrative embodiments.
  • Discussions herein utilizing terms such as, for example, “processing”, “computing”, “calculating”, “determining”, “establishing”, “analyzing”, “checking”, or the like, may refer to operation(s) and/or process(es) of a computer, a computing platform, a computing system, or other electronic computing device, that manipulate and/or transform data represented as physical (e.g., electronic) quantities within the computer's registers and/or memories into other data similarly represented as physical quantities within the computer's registers and/or memories or other information storage medium that may store instructions to perform operations and/or processes.
  • the terms “plurality” and “a plurality”, as used herein, include, for example, “multiple” or “two or more”. For example, "a plurality of items” includes two or more items.
  • references to "one embodiment”, “an embodiment”, “demonstrative embodiment”, “various embodiments” etc. indicate that the embodiment(s) so described may include a particular feature, structure, or characteristic, but not every embodiment necessarily includes the particular feature, structure, or characteristic. Further, repeated use of the phrase “in one embodiment” does not necessarily refer to the same embodiment, although it may.
  • Some embodiments may be used in conjunction with various devices and systems, for example, a User Equipment (UE), a Mobile Device (MD), a wireless station (STA), a Personal Computer (PC), a desktop computer, a mobile computer, a laptop computer, a notebook computer, a tablet computer, a server computer, a handheld computer, a sensor device, an Internet of Things (IoT) device, a wearable device, a handheld device, a Personal Digital Assistant (PDA) device, a handheld PDA device, an on-board device, an off-board device, a hybrid device, a vehicular device, a non-vehicular device, a mobile or portable device, a consumer device, a non-mobile or non-portable device, a wireless communication station, a wireless communication device, a wireless Access Point (AP), a wired or wireless router, a wired or wireless modem, a video device, an audio device, an audio-video (A/V) device, a wired or wireless network, a wireless
  • Some embodiments may be used in conjunction with devices and/or networks operating in accordance with existing IEEE 802.11 standards (including IEEE 802.11-2016 ⁇ IEEE 802.11- 2016, IEEE Standard for Information technology— Telecommunications and information exchange between systems Local and metropolitan area networks-Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, December 7, 2016); and/or IEEE 802.11az (IEEE 802.1 laz, Next Generation Positioning)) and/or future versions and/or derivatives thereof, devices and/or networks operating in accordance with existing WiFi Alliance (WFA) Specifications (including Wi-Fi Neighbor Awareness Networking (NAN) Technical Specification, Version 1.0, May 1, 2015) and/or future versions and/or derivatives thereof, devices and/or networks operating in accordance with existing WFA Peer-to-Peer (P2P) specifications (including WiFi P2P technical specification, version 1.5, August 4, 2014) and/or future versions and/or derivatives thereof, devices and/or networks operating in accordance with existing Wireless
  • Some embodiments may be used in conjunction with one way and/or two-way radio communication systems, cellular radio-telephone communication systems, a mobile phone, a cellular telephone, a wireless telephone, a Personal Communication Systems (PCS) device, a PDA device which incorporates a wireless communication device, a mobile or portable Global Positioning System (GPS) device, a device which incorporates a GPS receiver or transceiver or chip, a device which incorporates an RFID element or chip, a Multiple Input Multiple Output (MEVIO) transceiver or device, a Single Input Multiple Output (SIMO) transceiver or device, a Multiple Input Single Output (MISO) transceiver or device, a device having one or more internal antennas and/or external antennas, Digital Video Broadcast (DVB) devices or systems, multi- standard radio devices or systems, a wired or wireless handheld device, e.g., a Smartphone, a Wireless Application Protocol (WAP) device, or the like.
  • WAP Wireless Application Protocol
  • Some embodiments may be used in conjunction with one or more types of wireless communication signals and/or systems, for example, Radio Frequency (RF), Infra-Red (IR), Frequency-Division Multiplexing (FDM), Orthogonal FDM (OFDM), Orthogonal Frequency- Division Multiple Access (OFDMA), Spatial Divisional Multiple Access (SDMA), FDM Time- Division Multiplexing (TDM), Time-Division Multiple Access (TDM A), Multi-User MIMO (MU-MIMO), Extended TDMA (E-TDMA), General Packet Radio Service (GPRS), extended GPRS, Code-Division Multiple Access (CDMA), Wideband CDMA (WCDMA), CDMA 2000, single-carrier CDMA, multi-carrier CDMA, Multi-Carrier Modulation (MDM), Discrete Multi- Tone (DMT), Bluetooth®, Global Positioning System (GPS), Wi-Fi, Wi-Max, ZigBeeTM, Ultra- Wideband (UWB), Global System for Mobile communication
  • GPS
  • wireless device includes, for example, a device capable of wireless communication, a communication device capable of wireless communication, a communication station capable of wireless communication, a portable or non-portable device capable of wireless communication, or the like.
  • a wireless device may be or may include a peripheral that is integrated with a computer, or a peripheral that is attached to a computer.
  • the term “wireless device” may optionally include a wireless service.
  • the term "communicating" as used herein with respect to a communication signal includes transmitting the communication signal and/or receiving the communication signal.
  • a communication unit which is capable of communicating a communication signal, may include a transmitter to transmit the communication signal to at least one other communication unit, and/or a communication receiver to receive the communication signal from at least one other communication unit.
  • the verb communicating may be used to refer to the action of transmitting or the action of receiving.
  • the phrase "communicating a signal” may refer to the action of transmitting the signal by a first device, and may not necessarily include the action of receiving the signal by a second device.
  • the phrase “communicating a signal” may refer to the action of receiving the signal by a first device, and may not necessarily include the action of transmitting the signal by a second device.
  • Some demonstrative embodiments may be used in conjunction with a WLAN, e.g., a WiFi network.
  • Other embodiments may be used in conjunction with any other suitable wireless communication network, for example, a wireless area network, a "piconet", a WPAN, a WVAN and the like.
  • Some demonstrative embodiments may be used in conjunction with a wireless communication network communicating over a frequency band of 2.4GHz or 5GHz.
  • other embodiments may be implemented utilizing any other suitable wireless communication frequency bands, for example, an Extremely High Frequency (EHF) band (the millimeter wave (mmWave) frequency band), e.g., a frequency band within the frequency band of between 20Ghz and 300GHZ, a WLAN frequency band, a WPAN frequency band, and the like.
  • EHF Extremely High Frequency
  • circuitry may refer to, be part of, or include, an Application Specific Integrated Circuit (ASIC), an integrated circuit, an electronic circuit, a processor (shared, dedicated, or group), and/or memory (shared, dedicated, or group), that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable hardware components that provide the described functionality.
  • ASIC Application Specific Integrated Circuit
  • the circuitry may be implemented in, or functions associated with the circuitry may be implemented by, one or more software or firmware modules.
  • circuitry may include logic, at least partially operable in hardware.
  • logic may refer, for example, to computing logic embedded in circuitry of a computing apparatus and/or computing logic stored in a memory of a computing apparatus.
  • the logic may be accessible by a processor of the computing apparatus to execute the computing logic to perform computing functions and/or operations.
  • logic may be embedded in various types of memory and/or firmware, e.g., silicon blocks of various chips and/or processors.
  • Logic may be included in, and/or implemented as part of, various circuitry, e.g. radio circuitry, receiver circuitry, control circuitry, transmitter circuitry, transceiver circuitry, processor circuitry, and/or the like.
  • logic may be embedded in volatile memory and/or non- volatile memory, including random access memory, read only memory, programmable memory, magnetic memory, flash memory, persistent memory, and/or the like. Logic may be executed by one or more processors using memory, e.g., registers, buffers, stacks, and the like, coupled to the one or more processors, e.g., as necessary to execute the logic.
  • the term "antenna”, as used herein, may include any suitable configuration, structure and/or arrangement of one or more antenna elements, components, units, assemblies and/or arrays.
  • the antenna may implement transmit and receive functionalities using separate transmit and receive antenna elements.
  • the antenna may implement transmit and receive functionalities using common and/or integrated transmit/receive elements.
  • the antenna may include, for example, a phased array antenna, a single element antenna, a set of switched beam antennas, and/or the like.
  • peer to peer (PTP) communication may relate to device-to- device communication over a wireless link ("peer-to-peer link") between devices.
  • the PTP communication may include, for example, a WiFi Direct (WFD) communication, e.g., a WFD Peer to Peer (P2P) communication, wireless communication over a direct link within a Quality of Service (QoS) basic service set (BSS), a tunneled direct-link setup (TDLS) link, a STA-to- STA communication in an independent basic service set (IBSS), or the like.
  • WFD WiFi Direct
  • BSS Quality of Service
  • TDLS tunneled direct-link setup
  • IBSS independent basic service set
  • FIG. 1 schematically illustrates a block diagram of a system 100, in accordance with some demonstrative embodiments.
  • system 100 may include a wireless communication network including one or more wireless communication devices, e.g., wireless communication devices 102 and/or 140.
  • wireless communication devices 102 and/or 140 may include, for example, a UE, an MD, a STA, an AP, a PC, a desktop computer, a mobile computer, a laptop computer, an UltrabookTM computer, a notebook computer, a tablet computer, a server computer, a handheld computer, an Internet of Things (IoT) device, a sensor device, a handheld device, a wearable device, a PDA device, a handheld PDA device, an on-board device, an off-board device, a hybrid device (e.g., combining cellular phone functionalities with PDA device functionalities), a consumer device, a vehicular device, a non-vehicular device, a mobile or portable device, a non-mobile or non-portable device, a mobile phone, a cellular telephone, a PCS device, a PDA device which incorporates a wireless communication device, a mobile or portable GPS device, a DVB device, a relatively small computing device
  • devices 102 and/or 140 may include, operate as, and/or perform the functionality of one or more STAs.
  • device 102 may include at least one STA
  • device 140 may include at least one STA.
  • devices 102 and/or 140 may include, operate as, and/or perform the functionality of one or more WLAN STAs.
  • devices 102 and/or 140 may include, operate as, and/or perform the functionality of one or more Wi-Fi STAs.
  • devices 102 and/or 140 may include, operate as, and/or perform the functionality of one or more BT devices.
  • devices 102 and/or 140 may include, operate as, and/or perform the functionality of one or more Neighbor Awareness Networking (NAN) STAs.
  • NAN Neighbor Awareness Networking
  • one of wireless communication devices 102 and/or 140 may include, operate as, and/or perform the functionality of an AP STA, and/or one or more of wireless communication devices 102 and/or 140, e.g., device 102, may include, operate as, and/or perform the functionality of a non-AP STA. In other embodiments, devices 102 and/or 140 may operate as and/or perform the functionality of any other STA.
  • the AP may include a router, a PC, a server, a Hot-Spot and/or the like.
  • a station may include a logical entity that is a singly addressable instance of a medium access control (MAC) and physical layer (PHY) interface to the wireless medium (WM).
  • the STA may perform any other additional or alternative functionality.
  • an AP may include an entity that contains a station (STA), e.g., one STA, and provides access to distribution services, via the wireless medium (WM) for associated STAs.
  • the AP may perform any other additional or alternative functionality.
  • a non-access-point (non-AP) station may include a STA that is not contained within an AP.
  • the non-AP STA may perform any other additional or alternative functionality.
  • device 102 may include, for example, one or more of a processor 191, an input unit 192, an output unit 193, a memory unit 194, and/or a storage unit 195; and/or device 140 may include, for example, one or more of a processor 181, an input unit 182, an output unit 183, a memory unit 184, and/or a storage unit 185.
  • Devices 102 and/or 140 may optionally include other suitable hardware components and/or software components.
  • some or all of the components of one or more of devices 102 and/or 140 may be enclosed in a common housing or packaging, and may be interconnected or operably associated using one or more wired or wireless links. In other embodiments, components of one or more of devices 102 and/or 140 may be distributed among multiple or separate devices.
  • processor 191 and/or processor 181 may include, for example, a Central Processing Unit (CPU), a Digital Signal Processor (DSP), one or more processor cores, a single-core processor, a dual-core processor, a multiple-core processor, a microprocessor, a host processor, a controller, a plurality of processors or controllers, a chip, a microchip, one or more circuits, circuitry, a logic unit, an Integrated Circuit (IC), an Application- Specific IC (ASIC), or any other suitable multi-purpose or specific processor or controller.
  • Processor 191 executes instructions, for example, of an Operating System (OS) of device 102 and/or of one or more suitable applications.
  • Processor 181 executes instructions, for example, of an Operating System (OS) of device 140 and/or of one or more suitable applications.
  • OS Operating System
  • OS Operating System
  • input unit 192 and/or input unit 182 may include, for example, a keyboard, a keypad, a mouse, a touch-screen, a touch-pad, a track-ball, a stylus, a microphone, or other suitable pointing device or input device.
  • Output unit 193 and/or output unit 183 includes, for example, a monitor, a screen, a touch-screen, a flat panel display, a Light Emitting Diode (LED) display unit, a Liquid Crystal Display (LCD) display unit, a plasma display unit, one or more audio speakers or earphones, or other suitable output devices.
  • LED Light Emitting Diode
  • LCD Liquid Crystal Display
  • memory unit 194 and/or memory unit 184 includes, for example, a Random Access Memory (RAM), a Read Only Memory (ROM), a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a flash memory, a volatile memory, a nonvolatile memory, a cache memory, a buffer, a short term memory unit, a long term memory unit, or other suitable memory units.
  • Storage unit 195 and/or storage unit 185 includes, for example, a hard disk drive, a floppy disk drive, a Compact Disk (CD) drive, a CD-ROM drive, a DVD drive, or other suitable removable or non-removable storage units.
  • Memory unit 194 and/or storage unit 195 may store data processed by device 102.
  • Memory unit 184 and/or storage unit 185 may store data processed by device 140.
  • wireless communication devices 102 and/or 140 may be capable of communicating content, data, information and/or signals via a wireless medium (WM) 103.
  • wireless medium 103 may include, for example, a radio channel, a cellular channel, a Global Navigation Satellite System (GNSS) Channel, an RF channel, a WiFi channel, an IR channel, a Bluetooth (BT) channel, and the like.
  • GNSS Global Navigation Satellite System
  • BT Bluetooth
  • wireless communication medium 103 may include a wireless communication channel over a 2.4 Gigahertz (GHz) frequency band, or a 5GHz frequency band, a miUimeterWave (mmWave) frequency band, e.g., a 60GHz frequency band, a Sub- 1 GHz (S 1G) band, and/or any other frequency band.
  • GHz 2.4 Gigahertz
  • 5GHz 5GHz
  • mmWave miUimeterWave
  • 60GHz GHz frequency band
  • S 1G Sub- 1 GHz
  • devices 102 and/or 140 may include one or more radios including circuitry and/or logic to perform wireless communication between devices 102, and/or 140 and/or one or more other wireless communication devices.
  • device 102 may include a radio 114
  • device 140 may include a radio 144.
  • radios 114 and/or 144 may include one or more wireless receivers (Rx) including circuitry and/or logic to receive wireless communication signals, RF signals, frames, blocks, transmission streams, packets, messages, data items, and/or data.
  • Rx wireless receivers
  • radio 114 may include at least one receiver 116
  • radio 144 may include at least one receiver 146.
  • radios 114 and/or 144 may include one or more wireless transmitters (Tx) including circuitry and/or logic to transmit wireless communication signals, RF signals, frames, blocks, transmission streams, packets, messages, data items, and/or data.
  • Tx wireless transmitters
  • radio 114 may include at least one transmitter 118
  • radio 144 may include at least one transmitter 148.
  • radio 114 and/or radio 144, transmitters 118 and/or 148, and/or receivers 116 and/or 146 may include circuitry; logic; Radio Frequency (RF) elements, circuitry and/or logic; baseband elements, circuitry and/or logic; modulation elements, circuitry and/or logic; demodulation elements, circuitry and/or logic; amplifiers; analog to digital and/or digital to analog converters; filters; and/or the like.
  • radio 114 and/or radio 144 may include or may be implemented as part of a wireless Network Interface Card (NIC), and the like.
  • NIC wireless Network Interface Card
  • radios 114 and/or 144 may be configured to communicate over a 2.4GHz band, a 5GHz band, an mmWave band, a S IG band, and/or any other band.
  • radios 114 and/or 144 may include, or may be associated with, one or more antennas 107 and/or 147, respectively.
  • device 102 may include a single antenna 107. In another example, device 102 may include two or more antennas 107. [0057] In one example, device 140 may include a single antenna 147. In another example, device 140 may include two or more antennas 147.
  • Antennas 107 and/or 147 may include any type of antennas suitable for transmitting and/or receiving wireless communication signals, blocks, frames, transmission streams, packets, messages and/or data.
  • antennas 107 and/or 147 may include any suitable configuration, structure and/or arrangement of one or more antenna elements, components, units, assemblies and/or arrays.
  • Antennas 107 and/or 147 may include, for example, antennas suitable for directional communication, e.g., using beamforming techniques.
  • antennas 107 and/or 147 may include a phased array antenna, a multiple element antenna, a set of switched beam antennas, and/or the like.
  • antennas 107 and/or 147 may implement transmit and receive functionalities using separate transmit and receive antenna elements.
  • antennas 107 and/or 147 may implement transmit and receive functionalities using common and/or integrated transmit/receive elements.
  • device 102 may include a controller 124
  • device 140 may include a controller 154.
  • Controller 124 may be configured to perform and/or to trigger, cause, instruct and/or control device 102 to perform, one or more communications, to generate and/or communicate one or more messages and/or transmissions, and/or to perform one or more functionalities, operations and/or procedures between devices 102, 140, and/or one or more other devices; and/or controller 154 may be configured to perform, and/or to trigger, cause, instruct and/or control device 140 to perform, one or more communications, to generate and/or communicate one or more messages and/or transmissions, and/or to perform one or more functionalities, operations and/or procedures between devices 102, 140, and/or one or more other devices, e.g., as described below.
  • controllers 124 and/or 154 may include, or may be implemented, partially or entirely, by circuitry and/or logic, e.g., one or more processors including circuitry and/or logic, memory circuitry and/or logic, Media-Access Control (MAC) circuitry and/or logic, Physical Layer (PHY) circuitry and/or logic, baseband (BB) circuitry and/or logic, a BB processor, a BB memory, Application Processor (AP) circuitry and/or logic, an AP processor, an AP memory, and/or any other circuitry and/or logic, configured to perform the functionality of controllers 124 and/or 154, respectively.
  • circuitry and/or logic e.g., one or more processors including circuitry and/or logic, memory circuitry and/or logic, Media-Access Control (MAC) circuitry and/or logic, Physical Layer (PHY) circuitry and/or logic, baseband (BB) circuitry and/or logic, a BB processor, a BB memory, Application Processor (AP) circuitry
  • controllers 124 and/or 154 may be implemented by logic, which may be executed by a machine and/or one or more processors, e.g., as described below.
  • controller 124 may include circuitry and/or logic, for example, one or more processors including circuitry and/or logic, to cause, trigger and/or control a wireless device, e.g., device 102, and/or a wireless station, e.g., a wireless STA implemented by device 102, to perform one or more operations, communications and/or functionalities, e.g., as described herein.
  • controller 124 may include at least one memory, e.g., coupled to the one or more processors, which may be configured, for example, to store, e.g., at least temporarily, at least some of the information processed by the one or more processors and/or circuitry, and/or which may be configured to store logic to be utilized by the processors and/or circuitry.
  • controller 154 may include circuitry and/or logic, for example, one or more processors including circuitry and/or logic, to cause, trigger and/or control a wireless device, e.g., device 140, and/or a wireless station, e.g., a wireless STA implemented by device 140, to perform one or more operations, communications and/or functionalities, e.g., as described herein.
  • a wireless device e.g., device 140
  • a wireless station e.g., a wireless STA implemented by device 140
  • controller 154 may include at least one memory, e.g., coupled to the one or more processors, which may be configured, for example, to store, e.g., at least temporarily, at least some of the information processed by the one or more processors and/or circuitry, and/or which may be configured to store logic to be utilized by the processors and/or circuitry.
  • at least part of the functionality of controller 124 may be implemented as part of one or more elements of radio 114, and/or at least part of the functionality of controller 154 may be implemented as part of one or more elements of radio 144.
  • the functionality of controller 124 may be implemented as part of any other element of device 102, and/or the functionality of controller 154 may be implemented as part of any other element of device 140.
  • device 102 may include a message processor 128 configured to generate, process and/or access one or more messages communicated by device 102.
  • message processor 128 may be configured to generate one or more messages to be transmitted by device 102, and/or message processor 128 may be configured to access and/or to process one or more messages received by device 102, e.g., as described below.
  • message processor 128 may include at least one first component configured to generate a message, for example, in the form of a frame, field, information element and/or protocol data unit, for example, a MAC Protocol Data Unit (MPDU); at least one second component configured to convert the message into a PHY Protocol Data Unit (PPDU), for example, by processing the message generated by the at least one first component, e.g., by encoding the message, modulating the message and/or performing any other additional or alternative processing of the message; and/or at least one third component configured to cause transmission of the message over a wireless communication medium, e.g., over a wireless communication channel in a wireless communication frequency band, for example, by applying to one or more fields of the PPDU one or more transmit waveforms.
  • message processor 128 may be configured to perform any other additional or alternative functionality and/or may include any other additional or alternative components to generate and/or process a message to be transmitted.
  • device 140 may include a message processor 158 configured to generate, process and/or access one or more messages communicated by device 140.
  • message processor 158 may be configured to generate one or more messages to be transmitted by device 140, and/or message processor 158 may be configured to access and/or to process one or more messages received by device 140, e.g., as described below.
  • message processor 158 may include at least one first component configured to generate a message, for example, in the form of a frame, field, information element and/or protocol data unit, for example, a MAC Protocol Data Unit (MPDU); at least one second component configured to convert the message into a PHY Protocol Data Unit (PPDU), for example, by processing the message generated by the at least one first component, e.g., by encoding the message, modulating the message and/or performing any other additional or alternative processing of the message; and/or at least one third component configured to cause transmission of the message over a wireless communication medium, e.g., over a wireless communication channel in a wireless communication frequency band, for example, by applying to one or more fields of the PPDU one or more transmit waveforms.
  • message processor 158 may be configured to perform any other additional or alternative functionality and/or may include any other additional or alternative components to generate and/or process a message to be transmitted.
  • message processors 128 and/or 158 may include, or may be implemented, partially or entirely, by circuitry and/or logic, e.g., one or more processors including circuitry and/or logic, memory circuitry and/or logic, Media-Access Control (MAC) circuitry and/or logic, Physical Layer (PHY) circuitry and/or logic, BB circuitry and/or logic, a BB processor, a BB memory, AP circuitry and/or logic, an AP processor, an AP memory, and/or any other circuitry and/or logic, configured to perform the functionality of message processors 128 and/or 158, respectively. Additionally or alternatively, one or more functionalities of message processors 128 and/or 158 may be implemented by logic, which may be executed by a machine and/or one or more processors, e.g., as described below.
  • At least part of the functionality of message processor 128 may be implemented as part of radio 114, and/or at least part of the functionality of message processor 158 may be implemented as part of radio 144.
  • message processor 128 may be implemented as part of controller 124, and/or at least part of the functionality of message processor 158 may be implemented as part of controller 154.
  • the functionality of message processor 128 may be implemented as part of any other element of device 102, and/or the functionality of message processor 158 may be implemented as part of any other element of device 140.
  • at least part of the functionality of controller 124 and/or message processor 128 may be implemented by an integrated circuit, for example, a chip, e.g., a System on Chip (SoC).
  • SoC System on Chip
  • the chip or SoC may be configured to perform one or more functionalities of radio 114.
  • the chip or SoC may include one or more elements of controller 124, one or more elements of message processor 128, and/or one or more elements of radio 114.
  • controller 124, message processor 128, and radio 114 may be implemented as part of the chip or SoC.
  • controller 124, message processor 128 and/or radio 114 may be implemented by one or more additional or alternative elements of device 102.
  • at least part of the functionality of controller 154 and/or message processor 158 may be implemented by an integrated circuit, for example, a chip, e.g., a SoC.
  • the chip or SoC may be configured to perform one or more functionalities of radio 144.
  • the chip or SoC may include one or more elements of controller 154, one or more elements of message processor 158, and/or one or more elements of radio 144.
  • controller 154, message processor 158, and radio 144 may be implemented as part of the chip or SoC.
  • controller 154, message processor 158 and/or radio 144 may be implemented by one or more additional or alternative elements of device 140.
  • device 102 and/or device 140 may include, operate as, perform the role of, and/or perform one or more functionalities of, one or more STAs.
  • device 102 may include at least one STA, and/or device 140.
  • wireless communication devices 102 and/or 140 may form, or may communicate as part of, a wireless local area network (WLAN).
  • WLAN wireless local area network
  • wireless communication devices 102 and/or 140 may form, or may communicate as part of, a WiFi network.
  • wireless communication devices 102 and/or 140 may form, and/or communicate as part of, any other additional or alternative network.
  • devices 102 and/or 140 may be configured to setup and/or establish a secure wireless connection, for example, a secured WiFi connection in a WiFi network and/or any other secure wireless connection in any other network, e.g., as described below.
  • a secure wireless connection for example, a secured WiFi connection in a WiFi network and/or any other secure wireless connection in any other network, e.g., as described below.
  • Some demonstrative embodiments are described herein with respect to securing wireless communication in a WiFi network, for example, by establishing a secure WiFi connection. In Other embodiments may be implemented to secure wireless communication in any other type of network, for example, by establishing any other type of secure wireless connection.
  • devices 102 and/or 140 may be configured to setup and/or establish the secure wireless connection, for example, even in public places, e.g., where a connection may typically not be secured, for example, at a WiFi layer, e.g., as described below.
  • devices 102 and/or 140 may be configured to setup and/or establish the secure wireless connection according to a protocol, which may be configured to address one or more technical problems of setting up a secure wireless connection, for example, even without any impact on user interface, with no request for configuration of a pre- shared passphrase or a certificate, without heavy infrastructure support, and/or while addressing one or more additional or alternative technical aspects, e.g., as described below.
  • a protocol which may be configured to address one or more technical problems of setting up a secure wireless connection, for example, even without any impact on user interface, with no request for configuration of a pre- shared passphrase or a certificate, without heavy infrastructure support, and/or while addressing one or more additional or alternative technical aspects, e.g., as described below.
  • devices 102 and/or 140 may be configured to setup and/or establish the secure wireless connection according to a protocol, which may be configured, for example, to utilize one or more operations and/or communications, which may be in compliance with a Secure Authentication of Equals (SAE) mechanism, e.g., which may be configured to support one or more new use-cases and/or scenarios, e.g., as described below.
  • SAE Secure Authentication of Equals
  • devices 102 and/or 140 may be configured to setup and/or establish the secure wireless connection according to a protocol, which may configure, for example, a way, in which an AP, e.g., device 140, and a STA, e.g., device 102, may report, advertize, indicate and/or signal, one or more capabilities, for example, by configuring an Authentication and Key Management (AKM) suites report in a Robust Security Network (RSN) Element (RSNE), and/or configuring an SEA flow, e.g., as described below.
  • a protocol which may configure, for example, a way, in which an AP, e.g., device 140, and a STA, e.g., device 102, may report, advertize, indicate and/or signal, one or more capabilities, for example, by configuring an Authentication and Key Management (AKM) suites report in a Robust Security Network (RSN) Element (RSNE), and/or configuring an SEA flow
  • devices 102 and/or 140 may be configured to setup and/or establish the secure wireless connection according to a protocol, which may be configured to address one or more technical problems of one or more mechanisms, for example, according to an IEEE 802.11 Specification, for supporting privacy, e.g., using encryption, during a session, e.g., a WiFi session, between a STA and an AP, e.g., as described below.
  • an 802. IX Authentication mechanism e.g., in accordance with an IEEE 802. IX Specification, may be configured for large enterprise deployments, and/or may rely on sophisticated public key infrastructures.
  • a preconfigured Pre-Shared Key (PSK) mechanism may be based on a PSK, e.g., a password, which may be entered on client devices and on the AP or wireless gateway, which may be used for providing the authentication.
  • PSK Pre-Shared Key
  • Both the 802. IX authentication and the PSK mechanisms may result in a Pairwise Master Key (PMK), which may be used, for example, as an input for a 4-way handshake process, which, in turn, may generate one or more Transient-Keys (TKs), which may be used for an actual data encryption/decryption .
  • PMK Pairwise Master Key
  • TKs Transient-Keys
  • the 802. IX authentication mechanism may require a configuration of a certificate in both the AP and the STA; and the PSK mechanism may require a configuration of a shared secret, e.g., a passphrase or password, in both the AP and the STA.
  • a shared secret e.g., a passphrase or password
  • the above mechanisms may not be suitable for and/or efficient for some use cases, scenarios and/or deployments.
  • WiFi may be made available in public places, e.g., for random visitors, for whom one or both mechanisms(802.1X and PSK) may not be applicable.
  • the connection may be typically Open', e.g., not secured, and no privacy is available, e.g., all data may be transmitted in an "open" unencrypted manner.
  • a Wireless Protected Setup (WPS) mechanism may not be suitable for and/or efficient for some use cases, scenarios and/or deployments.
  • the WPS mechanism may create a unique PSK shared between the AP and STA based on some less secure inputs with usage limited by time or physical access to the AP, such as, for example, push button, Near-Field Communication (NFC), Pin, and the like.
  • the WPS mechanism may be used, for example, for consumer products.
  • the WPS mechanism may have one or more technical problems, for example, the WPS mechanism may require physical access to an AP, and/or may not be scalable for use for public APs, e.g., since an AP cannot preserve unique keys for all STAs connected to the AP over time.
  • a Hotspot 2.0 and a Passpoint Release (Rel) 2" mechanism may not be suitable for and/or efficient for some use cases, scenarios and/or deployments.
  • the Hotspot 2.0 and Passpoint Rel 2 mechanisms may allow establishing a secure connection over special open WiFi connection or via non-WiFi connection, for example, to obtain WiFi security credentials.
  • These mechanisms may be used, for example, for Service Providers that may charge customers for the connection.
  • Service Providers may charge customers for the connection.
  • these mechanisms may have one or more technical problems, for example, as it requires heavy infrastructure, and/or may be less suitable for small businesses trying to provide a WiFi network for their customers.
  • devices 102 and/or 140 may be configured to setup and/or establish a secure wireless connection according to a protocol, which may be configured, for example, in compliance with one or more positioning protocols, for example, in accordance with a future IEEE 802.11az Specification.
  • a protocol which may be configured, for example, in compliance with one or more positioning protocols, for example, in accordance with a future IEEE 802.11az Specification.
  • a STA when arriving to a public location, e.g., a mall, a STA can initiate range measurement with multiple APs, and the APs may transmit in response ranging measurement frames, for example, Fine-Timing-Measurement (FTM) frames, to the STA, to which the STA responds with an Acknowledgement (Ack).
  • FTM Fine-Timing-Measurement
  • devices 102 and/or 140 may be configured to setup and/or establish the secure wireless connection according to a protocol, which may be configured, for example, to allow protecting and/or securing transmissions of one or more ranging frames, e.g., FTM frames, of the ranging measurement, e.g., as described below.
  • a protocol which may be configured, for example, to allow protecting and/or securing transmissions of one or more ranging frames, e.g., FTM frames, of the ranging measurement, e.g., as described below.
  • Some demonstrative embodiments are describe herein with respect to establishing a secure wireless connection, for example, to secure communication of one or more ranging messages, for example, FTM messages, e.g., as described below.
  • the secure wireless connection may be established, for example, to secure communication of any other additional or alternative type of messages.
  • devices 102 and/or 140 may be configured to communicate the ranging frames, for example, as part of a positioning and/or ranging measurement, e.g., as described below.
  • devices 102, and/or 140 may be configured to perform the positioning and/or ranging measurement, e.g., as described below.
  • devices 102, and/or 140 may be configured to perform a single user (SU) and/or a Multi User (MU) positioning and/or ranging measurement, e.g., as described below.
  • SU single user
  • MU Multi User
  • device 102 may include one or more applications configured to provide and/or to use one or more location based services, e.g., a social application, a navigation application, a location based advertising application, and/or the like.
  • device 102 may include an application 125 to be executed by device 102.
  • application 125 may use range information between devices 102 and 140, for example, to determine an estimated location of device 140, e.g., with respect to a coordinate system, e.g., a World Geodetic System 1984 (WGS84), and/or a local coordination.
  • a coordinate system e.g., a World Geodetic System 1984 (WGS84)
  • WGS84 World Geodetic System 1984
  • device 102 may include a Smartphone and device 140 may include an AP, which is located in a shop, e.g., in a shopping mall.
  • application 125 may use the range information to determine a relative location of device 102 with respect to device 140, for example, to receive sale offers from the shop.
  • device 102 may include a mobile device and device 140 may include a responding station, which is located in a parking zone, e.g., of a shopping mall.
  • application 125 may use the range information to determine a location of device 102 in the parking zone, for example, to enable a user of device 102 to find a parking area in the parking zone.
  • device 102 may include a location estimator 115 configured to perform one or more positioning measurements to be used to estimate a location of device 102, e.g., as described below.
  • location estimator 115 may be configured to determine a location of device 102, for example, using a plurality of ranges from the plurality of other STAs, e.g., by performing trilateration.
  • location estimator 115 may include circuitry and/or logic, e.g., processor circuitry and/or logic, memory circuitry and/or logic, and/or any other circuitry and/or logic, configured to perform the functionality of location estimator 115. Additionally or alternatively, one or more functionalities of location estimator 115 may be implemented by logic, which may be executed by a machine and/or one or more processors, e.g., as described below.
  • location estimator 115 may be implemented as part of controller 124.
  • functionality of location estimator 115 may be implemented as part of any other element of device 102.
  • location estimator 115 may be configured to estimate the location of device 102, for example, based on time based range measurements, for example, with device 140 and/or one or more other devices.
  • the time based range measurements may be performed using WLAN communications, e.g., WiFi.
  • WiFi Wireless Fidelity
  • using WiFi to perform the time based range measurements may enable, for example, increasing an indoor location accuracy of the location estimation of device 140, e.g., in an indoor environment.
  • the time based range measurements may include a round trip time (RTT) measurement (also referred to as Time of Flight (ToF) procedure).
  • RTT round trip time
  • ToF Time of Flight
  • a ToF value may be defined as the overall time a signal propagates from a first station, e.g., device 140, to a second station, e.g., device 102, and back to the first station.
  • a distance between the first and second stations may be determined based on the ToF value, for example, by dividing the RTT value by two and multiplying the result by the speed of light.
  • the ToF measurement procedure may include one or more operations, communications and/or measurements according to a Very High Throughput (VHT) ranging procedure.
  • VHT Very High Throughput
  • the ToF measurement procedure may include one or more operations, communications and/or measurements according to a High Efficiency (HE) ranging procedure.
  • HE High Efficiency
  • the ToF measurement procedure may include one or more operations, communications and/or measurements according to a Fine Timing Measurement (FTM) procedure.
  • FTM Fine Timing Measurement
  • the ToF measurement procedure may include one or more operations, communications and/or measurements according to any other additional or alternative positioning measurement.
  • an RTT value may be defined as the overall time a signal propagates from a first station, e.g., device 102, to a second station, e.g., device 140, and back to the first station.
  • a ToF value may be defined as the overall time a signal propagates from a first station, e.g., device 102, to a second station, e.g., device 140.
  • a distance between the first and second stations may be determined based on the RTT value, for example, by dividing the RTT value by two and multiplying the result by the speed of light, or by multiplying the ToF value by the speed of light.
  • device 102 and/or device 140 may be configured to perform one or more ranging measurements, ToF measurements, VHT ranging measurements, HE ranging measurements, FTM measurements, positioning measurements and/or communications, ranging measurements and/or communications, proximity measurements and/or communications, location estimation measurements and/or communications.
  • devices 102 and/or 140 may be configured to perform any other additional or alternative positioning measurements and/or communications, ranging measurements and/or communications, proximity measurements and/or communications, location estimation measurements and/or communications, for example, and/or according to any other additional or alternative procedure and/or protocol, e.g., an Received Signal Strength Indication (RSSI) procedure.
  • RSSI Received Signal Strength Indication
  • devices 102 and/or 140 may be configured to perform one or more VHT measurements, for example, using WLAN communications, e.g., WiFi.
  • WLAN communications e.g., WiFi.
  • WiFi Wireless Fidelity
  • using WiFi to perform time based range measurements, e.g., ranging measurements may enable, for example, increasing an indoor location accuracy of the mobile devices, e.g., in an indoor environment.
  • device 102 may perform a role of, one or more operations of, and/or one or more functionalities of, an initiating device, e.g., an initiating STA, and device 140 may perform a role of, one or more operations of, and/or one or more functionalities of, a responding device, e.g., a responding STA.
  • device 140 may include an AP, and/or device may include a non-AP STA, for example, a mobile device, e.g., a Smartphone, which may perform the ranging protocol with the AP, for example, to determine a location of the mobile device.
  • device 102 may include a positioning component 117, and/or device 140 may include a positioning component 157, which may be configured to perform one or more positioning measurements, operations and/or communications, e.g., as described below.
  • positioning components 117 and/or 157 may be configured to perform one or more operations and/or communications of a VHT ranging measurement, for example, a VHTz measurement, e.g., as described below.
  • positioning components 117 and/or 157 may be configured to perform one or more operations and/or communications of any other additional or alternative positioning measurement.
  • positioning components 117 and/or 157 may include, or may be implemented, using suitable circuitry and/or logic, e.g., controller circuitry and/or logic, processor circuitry and/or logic, memory circuitry and/or logic, and/or any other circuitry and/or logic, which may be configured to perform at least part of the functionality of positioning components 117 and/or 157. Additionally or alternatively, one or more functionalities of positioning components 117 and/or 157 may be implemented by logic, which may be executed by a machine and/or one or more processors, e.g., as described below.
  • positioning component 117 may be configured to perform one or more operations of, and/or at least part of the functionality of, message processor 128 and/or controller 124, for example, to trigger communication of one or more VHT messages, HE ranging measurements, FTM messages, and/or positioning packets, e.g., as described below.
  • positioning component 157 may be configured to perform one or more operations of, and/or at least part of the functionality of, message processor 158 and/or controller 154, for example, to trigger communication of one or more VHT messages, HE ranging measurements, FTM messages, and/or positioning packets, e.g., as described below.
  • positioning components 117 and/or 157 may be configured to trigger the ranging measurements, for example, periodically and/or or upon a request from an application executed by a device, for example, to determine an accurate location of the device.
  • positioning components 117 and/or 157 may be configured to perform one or more measurements according to a VHT ranging protocol, an HE ranging protocol, and/or an FTM protocol, e.g., as described below.
  • positioning components 117 and/or 157 may be configured to perform one or more proximity, ranging, and/or location estimation measurements, e.g., in an indoor location, based on the ranging measurements.
  • the VHT ranging measurements may provide a relatively accurate estimation of location, range and/or proximity, e.g., in an indoor location.
  • a positioning component e.g., positioning components 117 and/or 157, configured to perform measurements according to a VHT ranging protocol and/or procedure.
  • the positioning component may be configured to perform any other additional or alternative type of Time of Flight (ToF) measurements, ranging measurements, FTM measurements, HE ranging measurements, positioning measurements, proximity measurements, and/or location estimation measurements, e.g., according to any additional or alternative protocol and/or procedure.
  • TOF Time of Flight
  • devices 102 and/or 140 may be configured to setup and/or establish the secure wireless connection according to a protocol, which may be configured, for example, to allow applying ranging security, e.g., FTM security, for example, even without a certificate, e.g., by even allowing everyone who enters the venue to enjoy a secure ranging procedure, e.g., a secure FTM procedure.
  • a protocol which may be configured, for example, to provide a simple mechanism for supplying security at the WiFi layer, e.g., as described below.
  • devices 102 and/or 140 may be configured to setup and/or establish the secure wireless connection according to a protocol, which may utilize one or more operations of a Secure Authentication of Equals (SAE) mechanism, for example, in compliance with an IEEE 802.11 Specification, e.g., as described below.
  • SAE Secure Authentication of Equals
  • the SAE mechanism may use a Diffie Hellman (DH) like algorithm, for example, to establish a shared secret between two parties.
  • the algorithm may use a public key and may rely on an exchange that may be visible to a third party but does not expose the resulted shared secret.
  • the resulted shared secret can then be used, for example, as a PMK, to encrypt messages between these two parties.
  • DH Diffie Hellman
  • the SAE mechanism may be used, for example, in Independent Basic Service Set (IBSS) connections and/or with PSK authentication, e.g., a PSK passphrase may be used for the public key generation, and the resulting shared secret may be used as PMK.
  • IBSS Independent Basic Service Set
  • PSK passphrase may be used for the public key generation, and the resulting shared secret may be used as PMK.
  • one or more operations and/or messages of an SAE mechanism may be implemented, for example, to setup a secure wireless connection between a STA, e.g., device 102, and one or more APs, for example, public APs, e.g., including device 140, e.g., as described below.
  • one or more operations of a mechanism to setup a secure wireless connection may be implemented, for example, in some use cases, scenarios, and/or deployments, for example, to solve one or more technical problems, which may be related to Public APs and/or any other type of APs, e.g., as described below.
  • APs may not use WiFi security
  • WiFi data may be transmitted in a "clear", e.g., unprotected manner.
  • APs e.g., public APs
  • security/encryption for example, as such APs may not support a Certificate or a PSK installation, e.g., according to the mechanisms described above.
  • devices 102 and/or 140 may be configured to perform one or more operations of a mechanism to setup a secure wireless connection, for example, using one or more operations and/or communications of an SAE mechanism, e.g., as described below.
  • implementation of the mechanism to setup the secure wireless connection using one or more operations and/or communications of the SAE mechanism may allow devices 102 and/or 140 to setup a secure wireless connection, for example, even if the installation of the Certificate or the PSK is not really mandatory, e.g., as described below.
  • the mechanism to setup the secure wireless connection may be configured to apply one or more operations of the SAE, for example, using a pre-defined method for generating a "PSK like" passphrase (also referred to as "public PSK”), e.g., as described below.
  • a resulting PMK to be used by the STA and the AP may be secure and/or may not be compromised, for example, even in case the "public PSK" is not based on a 'random' passphrase that was configured, e.g., separately, in the AP and STA, and/or even if the "public PSK" is known to a third party eavesdropper who may listen to one or more messages of an SAE exchange between the AP and the STA, e.g., as described below.
  • the secure session protocol described herein may provide one or more advantages and/or technical solutions with respect to one or more alternative solutions, e.g., as described below.
  • a problem which may be addressed is that for simplified user experience those networks avoid using of WiFi security at all and leave WiFi connection completely unprotected, so hackers can attack devices connected to such public network using relatively simple hacks, e.g., spoofing.
  • the secure session protocol described herein may provide a solution, which may, for example, allow to create a secure WiFi connection, for example, even without any impact on user interface and/or with a one time action, for example, of obtaining a public key, e.g., as described below.
  • devices 102 and/or 140 may be configured to create a secured WiFi connection, for example, even in public places, e.g., where currently the connection is typically not secured at the WiFi layer, for example, even without any impact on the user interface, with no request for configuration of a pre-shared passphrase or a certificate, and without heavy infrastructure support, e.g., as described below.
  • devices 102 and/or 140 may be configured to create a secure wireless connection, for example, using one or more operations of an SAE mechanism, for example, in compliance with an IEEE 802.11 Specification, e.g., as described below.
  • the mechanism to setup the secure wireless connection may be configured, for example, by redefining one or more operations of the SAE mechanism, and/or by introducing one or more additional and/or alternative operations and/or communications, e.g., as described below.
  • Fig. 2 schematically illustrates an SAE procedure 200, which may be implemented in accordance with some demonstrative embodiments.
  • SAE procedure 200 may be performed between a STA 202 and an AP 240.
  • device 102 (Fig. 1) may perform the role of, one or more functionalities of, and/or one or more operations of STA 202
  • device 140 (Fig. 1) may perform the role of, one or more functionalities of, and/or one or more operations of STA 240.
  • AP 240 may transmit a probe response 214 to STA 202, for example, in response to a probe request 212 from STA 202 to AP 240.
  • AP 240 may indicate, for example, in the probe response 214, that AP 240 supports SAE authentication.
  • STA 202 may choose to apply SAE authentication with the AP 240, for example, by transmitting an SAE authentication commit message 216 to the AP 240.
  • the AP 240 may respond with a similar SAE Authentication Commit message 218 to the STA 202.
  • SAE Authentication Commit message 216 may include, for example, information calculated by STA 202; and/or SAE Authentication Commit message 218 may include, for example, information calculated by the AP 240, e.g., as described below.
  • the information in SAE Authentication Commit message 216 may be calculated by the STA 202, for example, based on a PSK passphrase (public PSK) that may be public, and an internal secret that is known only to the STA 202; and/or the information in SAE Authentication Commit message 218 may be calculated by the AP 240, for example, based on the public PSK, and an internal secret that is known only to the AP 240, e.g., as described below.
  • PSK passphrase public PSK
  • AP 240 for example, based on the public PSK, and an internal secret that is known only to the AP 240, e.g., as described below.
  • the internal secret values of the STA 202 and/or the AP 240 may, for example, never be transmitted over the air. [00168] In some demonstrative embodiments, the internal secret values of the STA 202 and/or the AP 240 cannot be calculated/revealed from SAE authentication commit messages 216 and 218.
  • the AP 240 may calculate a secure PMK value, for example, using the internal secret of the AP 240 and the information included in the SAE authentication commit message 216; and/or after the STA 202 receives SAE authentication commit message 218, the STA 202 may calculate the secure PMK value, for example, using the internal secret of the STA 202 and the information included in the SAE authentication commit message 218, e.g., as described below.
  • the resulting PMK value determined by AP 240 may be the same as the resulting PMK value determined by STA 202, for example, while each side e.g., AP 240 or STA 202, may use its own internal secret, which may be unknown to the other party,.
  • the secure PMK value may be available and shared between the AP 240 and STA 202.
  • This secure PMK value may not be available to a third party that may listen to the exchange of SAE authentication commit messages 216 and 218, for example, even if the third party knows the PSK passphrase.
  • an additional exchange of confirm messages 222 and 224 may optionally be applied between AP 240 and STA 202, for example, to make sure that indeed a shared PMK value is available.
  • the mechanism to setup the secure wireless connection may be configured, for example, by redefining one or more operations of an SAE flow, e.g., as shown in Fig. 2, and/or by introducing one or more additional and/or alternative operations and/or communications, e.g., as described below.
  • an AP for example, a "public AP", e.g., device 140, may be configured to advertise that 'Privacy' is supported, for example, instead of advertizing 'No Privacy' in its 'Capability Information field', which may be included by the AP, for example, at least in a Beacon, a Probe Response, an Association Response, a Reassociation Response, and/or any other message, e.g., as described below.
  • the AP e.g., device 140
  • the AP may be configured to advertise, for example, in a Robust Security Network (RSN) Information Element (IE) of an Authentication and Key Management (AKM) Suite, that the AP is to use SAE mechanism for generating the security keys, e.g., as described below.
  • RSN Robust Security Network
  • IE Information Element
  • ALM Authentication and Key Management
  • the AP may advertise the to use SAE mechanism for generating the security keys in any other additional or alternative field, message and/or IE.
  • the AKM suite may be configured to include one or more entries, for example, in addition to or instead of, an AKM entry, which may be used for indicating that SAE is used with PSK, e.g., as described below.
  • a new AKM may be configured to indicate that SAE is to be used with an alternative source for the public key, e.g. a MAC address of the AP, an identifier of the AP, and/or any other information, as described below.
  • an alternative source for the public key e.g. a MAC address of the AP, an identifier of the AP, and/or any other information, as described below.
  • a STA e.g., device 102
  • AP e.g., device 140
  • SAE authentication with the AP
  • PMK the resulting PMK to generate the encryption keys
  • the WiFi session will be protected, e.g., fully protected, e.g., instead of "open", for example, even without any pre- configuration and/or setting from the user side, e.g., as described below.
  • device 140 may be configured to transmit a frame, e.g., as a unicast transmission to device 102 or a broadcast transmission, including an indication that device 140 supports Privacy, and an indication that device 140 supports SAE with a public PSK mode using a public-PSK, e.g., as described below.
  • controller 154 and/or positioning component 157 may be configured to control, cause and/or trigger the station implemented by device 140 to transmit the frame including the indication that device 140 supports Privacy, and the indication that device 140 supports the SAE with the public PSK mode using the public-PSK, e.g., as described below.
  • the frame may include a beacon or a probe response, e.g., in response to a probe request from device 102.
  • the frame may include any other frame, e.g., an association response, a reassociation response, and the like.
  • an AP for example, a public AP, e.g., device 140
  • a public AP e.g., device 140
  • the indication that 'Privacy' is supported may be included in any other additional or alternative field.
  • an AP for example, a public AP, e.g., device 140, may be configured to generate and/or transmit more frames and/or responses, e.g., a probe response, in which the AP may advertise that SAE with "public PSK" is supported.
  • device 140 may be configured to generate the frame including an AKM suite in an RSN Element (RSNE), e.g., as described below.
  • RSNE RSN Element
  • the AKM suite may include the indication that the device 140 supports the SAE using the public PSK mode, e.g., as described below.
  • message processor 158 may be configured to generate and cause transmitter 148 to transmit one or more frames and/or responses, e.g., a probe response, in which device 140 may advertise that SAE using the public PSK mode is supported.
  • the AP may report that SAE with "public PSK" is supported, for example, by including an AKM suite, e.g., a new AKM Suite, in the RSNE, e.g., as described below.
  • an AKM suite e.g., a new AKM Suite
  • any other AKM suite for example, one or more fields of an AKM suite, and/or any other field, entry, and/or element may be implemented to provide the indication that SAE with "public PSK" is supported.
  • the AKM suite to indicate that SAE with "public PSK” is supported e.g., the "new" AKM, may be in addition to, instead of and/or similar to an AKM entry for indicating that SAE is used with PSK.
  • the AKM suite may have an AKM Suite type, which is between 14- 255. In other embodiments, the AKM suite may have any other AKM Suite type.
  • the AKM suite to indicate that SAE with "public PSK” is supported may be configured to indicate that SAE is to be used with an alternative source for a public key, e.g., a public PSK, for example, an identifier of the AP, e.g., the MAC address of the AP, e.g., as described below.
  • a public key e.g., a public PSK
  • any additional or alternative information e.g., in addition to or instead of the MAC address of the APs, may be used to define and/or determine the public key.
  • device 140 may configured to generate the frame, which is to indicate that SAE with "public PSK" is supported, including an indication of the public-PSK, e.g., as described below.
  • the indication of the public-PSK may include an indication that a preconfigured value is to be used as the public PSK, e.g., as described below.
  • the indication of the public-PSK may include an indication that the public PSK is to be determined based on one or more parameters, for example, a MAC address of the AP and/or a MAC address of the STA, e.g., as described below.
  • the indication of the public-PSK may include a value, e.g., a preconfigured value or a random value, to be used as the public PSK, e.g., as described below.
  • the indication of the public-PSK may include an indication that a preconfigured value, e.g., a constant value, may be used as the public PSK.
  • the preconfigured value may be defined in a standard and/or protocol.
  • the AP when an AP indicates that the AP supports SAE with a public PSK mode, the AP shall use a preconfigured public-PSK, e.g., a constant public-PSK, for the SAE, e.g., with any STA.
  • a preconfigured public-PSK e.g., a constant public-PSK
  • a STA when a STA receives from an AP an indication that the AP supports SAE with a public PSK mode, the STA shall use a preconfigured public-PSK, e.g., a constant public- PSK, for the SAE with the AP.
  • device 102 may receive the frame from device 102 including the indication that device 140 supports Privacy, and the indication that device 140 supports the SAE with the public PSK mode using the public-PSK, e.g., as described below.
  • controller 124 and/or positioning component 117 may be configured to control, cause and/or trigger the station implemented by device 102 to receive from device 140 the frame including the indication that device 140 supports Privacy, and the indication that device 140 supports the SAE with the public PSK mode using the public-PSK, e.g., as described below.
  • a STA may receive and/or process the one or more frames from an AP, e.g., device 140, e.g., the probe response, including the new "public PSK" AKM suite in the RSNE of the Probe response .
  • controller 124 and/or positioning component 117 may be configured to control, cause and/or trigger the station implemented by device 102 to determine a public-PSK to be used for implementing an SAE mechanism with device 140, e.g., as described below.
  • the public-PSK may be based on random information, e.g., as described below.
  • the public-PSK may be based on an identifier of device 140, and/or an identifier of device 102, e.g., as described below.
  • the public-PSK may be based on a Medium Access Control (MAC) address of device 140, and/or a MAC address of device 102, e.g., as described below.
  • the public-PSK may be based on random information concatenated by a MAC address of device 140, and a MAC address of device 102, e.g., as described below.
  • the random information may include a random value.
  • the public-PSK may be based on any other alternative or additional information.
  • controller 124 and/or positioning component 117 may be configured to control, cause and/or trigger the station implemented by device 102 to transmit a first SAE Authentication Commit message to device 140, e.g., as described below.
  • the first SAE Authentication Commit message may include first encrypted information including a secret key of device 102 encrypted according to an SAE encryption mechanism with the public-PSK, e.g. as described below.
  • the SAE encryption mechanism may include a Diffie-Hellman encryption mechanism, e.g., as described below. In other embodiments, the SAE encryption mechanism may include any other additional or alternative encryption mechanism.
  • the first SAE Authentication Commit message may include public-PSK information, which may indicate a public PSK to be used for the SAE mechanism, e.g., as described below.
  • the public-PSK information may include the random value.
  • the public-PSK information may include an indication that the public PSK is to be determined based on the MAC address of device 102 and/or the MAC address of device 140. [00217] In some demonstrative embodiments, the public-PSK information may include an indication that the public PSK is to include a preconfigured value.
  • controller 124 and/or positioning component 117 may be configured to control, cause and/or trigger the station implemented by device 102 to determine the public-PSK based on the public-PSK information, e.g., as described below.
  • the first SAE Authentication Commit message may include a Challenge Text Element including the public-PSK information, e.g., as described below.
  • the Challenge Text Element including the public-PSK information may include an element ID of 16, e.g., as described below.
  • the Challenge Text Element may include any other element ID.
  • the Challenge Text Element may include a challenge text field including the public-PSK information, e.g., as described below.
  • a STA e.g., device 102
  • the STA may generate a message, for example, a first SAE Authentication Commit message, e.g., a 802.11 SAE Authentication Commit message, to be transmitted towards the AP.
  • a first SAE Authentication Commit message e.g., a 802.11 SAE Authentication Commit message
  • the first SAE Authentication Commit message may include one or more elements and/or fields, for example, which may be similar to and/or in compliance with an SAE Authentication Commit message that is generated as part of a PSK- SAE process, e.g., SAE Authentication Commit message 216 (Fig. 2), and/or may be configured with one or more changes and/or differences, e.g., as described below.
  • the first SAE Authentication Commit message shall contain the Challenge Text Element, for example, in accordance with a Challenge Text Element, e.g., the Element ID 16.
  • the first SAE Authentication Commit message may use the Challenge Text Element, e.g., the Element ID 16, which may be defined and/or used during a Wired Equivalent Privacy (WEP) Shared Key authentication, and/or which may currently not be used for other authentication modes.
  • WEP Wired Equivalent Privacy
  • the Challenge Text Element shall contain a random text, which may be concatenated with the identifier of the AP, e.g., the MAC address of the AP, and the identifier of the STA, e.g., the MAC address of the STA, for example, to generate the public PSK, e.g., a 256 bits long "public PSK". In other embodiments, any other additional or alternative information may be used to generate the public PSK.
  • the STA may have already calculated and/or used the resulting 256 bits long "public PSK", for example, for the generation of the additional information that may be included in the first SAE Authentication Commit message as the Challenge Text Element.
  • the first SAE Authentication Commit message may include some or all of the information described above and/or additional and/or alternative fields and/or elements.
  • the AP e.g., device 140
  • the AP may be configured to receive and/or process the first SAE Authentication Commit message from the STA, e.g., device 102.
  • controller 154 and/or positioning component 157 may be configured to control, cause and/or trigger the station implemented by device 140 to process the first SAE Authentication Commit message, e.g., from device 102, including the first encrypted information including the secret key of device 102 encrypted according to the SAE encryption mechanism with the public-PSK, e.g., as described below.
  • controller 154 and/or positioning component 157 may be configured to control, cause and/or trigger the station implemented by device 140 to determine the public-PSK based on the public-PSK information, which may, for example, be included in, or indicated by the first SAE Authentication Commit message, e.g., as described below.
  • controller 154 and/or positioning component 157 may be configured to control, cause and/or trigger the station implemented by device 140 to transmit a second SAE Authentication Commit message to device 102, e.g., as described below.
  • the second SAE Authentication Commit message may include second encrypted information including a secret key of device 140 encrypted according to the SAE encryption mechanism with the public-PSK, e.g., as described below.
  • the second SAE Authentication Commit message may include the public-PSK information.
  • the second SAE Authentication Commit message may include the Challenge Text Element including the public-PSK information.
  • the Challenge Text Element in the second SAE Authentication Commit message may include the challenge text field including the public-PSK information, e.g., as described below.
  • the AP shall respond with the second, e.g., matching, SAE Authentication Commit message towards the STA, e.g., device 102.
  • the second SAE Authentication Commit message from the AP may include one or more elements and/or fields, for example, which may be similar to and/or in compliance with an SAE Authentication Commit message that may be generated by an AP as part of a PSK-SAE process, e.g., SAE Authentication Commit message 218 (Fig. 2), and/or may be configured with one or more changes and/or differences, e.g., as described below.
  • the second SAE Authentication Commit message from the AP shall contain the Challenge Text Element, for example, the same Challenge Text Element, e.g., Element ID 16, that was reported by the STA, for example, in the first SAE Authentication Commit message, e.g., with exactly the same content. In other embodiments, at least part of the content in the second SAE Authentication Commit message may be different.
  • including the same Challenge Text Element in the second SAE Authentication Commit message from the AP may allow to indicate that both sides, e.g., the STA and the AP, used the same public PSK, e.g., the 256 bits long "public PSK".
  • device 102 may receive the second SAE Authentication Commit message from device 140, e.g., as described below.
  • controller 124 and/or positioning component 117 may be configured to control, cause and/or trigger the station implemented by device 102 to process the second SAE Authentication Commit message, e.g., from device 140.
  • the second SAE Authentication Commit message may include the second encrypted information including the secret key of device 140 encrypted according to the SAE encryption mechanism with the public-PSK, e.g., as described above.
  • the AP and/or STA may be configured to perform one or more operations and/or communications, for example, in addition to, e.g., after, communicating the first and second SAE Authentication Commit messages between the AP to the STA, e.g., in compliance with a PSK-SAE process.
  • devices 102 and 140 may be configured to generate one or more security keys to secure communication of one or more messages between devices 102 and 140, for example, based on a Pairwise Master Key (PMK).
  • controller 124 and/or positioning component 117 may be configured to control, cause and/or trigger the station implemented by device 102 to generate the one or more security keys to secure communication of the one or more messages with device 140 based on the PMK, e.g., as described below
  • device 102 may determine the PMK, for example, based on the second encrypted information, e.g., in the second SAE Authentication Commit message from device 140, and the secret key of device 102, e.g., as described below.
  • controller 154 and/or positioning component 147 may be configured to control, cause and/or trigger the station implemented by device 140 to generate the one or more security keys to secure communication of the one or more messages with device 140 based on the PMK, e.g., as described below
  • device 140 may determine the PMK, for example, based on the first encrypted information, e.g., in the first SAE Authentication Commit message from device 102, and the secret key of device 140,e g., as described below.
  • a Confirm exchange may optionally be applied, for example, following the Commit exchange, e.g., of the first and second SAE Authentication Commit messages.
  • the AP and the STA may perform a 4-way handshake, for example, using the PMK, for example, following the Confirm Exchange.
  • the AP and the STA may perform one or more operations to generate security encryption keys, e.g., unicast and/or groupcast keys, for example, following the 4-way handshake.
  • devices 102 and 140 may use the security keys generated based on the PMK to secure communication of one or more messages including one or more FTM messages.
  • devices 102 and/or 140 may generate the one or more security keys to secure communication of the one or more FTM messages, for example, as part of an FTM procedure, e.g., as described above.
  • devices 102 and/or 140 may generate the one or more security keys to secure communication of any other additional or alternative type of messages to be communicated between devices 102 and 140.
  • Fig. 3 schematically illustrates operations and messages of a procedure 300 of setting up a secure wireless connection, in accordance with some demonstrative embodiments.
  • one or more operations of procedure 300 may be performed between a STA 302 and an AP 340, e.g., a public AP.
  • a STA 302 e.g., a public AP.
  • device 102 Fig. 1
  • device 140 Fig. 1
  • device 140 may perform the role of, one or more functionalities of, and/or one or more operations of STA 340.
  • AP 340 may transmit a probe response 314 to STA 302, for example, in response to a probe request 312 from STA 302 to AP 340.
  • AP 340 shall use a new AKM Suite in an RSN Element in Probe Response 314, e.g., as well as Beacons and/or one or more other additional or alternative frames from AP 340, for example, to report that AP340 is to support SAE with a public PSK mode using a public-PSK, in which, for example, a PSK is not pre-configured in the AP and/or STA, e.g., as described above.
  • STA 302 e.g., identifies that the AP 340, e.g., with which it wishes to associate, supports the public PSK mode using the public-PSK
  • the STA 302 shall perform one or more operations 330, e.g., as described below.
  • STA 302 may determine a public PSK to be used with the AP 340.
  • STA 302 may generate a random text that is concatenated with the MAC address of AP340 and the MAC address of STA 302 , for example, to generate a public PSK, , e.g., a 256-bit long, "public PSK”.
  • the STA 302 may Use the "public PSK", for example, in the same manner as a "regular” SAE flow, e.g., using the "public PSK" along with an internal secret to generate additional information, which may be carried within an SAE Authentication Commit message to AP 340.
  • STA 302 may transmit to AP 340 an SAE Authentication Commit message 316 including the random text and the "regular" SAE additional info.
  • SAE Authentication Commit message 316 may include the Challenge Text Element, e.g., element ID 16, including the public- PSK information, e.g., the random text that was used by STA 302 to generate the 256 bits long, "public PSK”.
  • AP 340 may perform one or more operations 332, e.g., as described below.
  • AP 340 may determine a public PSK to be used with the STA 302. [00265] In some demonstrative embodiments, AP 340 may use the random text and concatenate it with the MAC address of AP 340 and the MAC address of STA 302, for example, to generate the, e.g., 256-bit long, "public PSK".
  • AP 340 may use the "public PSK", for example, in the same manner as “regular” SAE flow, e.g., using the "public PSK” along with an internal secret to generate additional information, which may be carried within an SAE Authentication Commit message to STA 302.
  • AP 340 may transmit to STA 302 an SAE Authentication Commit message 318 including the random text as well as the "regular" SAE additional info.
  • the SAE Authentication Commit message 318 may include the Challenge Text Element, e.g., element ID 16, including the public-PSK information, e.g., the random text that was used by AP 340 and the STA 302 for generating the public PSK, e.g., the 256 bits long, "public PSK”.
  • AP 340 and/or STA 302 may be configured to complete an SAE key generation process, e.g., as described above.
  • AP 340 and/or STA 302 may exchange confirm messages 322, for example, to coOnfirm the generation of the PMK based on the SAE exchange, e.g., as described above.
  • AP 340 and/or STA 302 may perform a 4-way handshake exchange 324, for example, to determine one or moire security keys based on the PMK, e.g., as described above.
  • AP 340 and/or STA 302 may be able to perform a secure data exchange 326 using the security keys, e.g., as described above.
  • any additional and/or alternative information and/or method may be selected, defined, applied and/or implemented for the "public PSK" generation.
  • a new AKM Suite entry may be configured to use the "public PSK", and/or the public PSK may be used in one or more operations of the flow described above to utilize the SAE mechanism.
  • Fig. 4 schematically illustrates a capability information field 400, which may be implemented in accordance with some demonstrative embodiments.
  • device 140 may transmit a frame including capability information field 400 to device 102 (Fig. 1), for example, to indicate that device 140 (Fig. 1) supports Privacy.
  • capability information field 400 may include a privacy field 402 including a value to indicate that Privacy is supported.
  • Fig. 5 schematically illustrates a challenge text element 500, which may be implemented in accordance with some demonstrative embodiments.
  • device 102 may transmit to device 140 (Fig. 1) an SAE Authentication Commit message, e.g., as described above, including the Challenge Text Element 500, which may be configured to include the public-PSK information to be used for determining the public PSK.
  • SAE Authentication Commit message e.g., as described above, including the Challenge Text Element 500, which may be configured to include the public-PSK information to be used for determining the public PSK.
  • device 140 may transmit to device 102 (Fig. 1) an SAE Authentication Commit message, e.g., as described above, including the Challenge Text Element 500, which may be configured to include the public-PSK information to be used for determining the public PSK.
  • SAE Authentication Commit message e.g., as described above, including the Challenge Text Element 500, which may be configured to include the public-PSK information to be used for determining the public PSK.
  • Challenge Text Element 500 may include a Challenge Text Element field 502 including the public-PSK information.
  • Fig. 6 schematically illustrates a method of securing wireless communication, in accordance with some demonstrative embodiments.
  • a wireless communication system e.g., system 100 (Fig. 1); a wireless communication device, e.g., devices 102 and/or 140 (Fig. 1); a controller, e.g., controllers 124 and/or 154 (Fig. 1); a positioning component, e.g., positioning components 117 and/or 157 (Fig. 1); a location estimator, e.g., location estimator 115 (Fig.
  • a radio e.g., radios 114 and/or 144 (Fig. 1); a message processor, e.g., message processor 128 (Fig. 1) and/or message processor 158 (Fig. 1), a transmitter, e.g., transmitters 118 and/or 148 (Fig. 1); and/or a receiver, e.g., receivers 116 and/or 146 (Fig. 1).
  • the method may include transmitting from a first STA a frame including an indication that the first STA supports Privacy, and an indication that the first STA supports SAE with a PSK mode using a public-PSK.
  • positioning component 157 (Fig. 1) and/or controller 154 (Fig. 1) may control, cause and/or trigger device 140 (Fig. 1) to transmit the frame including the indication that device 140 (Fig. 1) supports Privacy, and the indication that 140 (Fig. 1) supports SAE with the PSK mode using the public-PSK, e.g., as described above.
  • the method may include processing a first SAE Authentication Commit message from a second STA, the first SAE Authentication Commit message including first encrypted information including a secret key of the second STA encrypted according to a SAE encryption mechanism with the public-PSK.
  • positioning component 157 (Fig. 1) and/or controller 154 (Fig. 1) may control, cause and/or trigger device 140 (Fig. 1) to process the first SAE Authentication Commit message from device 102 (Fig. 1), the first SAE Authentication Commit message including the first encrypted information including the secret key of 102 (Fig. 1) encrypted according to the SAE encryption mechanism with the public-PSK, e.g., as described above.
  • the method may include transmitting a second SAE Authentication Commit message to the second STA, the second SAE Authentication Commit message including second encrypted information including a secret key of the first STA encrypted according to the SAE encryption mechanism with the public-PSK.
  • positioning component 157 (Fig. 1) and/or controller 154 (Fig. 1) may control, cause and/or trigger device 140 (Fig. 1) to transmit the second SAE Authentication Commit message to the device 102 (Fig. 1), the second SAE Authentication Commit message including the second encrypted information including the secret key of device 140 (Fig. 1) encrypted according to the SAE encryption mechanism with the public-PSK, e.g., as described above.
  • the method may include generating one or more security keys to secure communication of one or more messages with the second STA based on a PMK, the PMK is based on the first encrypted information and the secret key of the first STA.
  • positioning component 157 (Fig. 1) and/or controller 154 (Fig. 1) may control, cause and/or trigger device 140 (Fig. 1) to generate the one or more security keys to secure the communication of the one or more messages with device 140 (Fig. 1) based on the PMK, which is based on the first encrypted information and the secret key of device 140 (Fig. 1), e.g., as described above.
  • Fig. 7 schematically illustrates a method of securing wireless communication, in accordance with some demonstrative embodiments.
  • a wireless communication system e.g., system 100 (Fig. 1); a wireless communication device, e.g., devices 102 and/or 140 (Fig. 1); a controller, e.g., controllers 124 and/or 154 (Fig. 1); a positioning component, e.g., positioning components 117 and/or 157 (Fig. 1); a location estimator, e.g., location estimator 115 (Fig.
  • a radio e.g., radios 114 and/or 144 (Fig. 1); a message processor, e.g., message processor 128 (Fig. 1) and/or message processor 158 (Fig. 1), a transmitter, e.g., transmitters 118 and/or 148 (Fig. 1); and/or a receiver, e.g., receivers 116 and/or 146 (Fig. 1).
  • the method may include receiving at a first STA a frame from a second STA, the frame including an indication that the second STA supports Privacy, and an indication that the second STA supports SAE with a public PSK mode using a public-PSK.
  • positioning component 117 (Fig. 1) and/or controller 124 (Fig. 1) may control, cause and/or trigger device 102 (Fig. 1) to receive the frame from device 140 (Fig. 1), the frame including the indication that device 140 (Fig. 1) supports Privacy, and the indication that device 140 (Fig. 1) supports SAE with the PSK mode using the public-PSK, e.g., as described above.
  • the method may include transmitting a first SAE Authentication Commit message to the second STA, the first SAE Authentication Commit message including first encrypted information including a secret key of the first STA encrypted according to a SAE encryption mechanism with the public-PSK.
  • positioning component 117 (Fig. 1) and/or controller 124 (Fig. 1) may control, cause and/or trigger device 102 (Fig. 1) to transmit the first SAE Authentication Commit message to 140 (Fig. 1), the first SAE Authentication Commit message including the first encrypted information including the secret key of 102 (Fig. 1) encrypted according to the SAE encryption mechanism with the public-PSK, e.g., as described above.
  • the method may include processing a second SAE Authentication Commit message from the second STA, the second SAE Authentication Commit message including second encrypted information including a secret key of the second STA encrypted according to the SAE encryption mechanism with the public-PSK.
  • positioning component 117 (Fig. 1) and/or controller 124 (Fig. 1) may control, cause and/or trigger device 102 (Fig. 1) to process the second SAE Authentication Commit message from the device 140 (Fig. 1), the second SAE Authentication Commit message including the second encrypted information including the secret key of device 140 (Fig. 1) encrypted according to the SAE encryption mechanism with the public-PSK, e.g., as described above.
  • the method may include generating one or more security keys to secure communication of one or more messages with the second STA based on a PMK, the PMK is based on the second encrypted information and the secret key of the first STA.
  • positioning component 117 (Fig. 1) and/or controller 124 (Fig. 1) may control, cause and/or trigger device 102 (Fig. 1) to generate the one or more security keys to secure the communication of the one or more messages with device 140 (Fig. 1) based on the PMK, which is based on the second encrypted information and the secret key of device 102 (Fig. 1), e.g., as described above.
  • Product 800 may include one or more tangible computer-readable (“machine readable”) non-transitory storage media 802, which may include computer-executable instructions, e.g., implemented by logic 804, operable to, when executed by at least one processor, e.g., computer processor, enable the at least one processor to implement one or more operations at device 102 (Fig. 1), device 140 (Fig. 1), controllers 124 and/or 154 (Fig. 1), positioning components 117 and/or 157 (Fig. 1), location estimator 115 (Fig. 1), radios 114 and/or 144 (Fig. 1), message processor 128 (Fig.
  • non-transitory machine- readable media medium
  • computer-readable non-transitory storage media medium
  • product 800 and/or storage media 802 may include one or more types of computer-readable storage media capable of storing data, including volatile memory, non-volatile memory, removable or non-removable memory, erasable or nonerasable memory, writeable or re-writeable memory, and the like.
  • storage media 1402 may include, RAM, DRAM, Double-Data-Rate DRAM (DDR-DRAM), SDRAM, static RAM (SRAM), ROM, programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), Compact Disk ROM (CD-ROM), Compact Disk Recordable (CD-R), Compact Disk Rewriteable (CD-RW), flash memory (e.g., NOR or NAND flash memory), content addressable memory (CAM), polymer memory, phase- change memory, ferroelectric memory, silicon-oxide-nitride-oxide- silicon (SONOS) memory, a disk, a floppy disk, a hard drive, an optical disk, a magnetic disk, a card, a magnetic card, an optical card, a tape, a cassette, and the like.
  • RAM random access memory
  • DDR-DRAM Double-Data-Rate DRAM
  • SDRAM static RAM
  • ROM read-only memory
  • PROM
  • the computer-readable storage media may include any suitable media involved with downloading or transferring a computer program from a remote computer to a requesting computer carried by data signals embodied in a carrier wave or other propagation medium through a communication link, e.g., a modem, radio or network connection.
  • logic 804 may include instructions, data, and/or code, which, if executed by a machine, may cause the machine to perform a method, process and/or operations as described herein.
  • the machine may include, for example, any suitable processing platform, computing platform, computing device, processing device, computing system, processing system, computer, processor, or the like, and may be implemented using any suitable combination of hardware, software, firmware, and the like.
  • logic 804 may include, or may be implemented as, software, a software module, an application, a program, a subroutine, instructions, an instruction set, computing code, words, values, symbols, and the like.
  • the instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, and the like.
  • the instructions may be implemented according to a predefined computer language, manner or syntax, for instructing a processor to perform a certain function.
  • the instructions may be implemented using any suitable high-level, low-level, object-oriented, visual, compiled and/or interpreted programming language, such as C, C++, Java, BASIC, Matlab, Pascal, Visual BASIC, assembly language, machine code, and the like.
  • Example 1 includes an apparatus comprising logic circuitry configured to cause a first wireless communication station (STA) to transmit a frame comprising an indication that the first STA supports Privacy, and an indication that the first STA supports Secure Authentication of Equals (SAE) with a public Pre-Shared-Key (PSK) mode using a public-PSK; process a first SAE Authentication Commit message from a second STA, the first SAE Authentication Commit message comprising first encrypted information comprising a secret key of the second STA encrypted according to a SAE encryption mechanism with the public-PSK; transmit a second SAE Authentication Commit message to the second STA, the second SAE Authentication Commit message comprising second encrypted information comprising a secret key of the first STA encrypted according to the SAE encryption mechanism with the public-PSK; and generate one or more security keys to secure communication of one or more messages with the second STA based on a Pairwise Master Key (PMK), the PMK is based on the first encrypted information and the secret
  • PMK
  • Example 2 includes the subject matter of Example 1, and optionally, wherein the first SAE Authentication Commit message comprises public-PSK information, the apparatus configured to cause the first STA to determine the public-PSK based on the public-PSK information.
  • Example 3 includes the subject matter of Example 2, and optionally, wherein the public-PSK information comprises a random value.
  • Example 4 includes the subject matter of Example 2 or 3, and optionally, wherein the second SAE Authentication Commit message comprises the public-PSK information.
  • Example 5 includes the subject matter of any one of Examples 2-4, and optionally, wherein the first SAE Authentication Commit message comprises a Challenge Text Element comprising the public-PSK information.
  • Example 6 includes the subject matter of Example 1, and optionally, wherein the frame comprises an indication of the public-PSK.
  • Example 7 includes the subject matter of any one of Examples 1-6, and optionally, wherein the public-PSK is based on at least one of an identifier of the first STA, or an identifier of the second STA.
  • Example 8 includes the subject matter of any one of Examples 1-7, and optionally, wherein the public-PSK is based on at least one of a Medium Access Control (MAC) address of the first STA, or a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 9 includes the subject matter of any one of Examples 1-8, and optionally, wherein the public-PSK is based on random information concatenated by a Medium Access Control (MAC) address of the first STA, and a MAC address of the second STA.
  • Example 10 includes the subject matter of any one of Examples 1-9, and optionally, wherein the frame comprises an Authentication and Key Management (AKM) suite in a Robust Security Network (RSN) Element (RSNE), the AKM suite comprising the indication that the first STA supports SAE using the public PSK mode.
  • AKM Authentication and Key Management
  • RSN Robust Security Network
  • RSNE Robust Security Network
  • Example 11 includes the subject matter of any one of Examples 1-10, and optionally, wherein the SAE encryption mechanism comprises a Diffie-Hellman encryption mechanism.
  • Example 12 includes the subject matter of any one of Examples 1-11, and optionally, wherein the frame comprises a probe response or a beacon.
  • Example 13 includes the subject matter of any one of Examples 1-12, and optionally, wherein the first STA comprises an Access Point (AP) STA.
  • Example 14 includes the subject matter of any one of Examples 1-13, and optionally, wherein the one or more messages comprise one or more Fine Timing Measurement (FTM) messages.
  • FTM Fine Timing Measurement
  • Example 15 includes the subject matter of any one of Examples 1-14, and optionally, comprising a radio, one or more antennas, a memory and a processor.
  • Example 16 includes a system of wireless communication comprising a first wireless communication station (STA), the first STA comprising one or more antennas; a radio; a memory; a processor; and a controller configured to cause the first STA to transmit a frame comprising an indication that the first STA supports Privacy, and an indication that the first STA supports Secure Authentication of Equals (SAE) with a public Pre-Shared-Key (PSK) mode using a public-PSK; process a first SAE Authentication Commit message from a second STA, the first SAE Authentication Commit message comprising first encrypted information comprising a secret key of the second STA encrypted according to a SAE encryption mechanism with the public-PSK; transmit a second SAE Authentication Commit message to the second STA, the second SAE Authentication Commit message comprising second
  • Example 17 includes the subject matter of Example 16, and optionally, wherein the first SAE Authentication Commit message comprises public-PSK information, the controller is configured to cause the first STA to determine the public-PSK based on the public-PSK information.
  • Example 18 includes the subject matter of Example 17, and optionally, wherein the public-PSK information comprises a random value.
  • Example 19 includes the subject matter of Example 17 or 18, and optionally, wherein the second SAE Authentication Commit message comprises the public-PSK information.
  • Example 20 includes the subject matter of any one of Examples 17-19, and optionally, wherein the first SAE Authentication Commit message comprises a Challenge Text Element comprising the public-PSK information.
  • Example 21 includes the subject matter of Example 16, and optionally, wherein the frame comprises an indication of the public-PSK.
  • Example 22 includes the subject matter of any one of Examples 16-21, and optionally, wherein the public-PSK is based on at least one of an identifier of the first STA, or an identifier of the second STA.
  • Example 23 includes the subject matter of any one of Examples 16-22, and optionally, wherein the public-PSK is based on at least one of a Medium Access Control (MAC) address of the first STA, or a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 24 includes the subject matter of any one of Examples 16-23, and optionally, wherein the public-PSK is based on random information concatenated by a Medium Access Control (MAC) address of the first STA, and a MAC address of the second STA.
  • Example 25 includes the subject matter of any one of Examples 16-24, and optionally, wherein the frame comprises an Authentication and Key Management (AKM) suite in a Robust Security Network (RSN) Element (RSNE), the AKM suite comprising the indication that the first STA supports SAE using the public PSK mode.
  • AKM Authentication and Key Management
  • RSN Robust Security Network
  • RSNE Robust Security Network
  • Example 26 includes the subject matter of any one of Examples 16-25, and optionally, wherein the SAE encryption mechanism comprises a Diffie-Hellman encryption mechanism.
  • Example 27 includes the subject matter of any one of Examples 16-26, and optionally, wherein the frame comprises a probe response or a beacon.
  • Example 28 includes the subject matter of any one of Examples 16-27, and optionally, wherein the first STA comprises an Access Point (AP) STA.
  • AP Access Point
  • Example 29 includes the subject matter of any one of Examples 16-28, and optionally, wherein the one or more messages comprise one or more Fine Timing Measurement (FTM) messages.
  • FTM Fine Timing Measurement
  • Example 30 includes a method to be performed at a first wireless communication station (STA), the method comprising transmitting a frame comprising an indication that the first STA supports Privacy, and an indication that the first STA supports Secure Authentication of Equals (SAE) with a public Pre-Shared-Key (PSK) mode using a public-PSK; processing a first SAE Authentication Commit message from a second STA, the first SAE Authentication Commit message comprising first encrypted information comprising a secret key of the second STA encrypted according to a SAE encryption mechanism with the public-PSK; transmitting a second SAE Authentication Commit message to the second STA, the second SAE Authentication Commit message comprising second encrypted information comprising a secret key of the first STA encrypted according to the SAE encryption mechanism with the public-PSK; and generating one or more security keys to secure communication of one or more messages with the second STA based on a Pairwise Master Key (PMK), the PMK is based on the first encrypted information
  • PMK
  • Example 32 includes the subject matter of Example 31, and optionally, wherein the public-PSK information comprises a random value.
  • Example 33 includes the subject matter of Example 31 or 32, and optionally, wherein the second SAE Authentication Commit message comprises the public-PSK information.
  • Example 34 includes the subject matter of any one of Examples 31-33, and optionally, wherein the first SAE Authentication Commit message comprises a Challenge Text Element comprising the public-PSK information.
  • Example 35 includes the subject matter of Example 30, and optionally, wherein the frame comprises an indication of the public-PSK.
  • Example 36 includes the subject matter of any one of Examples 30-35, and optionally, wherein the public-PSK is based on at least one of an identifier of the first STA, or an identifier of the second STA.
  • Example 37 includes the subject matter of any one of Examples 30-36, and optionally, wherein the public-PSK is based on at least one of a Medium Access Control (MAC) address of the first STA, or a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 38 includes the subject matter of any one of Examples 30-37, and optionally, wherein the public-PSK is based on random information concatenated by a Medium Access Control (MAC) address of the first STA, and a MAC address of the second STA.
  • Example 39 includes the subject matter of any one of Examples 30-38, and optionally, wherein the frame comprises an Authentication and Key Management (AKM) suite in a Robust Security Network (RSN) Element (RSNE), the AKM suite comprising the indication that the first STA supports SAE using the public PSK mode.
  • AKM Authentication and Key Management
  • RSN Robust Security Network
  • RSNE Robust Security Network
  • Example 40 includes the subject matter of any one of Examples 30-39, and optionally, wherein the SAE encryption mechanism comprises a Diffie-Hellman encryption mechanism.
  • Example 41 includes the subject matter of any one of Examples 30-40, and optionally, wherein the frame comprises a probe response or a beacon.
  • Example 42 includes the subject matter of any one of Examples 30-41, and optionally, wherein the first STA comprises an Access Point (AP) STA.
  • Example 43 includes the subject matter of any one of Examples 30-42, and optionally, wherein the one or more messages comprise one or more Fine Timing Measurement (FTM) messages.
  • FTM Fine Timing Measurement
  • Example 44 includes a product comprising one or more tangible computer-readable non-transitory storage media comprising computer-executable instructions operable to, when executed by at least one processor, enable the at least one processor to cause a first wireless communication station (STA) to transmit a frame comprising an indication that the first STA supports Privacy, and an indication that the first STA supports Secure Authentication of Equals (SAE) with a public Pre-Shared-Key (PSK) mode using a public-PSK; process a first SAE Authentication Commit message from a second STA, the first SAE Authentication Commit message comprising first encrypted information comprising a secret key of the second STA encrypted according to a SAE encryption mechanism with the public-PSK; transmit a second SAE Authentication Commit message to the second STA, the second SAE Authentication Commit message comprising second encrypted information comprising a secret key of the first STA encrypted according to the SAE encryption mechanism with the public-PSK; and generate one or more security keys to secure communication
  • STA
  • Example 45 includes the subject matter of Example 44, and optionally, wherein the first SAE Authentication Commit message comprises public-PSK information, the instructions, when executed, cause the first STA to determine the public-PSK based on the public-PSK information.
  • Example 46 includes the subject matter of Example 45, and optionally, wherein the public-PSK information comprises a random value.
  • Example 47 includes the subject matter of Example 45 or 46, and optionally, wherein the second SAE Authentication Commit message comprises the public-PSK information.
  • Example 48 includes the subject matter of any one of Examples 45-47, and optionally, wherein the first SAE Authentication Commit message comprises a Challenge Text Element comprising the public-PSK information.
  • Example 49 includes the subject matter of Example 44, and optionally, wherein the frame comprises an indication of the public-PSK.
  • Example 50 includes the subject matter of any one of Examples 44-49, and optionally, wherein the public-PSK is based on at least one of an identifier of the first STA, or an identifier of the second STA.
  • Example 51 includes the subject matter of any one of Examples 44-50, and optionally, wherein the public-PSK is based on at least one of a Medium Access Control (MAC) address of the first STA, or a MAC address of the second STA.
  • Example 52 includes the subject matter of any one of Examples 44-51, and optionally, wherein the public-PSK is based on random information concatenated by a Medium Access Control (MAC) address of the first STA, and a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 53 includes the subject matter of any one of Examples 44-52, and optionally, wherein the frame comprises an Authentication and Key Management (AKM) suite in a Robust Security Network (RSN) Element (RSNE), the AKM suite comprising the indication that the first STA supports SAE using the public PSK mode.
  • AKM Authentication and Key Management
  • RSN Robust Security Network
  • RSNE Robust Security Network
  • Example 54 includes the subject matter of any one of Examples 44-53, and optionally, wherein the SAE encryption mechanism comprises a Diffie-Hellman encryption mechanism.
  • Example 55 includes the subject matter of any one of Examples 44-54, and optionally, wherein the frame comprises a probe response or a beacon.
  • Example 56 includes the subject matter of any one of Examples 44-55, and optionally, wherein the first STA comprises an Access Point (AP) STA.
  • AP Access Point
  • Example 57 includes the subject matter of any one of Examples 44-56, and optionally, wherein the one or more messages comprise one or more Fine Timing Measurement (FTM) messages.
  • FTM Fine Timing Measurement
  • Example 58 includes an apparatus of wireless communication by a first wireless communication station (STA), the apparatus comprising means for transmitting a frame comprising an indication that the first STA supports Privacy, and an indication that the first STA supports Secure Authentication of Equals (SAE) with a public Pre-Shared-Key (PSK) mode using a public-PSK; means for processing a first SAE Authentication Commit message from a second STA, the first SAE Authentication Commit message comprising first encrypted information comprising a secret key of the second STA encrypted according to a SAE encryption mechanism with the public-PSK; means for transmitting a second SAE Authentication Commit message to the second STA, the second SAE Authentication Commit message comprising second encrypted information comprising a secret key of the first STA encrypted according to the SAE encryption mechanism with the public-PSK; and means for generating one or more security keys to secure communication of one or more messages with the second STA based on a Pairwise Master Key (PMK), the PMK
  • PMK
  • Example 60 includes the subject matter of Example 59, and optionally, wherein the public-PSK information comprises a random value.
  • Example 61 includes the subject matter of Example 59 or 60, and optionally, wherein the second SAE Authentication Commit message comprises the public-PSK information.
  • Example 62 includes the subject matter of any one of Examples 59-61, and optionally, wherein the first SAE Authentication Commit message comprises a Challenge Text Element comprising the public-PSK information.
  • Example 63 includes the subject matter of Example 58, and optionally, wherein the frame comprises an indication of the public-PSK.
  • Example 64 includes the subject matter of any one of Examples 58-63, and optionally, wherein the public-PSK is based on at least one of an identifier of the first STA, or an identifier of the second STA.
  • Example 65 includes the subject matter of any one of Examples 58-64, and optionally, wherein the public-PSK is based on at least one of a Medium Access Control (MAC) address of the first STA, or a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 66 includes the subject matter of any one of Examples 58-65, and optionally, wherein the public-PSK is based on random information concatenated by a Medium Access Control (MAC) address of the first STA, and a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 67 includes the subject matter of any one of Examples 58-66, and optionally, wherein the frame comprises an Authentication and Key Management (AKM) suite in a Robust Security Network (RSN) Element (RSNE), the AKM suite comprising the indication that the first STA supports SAE using the public PSK mode.
  • AKM Authentication and Key Management
  • RSN Robust Security Network
  • RSNE Robust Security Network
  • Example 68 includes the subject matter of any one of Examples 58-67, and optionally, wherein the SAE encryption mechanism comprises a Diffie-Hellman encryption mechanism.
  • Example 69 includes the subject matter of any one of Examples 58-68, and optionally, wherein the frame comprises a probe response or a beacon.
  • Example 70 includes the subject matter of any one of Examples 58-69, and optionally, wherein the first STA comprises an Access Point (AP) STA.
  • AP Access Point
  • Example 71 includes the subject matter of any one of Examples 58-70, and optionally, wherein the one or more messages comprise one or more Fine Timing Measurement (FTM) messages.
  • FTM Fine Timing Measurement
  • Example 72 includes an apparatus comprising logic circuitry configured to cause a first wireless communication station (STA) to receive a frame from a second STA, the frame comprising an indication that the second STA supports Privacy, and an indication that the second STA supports Secure Authentication of Equals (SAE) with a public Pre-Shared-Key (PSK) mode using a public-PSK; transmit a first SAE Authentication Commit message to the second STA, the first SAE Authentication Commit message comprising first encrypted information comprising a secret key of the first STA encrypted according to a SAE encryption mechanism with the public-PSK; process a second SAE Authentication Commit message from the second STA, the second SAE Authentication Commit message comprising second encrypted information comprising a secret key of the second STA encrypted according to the SAE encryption mechanism with the public-PSK; and generate one or more security keys to secure communication of one or more messages with the second STA based on a Pairwise Master Key (PMK), the PMK is based
  • Example 73 includes the subject matter of Example 72, and optionally, wherein the first SAE Authentication Commit message comprises public-PSK information, the apparatus configured to cause the first STA to determine the public-PSK based on the public-PSK information.
  • Example 74 includes the subject matter of Example 73, and optionally, wherein the public-PSK information comprises a random value.
  • Example 75 includes the subject matter of Example 73 or 74, and optionally, wherein the second SAE Authentication Commit message comprises the public-PSK information.
  • Example 76 includes the subject matter of any one of Examples 73-75, and optionally, wherein the first SAE Authentication Commit message comprises a Challenge Text Element comprising the public-PSK information.
  • Example 77 includes the subject matter of Example 72, and optionally, wherein the frame comprises an indication of the public-PSK, the apparatus configured to cause the first STA to determine the public-PSK based on the indication of the public-PSK.
  • Example 78 includes the subject matter of any one of Examples 72-77, and optionally, wherein the public-PSK is based on at least one of an identifier of the first STA, or an identifier of the second STA.
  • Example 79 includes the subject matter of any one of Examples 72-78, and optionally, wherein the public-PSK is based on at least one of a Medium Access Control (MAC) address of the first STA, or a MAC address of the second STA.
  • Example 80 includes the subject matter of any one of Examples 72-79, and optionally, wherein the public-PSK is based on random information concatenated by a Medium Access Control (MAC) address of the first STA, and a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 81 includes the subject matter of any one of Examples 72-80, and optionally, wherein the frame comprises an Authentication and Key Management (AKM) suite in a Robust Security Network (RSN) Element (RSNE), the AKM suite comprising the indication that the second STA supports SAE using the public PSK mode.
  • AKM Authentication and Key Management
  • RSN Robust Security Network
  • RSNE Robust Security Network
  • Example 82 includes the subject matter of any one of Examples 72-81, and optionally, wherein the SAE encryption mechanism comprises a Diffie-Hellman encryption mechanism.
  • Example 83 includes the subject matter of any one of Examples 72-82, and optionally, wherein the frame comprises a probe response or a beacon.
  • Example 84 includes the subject matter of any one of Examples 72-83, and optionally, wherein the first STA comprises a non-Access Point (non-AP) STA, and the second STA comprises an AP STA.
  • non-AP non-Access Point
  • Example 85 includes the subject matter of any one of Examples 72-84, and optionally, wherein the one or more messages comprise one or more Fine Timing Measurement (FTM) messages.
  • FTM Fine Timing Measurement
  • Example 86 includes the subject matter of any one of Examples 72-85, and optionally, comprising a radio, one or more antennas, a memory and a processor.
  • Example 87 includes a system of wireless communication comprising a first wireless communication station (STA), the first STA comprising one or more antennas; a radio; a memory; a processor; and a controller configured to cause the first STA to receive a frame from a second STA, the frame comprising an indication that the second STA supports Privacy, and an indication that the second STA supports Secure Authentication of Equals (SAE) with a public Pre-Shared-Key (PSK) mode using a public-PSK; transmit a first SAE Authentication Commit message to the second STA, the first SAE Authentication Commit message comprising first encrypted information comprising a secret key of the first STA encrypted according to a SAE encryption mechanism with the public-PSK; process a second SAE Authentication Commit message from the second STA, the second SAE Authentication Commit message comprising second encrypted information comprising a secret key of the second STA encrypted according to the SAE encryption mechanism with the public-PSK; and generate one or more
  • Example 88 includes the subject matter of Example 87, and optionally, wherein the first SAE Authentication Commit message comprises public-PSK information, the controller is configured to cause the first STA to determine the public-PSK based on the public-PSK information.
  • Example 89 includes the subject matter of Example 88, and optionally, wherein the public-PSK information comprises a random value.
  • Example 90 includes the subject matter of Example 88 or 89, and optionally, wherein the second SAE Authentication Commit message comprises the public-PSK information.
  • Example 91 includes the subject matter of any one of Examples 88-90, and optionally, wherein the first SAE Authentication Commit message comprises a Challenge Text Element comprising the public-PSK information.
  • Example 92 includes the subject matter of Example 87, and optionally, wherein the frame comprises an indication of the public-PSK, the controller is configured to cause the first STA to determine the public-PSK based on the indication of the public-PSK.
  • Example 93 includes the subject matter of any one of Examples 87-92, and optionally, wherein the public-PSK is based on at least one of an identifier of the first STA, or an identifier of the second STA.
  • Example 94 includes the subject matter of any one of Examples 87-93, and optionally, wherein the public-PSK is based on at least one of a Medium Access Control (MAC) address of the first STA, or a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 95 includes the subject matter of any one of Examples 87-94, and optionally, wherein the public-PSK is based on random information concatenated by a Medium Access Control (MAC) address of the first STA, and a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 96 includes the subject matter of any one of Examples 87-95, and optionally, wherein the frame comprises an Authentication and Key Management (AKM) suite in a Robust Security Network (RSN) Element (RSNE), the AKM suite comprising the indication that the second STA supports SAE using the public PSK mode.
  • AKM Authentication and Key Management
  • RSN Robust Security Network
  • RSNE Robust Security Network
  • Example 97 includes the subject matter of any one of Examples 87-96, and optionally, wherein the SAE encryption mechanism comprises a Diffie-Hellman encryption mechanism.
  • Example 98 includes the subject matter of any one of Examples 87-97, and optionally, wherein the frame comprises a probe response or a beacon.
  • Example 99 includes the subject matter of any one of Examples 87-98, and optionally, wherein the first STA comprises a non-Access Point (non-AP) STA, and the second STA comprises an AP STA.
  • non-AP non-Access Point
  • Example 100 includes the subject matter of any one of Examples 87-99, and optionally, wherein the one or more messages comprise one or more Fine Timing Measurement (FTM) messages.
  • FTM Fine Timing Measurement
  • Example 101 includes a method to be performed at a first wireless communication station (STA), the method comprising receiving a frame from a second STA, the frame comprising an indication that the second STA supports Privacy, and an indication that the second STA supports Secure Authentication of Equals (SAE) with a public Pre-Shared-Key (PSK) mode using a public-PSK; transmitting a first SAE Authentication Commit message to the second STA, the first SAE Authentication Commit message comprising first encrypted information comprising a secret key of the first STA encrypted according to a SAE encryption mechanism with the public-PSK; processing a second SAE Authentication Commit message from the second STA, the second SAE Authentication Commit message comprising second encrypted information comprising a secret key of the second STA encrypted according to the SAE encryption mechanism with the public-PSK; and generating one or more security keys to secure communication of one or more messages with the second STA based on a Pairwise Master Key (PMK), the PMK is
  • SAE
  • Example 102 includes the subject matter of Example 101, and optionally, wherein the first SAE Authentication Commit message comprises public-PSK information, the method comprising determining the public-PSK based on the public-PSK information.
  • Example 103 includes the subject matter of Example 102, and optionally, wherein the public-PSK information comprises a random value.
  • Example 104 includes the subject matter of Example 102 or 103, and optionally, wherein the second SAE Authentication Commit message comprises the public-PSK information.
  • Example 105 includes the subject matter of any one of Examples 102-104, and optionally, wherein the first SAE Authentication Commit message comprises a Challenge Text Element comprising the public-PSK information.
  • Example 106 includes the subject matter of Example 101, and optionally, wherein the frame comprises an indication of the public-PSK, the method comprising determining the public- PSK based on the indication of the public-PSK.
  • Example 107 includes the subject matter of any one of Examples 101-106, and optionally, wherein the public-PSK is based on at least one of an identifier of the first STA, or an identifier of the second STA.
  • Example 108 includes the subject matter of any one of Examples 101-107, and optionally, wherein the public-PSK is based on at least one of a Medium Access Control (MAC) address of the first STA, or a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 109 includes the subject matter of any one of Examples 101-108, and optionally, wherein the public-PSK is based on random information concatenated by a Medium Access Control (MAC) address of the first STA, and a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 110 includes the subject matter of any one of Examples 101-109, and optionally, wherein the frame comprises an Authentication and Key Management (AKM) suite in a Robust Security Network (RSN) Element (RSNE), the AKM suite comprising the indication that the second STA supports SAE using the public PSK mode.
  • Example 111 includes the subject matter of any one of Examples 101-110, and optionally, wherein the SAE encryption mechanism comprises a Diffie-Hellman encryption mechanism.
  • Example 112 includes the subject matter of any one of Examples 101-111, and optionally, wherein the frame comprises a probe response or a beacon.
  • Example 113 includes the subject matter of any one of Examples 101-112, and optionally, wherein the first STA comprises a non-Access Point (non-AP) STA, and the second STA comprises an AP STA.
  • non-AP non-Access Point
  • Example 114 includes the subject matter of any one of Examples 101-113, and optionally, wherein the one or more messages comprise one or more Fine Timing Measurement (FTM) messages.
  • FTM Fine Timing Measurement
  • Example 115 includes a product comprising one or more tangible computer-readable non-transitory storage media comprising computer-executable instructions operable to, when executed by at least one processor, enable the at least one processor to cause a first wireless communication station (STA) to receive a frame from a second STA, the frame comprising an indication that the second STA supports Privacy, and an indication that the second STA supports Secure Authentication of Equals (SAE) with a public Pre-Shared-Key (PSK) mode using a public-PSK; transmit a first SAE Authentication Commit message to the second STA, the first SAE Authentication Commit message comprising first encrypted information comprising a secret key of the first STA encrypted according to a SAE encryption mechanism with the public- PSK; process a second SAE Authentication Commit message from the second STA, the second SAE Authentication Commit message comprising second encrypted information comprising a secret key of the second STA encrypted according to the SAE encryption mechanism with the public-PSK; and generate
  • Example 116 includes the subject matter of Example 115, and optionally, wherein the first SAE Authentication Commit message comprises public-PSK information, the instructions, when executed, cause the first STA to determine the public-PSK based on the public-PSK information.
  • Example 117 includes the subject matter of Example 116, and optionally, wherein the public-PSK information comprises a random value.
  • Example 118 includes the subject matter of Example 116 or 117, and optionally, wherein the second SAE Authentication Commit message comprises the public-PSK information.
  • Example 119 includes the subject matter of any one of Examples 116-118, and optionally, wherein the first SAE Authentication Commit message comprises a Challenge Text Element comprising the public-PSK information.
  • Example 120 includes the subject matter of Example 115, and optionally, wherein the frame comprises an indication of the public-PSK, the instructions, when executed, cause the first STA to determine the public-PSK based on the indication of the public-PSK.
  • Example 121 includes the subject matter of any one of Examples 115-120, and optionally, wherein the public-PSK is based on at least one of an identifier of the first STA, or an identifier of the second STA.
  • Example 122 includes the subject matter of any one of Examples 115-121, and optionally, wherein the public-PSK is based on at least one of a Medium Access Control (MAC) address of the first STA, or a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 123 includes the subject matter of any one of Examples 115-122, and optionally, wherein the public-PSK is based on random information concatenated by a Medium Access Control (MAC) address of the first STA, and a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 124 includes the subject matter of any one of Examples 115-123, and optionally, wherein the frame comprises an Authentication and Key Management (AKM) suite in a Robust Security Network (RSN) Element (RSNE), the AKM suite comprising the indication that the second STA supports SAE using the public PSK mode.
  • AKM Authentication and Key Management
  • RSN Robust Security Network
  • RSNE Robust Security Network
  • Example 125 includes the subject matter of any one of Examples 115-124, and optionally, wherein the SAE encryption mechanism comprises a Diffie-Hellman encryption mechanism.
  • Example 126 includes the subject matter of any one of Examples 115-125, and optionally, wherein the frame comprises a probe response or a beacon.
  • Example 127 includes the subject matter of any one of Examples 115-126, and optionally, wherein the first STA comprises a non-Access Point (non-AP) STA, and the second STA comprises an AP STA.
  • Example 128 includes the subject matter of any one of Examples 115-127, and optionally, wherein the one or more messages comprise one or more Fine Timing Measurement (FTM) messages.
  • FTM Fine Timing Measurement
  • Example 129 includes an apparatus of wireless communication by a first wireless communication station (STA), the apparatus comprising means for receiving a frame from a second STA, the frame comprising an indication that the second STA supports Privacy, and an indication that the second STA supports Secure Authentication of Equals (SAE) with a public Pre-Shared-Key (PSK) mode using a public-PSK; means for transmitting a first SAE Authentication Commit message to the second STA, the first SAE Authentication Commit message comprising first encrypted information comprising a secret key of the first STA encrypted according to a SAE encryption mechanism with the public-PSK; means for processing a second SAE Authentication Commit message from the second STA, the second SAE Authentication Commit message comprising second encrypted information comprising a secret key of the second STA encrypted according to the SAE encryption mechanism with the public - PSK; and means for generating one or more security keys to secure communication of one or more messages with the second STA based on a Pairwise Master
  • Example 130 includes the subject matter of Example 129, and optionally, wherein the first SAE Authentication Commit message comprises public-PSK information, the apparatus comprising means for determining the public-PSK based on the public-PSK information.
  • Example 131 includes the subject matter of Example 130, and optionally, wherein the public-PSK information comprises a random value.
  • Example 132 includes the subject matter of Example 130 or 131, and optionally, wherein the second SAE Authentication Commit message comprises the public-PSK information.
  • Example 133 includes the subject matter of any one of Examples 130-132, and optionally, wherein the first SAE Authentication Commit message comprises a Challenge Text Element comprising the public-PSK information.
  • Example 134 includes the subject matter of Example 129, and optionally, wherein the frame comprises an indication of the public-PSK, the apparatus comprising means for determining the public-PSK based on the indication of the public-PSK.
  • Example 135 includes the subject matter of any one of Examples 129-134, and optionally, wherein the public-PSK is based on at least one of an identifier of the first STA, or an identifier of the second STA.
  • Example 136 includes the subject matter of any one of Examples 129-135, and optionally, wherein the public-PSK is based on at least one of a Medium Access Control (MAC) address of the first STA, or a MAC address of the second STA.
  • MAC Medium Access Control
  • Example 137 includes the subject matter of any one of Examples 129-136, and optionally, wherein the public-PSK is based on random information concatenated by a Medium Access Control (MAC) address of the first STA, and a MAC address of the second STA.
  • Example 138 includes the subject matter of any one of Examples 129-137, and optionally, wherein the frame comprises an Authentication and Key Management (AKM) suite in a Robust Security Network (RSN) Element (RSNE), the AKM suite comprising the indication that the second STA supports SAE using the public PSK mode.
  • AKM Authentication and Key Management
  • RSN Robust Security Network
  • RSNE Robust Security Network
  • Example 139 includes the subject matter of any one of Examples 129-138, and optionally, wherein the SAE encryption mechanism comprises a Diffie-Hellman encryption mechanism.
  • Example 140 includes the subject matter of any one of Examples 129-139, and optionally, wherein the frame comprises a probe response or a beacon.
  • Example 141 includes the subject matter of any one of Examples 129-140, and optionally, wherein the first STA comprises a non-Access Point (non-AP) STA, and the second STA comprises an AP STA.
  • non-AP non-Access Point
  • Example 142 includes the subject matter of any one of Examples 129-141, and optionally, wherein the one or more messages comprise one or more Fine Timing Measurement (FTM) messages.
  • FTM Fine Timing Measurement

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Selon la présente invention, par exemple, une première STA peut être configurée pour transmettre une trame comprenant une indication que la première STA prend en charge la confidentialité, et une SAE avec un mode PSK public utilisant un PSK public; pour traiter un premier message de validation d'authentification SAE d'une seconde STA comprenant des premières informations chiffrées comprenant une clé secrète de la seconde STA cryptée selon un mécanisme de chiffrement SAE avec le PSK public; pour transmettre un second message de validation d'authentification SAE à la seconde STA comprenant des secondes informations chiffrées comprenant une clé secrète de la première STA cryptée selon le mécanisme de chiffrement SAE avec le PSK public; et pour générer une ou de plusieurs clés de sécurité pour sécuriser la communication d'un ou de plusieurs messages avec la seconde STA sur la base d'un PMK, qui est basé sur les premières informations chiffrées et la clé secrète de la première STA.
PCT/US2018/022337 2017-03-15 2018-03-14 Appareil, système et procédé de sécurisation de communication sans fil WO2018170061A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201762471481P 2017-03-15 2017-03-15
US62/471,481 2017-03-15

Publications (1)

Publication Number Publication Date
WO2018170061A1 true WO2018170061A1 (fr) 2018-09-20

Family

ID=63522594

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2018/022337 WO2018170061A1 (fr) 2017-03-15 2018-03-14 Appareil, système et procédé de sécurisation de communication sans fil

Country Status (1)

Country Link
WO (1) WO2018170061A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210350320A1 (en) * 2018-09-27 2021-11-11 Intel Corporation Automated delivery device and method for delivering a package
US11523277B2 (en) * 2019-06-14 2022-12-06 Samsung Electronics Co., Ltd. Method of dynamically provisioning a key for authentication in relay device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080063204A1 (en) * 2006-09-07 2008-03-13 Motorola, Inc. Method and system for secure processing of authentication key material in an ad hoc wireless network
WO2014035606A1 (fr) * 2012-08-29 2014-03-06 Qualcomm Incorporated Brouillage d'une adresse mac
US20150071443A1 (en) * 2013-09-10 2015-03-12 Qualcomm Incorporated Systems and methods for fast initial link setup security optimizations for psk & sae security modes
US9344895B2 (en) * 2012-09-18 2016-05-17 Huizhou TC Mobile Communication Co., Ltd Method and system for securely accessing portable hotspot for intelligent mobile phones
WO2016074707A1 (fr) * 2014-11-12 2016-05-19 Nokia Solutions And Networks Oy Procédé, appareil, et système

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080063204A1 (en) * 2006-09-07 2008-03-13 Motorola, Inc. Method and system for secure processing of authentication key material in an ad hoc wireless network
WO2014035606A1 (fr) * 2012-08-29 2014-03-06 Qualcomm Incorporated Brouillage d'une adresse mac
US9344895B2 (en) * 2012-09-18 2016-05-17 Huizhou TC Mobile Communication Co., Ltd Method and system for securely accessing portable hotspot for intelligent mobile phones
US20150071443A1 (en) * 2013-09-10 2015-03-12 Qualcomm Incorporated Systems and methods for fast initial link setup security optimizations for psk & sae security modes
WO2016074707A1 (fr) * 2014-11-12 2016-05-19 Nokia Solutions And Networks Oy Procédé, appareil, et système

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210350320A1 (en) * 2018-09-27 2021-11-11 Intel Corporation Automated delivery device and method for delivering a package
US11523277B2 (en) * 2019-06-14 2022-12-06 Samsung Electronics Co., Ltd. Method of dynamically provisioning a key for authentication in relay device

Similar Documents

Publication Publication Date Title
US9763046B2 (en) Apparatus, system and method of Fine Timing Measurement (FTM)
US20160286395A1 (en) Apparatus, system and method of securing communication between wireless devices
CN108271187B (zh) 执行飞行时间(ToF)测量的装置、系统和方法
US9913109B2 (en) Apparatus, system and method of NAN multicast group
EP2995066B1 (fr) Appareil et procede de configuration d'un groupe poste a poste (p2p) de plateforme de services d'application (asp)
US10009430B2 (en) Apparatus, system and method of fine timing measurement (FTM)
US10212630B2 (en) Apparatus, system and method of fast basic service set (BSS) transition (FT)
US11943824B2 (en) Apparatus, system and method of transmitting a multiple basic service set identifier (BSSID) element
US20150195710A1 (en) Apparatus, method and system of obfuscating a wireless communication network identifier
US20210120586A1 (en) Apparatus, system and method of communicating a multi-link element
US20180359633A1 (en) Neighbor Awareness Networking Device Pairing
US11343696B2 (en) Apparatus, system and method of ranging measurement with secure long training field (LTF)
US11089167B2 (en) Apparatus, system and method of internet connectivity via a relay station
US20150173109A1 (en) Apparatus, method and system of communicating via an application service platform (asp) session
WO2018170061A1 (fr) Appareil, système et procédé de sécurisation de communication sans fil
WO2019045765A1 (fr) Appareil, système et procédé de communication de réseau sensible au voisinage (nan) sécurisé
US9763124B2 (en) Apparatus, system and method of performing a wireless association
WO2014182270A1 (fr) Appareil, système et procédé de communication d'informations de localisation pour une estimation de position
EP3498027B1 (fr) Trame de refus d'envoi pour accès par canaux multiples
US20230308506A1 (en) Apparatus, system, and method of peer-to-peer (p2p) communication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18767534

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18767534

Country of ref document: EP

Kind code of ref document: A1