
US008817990B2

(12) United States Patent
(10) Patent No.: US 8,817,990 B2
Oba
(45) Date of Patent: Aug. 26, 2014

(54) KERBERIZED HANDOVER KEYING IMPROVEMENTS

(75) Inventor: Yoshihiro Oba, Englewood Cliffs, NJ (US)

(73) Assignees: Toshiba America Research, Inc., Washington, DC (US); Telcordia Technologies, Inc., Piscataway, NJ (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 621 days.

(21) Appl. No.: 11/972,457

(22) Filed: Jan. 10, 2008

(65) Prior Publication Data: US 2008/0212783 A1, Sep. 4, 2008

Related U.S. Application Data
(60) Provisional application No. 60/892,532, filed on Mar. 1, 2007.

(51) Int. Cl.: H04L 9/[illegible] (….01); H04L 9/32 (2006.01); G06F 7/04 (2006.01); G06F 15/16 (2006.01); G06F 17/30 (2006.01); G06F 21/33 (2013.01)

(52) U.S. Cl.: CPC H04L 63/0807 (2013.01); H04L 9/321 (2013.01); H04L 9/3213 (2013.01); G06F 21/335 (2013.01). USPC 380/279; 713/156; 715/[illegible]; 726/16

(58) Field of Classification Search: CPC .....

(56) References Cited

U.S. PATENT DOCUMENTS
2002/0147820 A1* 10/2002 Yokote ..... 709/229
2004/0066764 A1 4/2004 Kool et al.
(Continued)

FOREIGN PATENT DOCUMENTS
CA 2 675961 A1 2008
JP 2007-528666 A 10/2007
(Continued)

OTHER PUBLICATIONS
Tschofenig, H. et al., "Bootstrapping Kerberos", Jul. 12, 2004, PANA Working Group, Internet Draft, retrieved from "http://tools.ietf.org/html/draft-tschofenig-pana-bootstrap-kerberos-00".*
(Continued)

Primary Examiner: Evans Desrosiers
Assistant Examiner: Daniel Potratz
(74) Attorney, Agent, or Firm: Westerman, Hattori, Daniels & Adrian, LLP

(57) ABSTRACT

A media-independent handover key management architecture is disclosed that uses Kerberos for secure key distribution among a server, an authenticator, and a mobile node. In the preferred embodiments, signaling for key distribution is based on re-keying and is decoupled from re-authentication that requires EAP (Extensible Authentication Protocol) and AAA (Authentication, Authorization and Accounting) signaling similar to initial network access authentication. In this framework, the mobile node is able to obtain master session keys required for dynamically establishing the security associations with a set of authenticators without communicating with them before handover. By separating re-key operation from re-authentication, the proposed architecture is more optimized for a proactive mode of operation. It can also be

FIG. 16: Example relationship between AAA domain and Kerberos realms. AAA domain "mydomain.com"; Kerberos realms "rmydomain.com" and "2mydomain.com".

FIG. 17: EAP-EXT message format with Kerberos bootstrapping capability. Fields (octet widths as labelled in the figure: 1, 1, [illegible], 1): Code, Identifier, Length, TLVs (optional). Capabilities: bit 0, 'R' bit (re-authentication); bit 1, 'C' bit (channel binding); bit 2, 'K' bit (Kerberos).

FIG. 18: Kerberos bootstrapping sequence between MN (EAP peer/client) and EAP server: EAP-Request/EAP-EXT (K=1, Method); EAP-Response/EAP-EXT (K=1, Method); EAP-Request/EAP-EXT (K=1, KRB-BOOT, AUTH); EAP-Response/EAP-EXT (K=1, KRB-BOOT, AUTH); EAP-Success.

FIG. 15 (reactive mode): only the caption survives.

US 8,817,990 B2

KERBERIZED HANDOVER KEYING IMPROVEMENTS

The present application claims priority under 35 U.S.C. 119 as being a Non-provisional of Provisional Application Ser. No. 60/892,532, entitled Kerberized Handover Keying Improvements, filed on Mar. 1, 2007.

BACKGROUND

server, a router or a workstation. Messages destined for some other host are not passed up to the upper layers but are forwarded to the other host. In the OSI and other similar models, IP is in Layer-3, the network layer.

Wireless Networks:

Wireless networks can incorporate a variety of types of mobile devices, such as, e.g., cellular and wireless telephones, PCs (personal computers), laptop computers, wearable computers, cordless phones, pagers, headsets, printers, PDAs, etc.

