Patents by Inventor Nancy Cam Winget

Nancy Cam Winget has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20060236109
    Abstract: A system and method that allows a device to complete a single complete authentication sequence to a AAA server resulting in as many secure sessions required for the different applications or subsystems determined by the client's identity and the AAA server's policy. As the device is authenticated, it is determined where there are other sessions for the device. The sessions are established by generating unique new keying material that is passed to each session. This can be accomplished by (a) the authenticator or AAA server issuing the keys and distributing them to both the supplicant and applications (via their authenticators); or (b) authenticator or the AAA server mutually generating the session unique keys with the supplicant that are then distributed to the applications (via their authenticators).
    Type: Application
    Filed: April 4, 2005
    Publication date: October 19, 2006
    Inventors: Mark Krischer, Nancy Cam Winget
  • Publication number: 20060224890
    Abstract: A Machine Authentication PAC (Protected Access Credential) serves as machine credentials to obtain network access without requiring server storage and management of the additional set of credentials. The first time authentication is performed, user authentication is executed. After the supplicant and server have mutually authenticated each other and satisfied other validations, the supplicant requests a Machine Authentication PAC from the server. The Server randomly generates a cryptographic key (Device Key) and sends it to the supplicant along with an encrypted ticket, comprising the Device Key and other information and encrypted with a key only known to the Server. The supplicant caches the Machine Authentication PAC in its non-volatile memory for future use. When the machine needs to access certain network services before a user is available, the supplicant uses the Machine Authentication PAC to gain authorization for the machine to limited access on the network, without requiring user input.
    Type: Application
    Filed: April 4, 2005
    Publication date: October 5, 2006
    Inventors: Hao Zhou, Joseph Salowey, Nancy Cam Winget
  • Publication number: 20060179307
    Abstract: A method and system for performing pre-authentication across inter-subnets. A pre-authentication request is received by a first access point associated with a first subnet from a mobile node that is requesting pre-authentication with a second access point associated with a second subnet. The request is forwarded by the access point to a first authenticator that is the authenticator for the first subnet. The first authenticator obtains from a root infrastructure node the address for a second authenticator that is the authenticator for the second access point. The first authenticator then pre-authenticates the mobile node with the second authenticator by sending a message to the address for the second authenticator.
    Type: Application
    Filed: February 4, 2005
    Publication date: August 10, 2006
    Inventors: Jeremy Stieglitz, Nancy Cam Winget
  • Publication number: 20060114863
    Abstract: A method for protecting a wireless network against spoofed MAC address attacks. A database is used for storing MAC address and user identity bindings. When a new request to access the network is received, the MAC address and user identity of the request are compared to the stored MAC address and user identity bindings. If a new request has an existing MAC address, but not the corresponding user identity, then the request will be denied. The bindings database contains the MAC address and user identity bindings for wireless nodes and/or for wired nodes. The MAC address and user identity bindings contained in the bindings database may be automatically learned or statically configured.
    Type: Application
    Filed: December 1, 2004
    Publication date: June 1, 2006
    Inventors: Ajit Sanzgiri, Robert Meier, Bhawani Sapkota, Nancy Cam Winget
  • Publication number: 20060114839
    Abstract: The present invention contemplates an automatic, secure AP configuration protocol. Public/private keys and public key (PK) methods are used to automatically establish a mutual trust relationship and a secure channel between an AP and at least one configuration server. An AP automatically forwards a location identifier to the configuration server, and the configuration server delivers common, AP-specific, and location-specific configuration parameters to the AP.
    Type: Application
    Filed: December 1, 2004
    Publication date: June 1, 2006
    Inventors: Robert Meier, Nancy Cam Winget, Robert Bell
  • Publication number: 20060094440
    Abstract: A method for multicast load balancing in a wireless network having a plurality of access points. The method includes setting a maximum Internet protocol multicast bandwidth for the access points, receiving an admissions control request from a client at one of the access points, and determining whether the admissions control request from the client is for an admitted or unadmitted multicast stream at the access point. The access point is responsive to the admissions control request for the admitted multicast stream by servicing the admitted multicast stream and to the admissions control request for the unadmitted multicast stream by servicing the unadmitted multicast stream where the bandwidth required for the unadmitted multicast stream, plus that portion of the access point bandwidth currently used for all existing downlink multicast streams, does not exceed the maximum internet protocol multicast bandwidth for the access point.
    Type: Application
    Filed: November 1, 2004
    Publication date: May 4, 2006
    Inventors: Robert Meier, Stuart Norman, Douglas Smith, Nancy Cam Winget
  • Publication number: 20060013398
    Abstract: A wireless station prepares to roam by pre-authenticating itself with a neighboring access point. The wireless station sends a rekey request, which can include an incremented rekey number. The wireless station receives a rekey response. The rekey response can include the incremented rekey number. Because the wireless station is pre-authenticated, after it roams it only needs to perform a two-way handshake with a new access point to establish secure communications with the new access point. The two-way handshake starts by the wireless station sending a reassociation request to the neighboring access point, the reassociation request comprising the incremented rekey number established during pre-authentication. The wireless station receives a reassociation response from the neighboring access point. To protect against replay attacks, the neighboring access point can verify the rekey number sent in the reassociation request matches the rekey number sent in the rekey response.
    Type: Application
    Filed: July 15, 2004
    Publication date: January 19, 2006
    Inventors: David Halasz, Nancy Cam Winget, Robert Meier
  • Publication number: 20050154873
    Abstract: A method is disclosed for enabling stateless server-based pre-shared secrets. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the client uses to derive session keys. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.
    Type: Application
    Filed: January 12, 2004
    Publication date: July 14, 2005
    Inventors: Nancy Cam-Winget, Hao Zhou, Padmanabha Jakkahalli, Joseph Salowey, David McGrew
  • Publication number: 20050141498
    Abstract: A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, it obtains a key for the access point sending the frame and validates the management frame using the key.
    Type: Application
    Filed: January 5, 2005
    Publication date: June 30, 2005
    Inventors: Nancy Cam Winget, Mark Krischer, Timothy Olson, Pauline Shuen, Ajit Sanzgiri, Sheausong Yang
  • Publication number: 20040240412
    Abstract: A method and system for pre-authenticating and pre-establishing key management on a roaming device prior to reassociation to facilitate fast hand-off in a wireless network is described. For enhanced mobility, both authentication and key establishment are performed prior to reassociation of the roaming device between access points. When the roaming device enters in contact with one of the access points, a local authentication is performed between the access point and the roaming device prior to reassociation with the access point to allow for fast hand-offs of the device between access points within the network.
    Type: Application
    Filed: December 5, 2003
    Publication date: December 2, 2004
    Inventor: Nancy Cam Winget
  • Publication number: 20040103282
    Abstract: A method and system for handling roaming mobile nodes in a wireless network. The system uses a Subnet Context Manager to store current network session keys, security policy and duration of the session (e.g. session timeout) for mobile nodes, which is established when the mobile node is initially authenticated. Pairwise transient keys are derived from the network session key. The Subnet Context Manager handles subsequent reassociation requests. When a mobile node roams to a new access point, the access point obtains the network session key from the Subnet Context Manager and validates the mobile node by computing a new pairwise transient key from the network session key.
    Type: Application
    Filed: April 17, 2003
    Publication date: May 27, 2004
    Inventors: Robert Meier, Richard D. Rebo, Victor J. Griswold, Douglas Smith, Nancy Cam Winget
  • Patent number: 6426756
    Abstract: A method and apparatus for a modified linear filter using texture data as phase angle. In one embodiment, the present invention recites a method for filtering attribute data onto a display pixel using a minimum phase-angle average. First, a display pixel location is received. Then, a first and a second attribute data value, in the form of a texel, is received. A filtering calculation for the first attribute data values creates a filtered first texel attribute data value such that the difference between the filtered first attribute data value and the second attribute data value is not greater than approximately half the magnitude of the maximum attribute data value. Finally, an average is calculated using the filtered first attribute data value and the second attribute data value. The average will be the resultant attribute value assigned to the display pixel location. By using the steps in this method, the present invention provides more appropriate interpolation of attribute data values.
    Type: Grant
    Filed: June 8, 1999
    Date of Patent: July 30, 2002
    Assignee: Microsoft Corporation
    Inventors: Nancy Cam Winget, Richard Silkebakken
  • Patent number: 6333743
    Abstract: A method and system provide that image processing operations and graphics processing are both performed by a graphics rendering system. The texture memory and a texture filter of the graphics rendering system are used to perform look-up table operations as well as multiply and accumulate operations typically associated with image processing.
    Type: Grant
    Filed: October 23, 1997
    Date of Patent: December 25, 2001
    Assignee: Silicon Graphics, Inc.
    Inventors: Carroll Philip Gossett, Nancy Cam Winget
  • Patent number: 6256656
    Abstract: The integers involved in the computation are embedded into a modular system whose index (i.e., its modulus) is an integer M that is bigger than all of these integers involved. In other words, these integers are treated not as belonging to ordinary integers anymore, but as “modular integers” belonging to the modular system indexed by M. Having completed the embedding, CRT provides the bridge which connects the single modular system indexed by M (Z_M) with a collection of k modular systems indexed by m_1, m_2, ..., m_k respectively (Z_{m_1}, Z_{m_2}, ..., Z_{m_k}), where M factorizes as m_1 * m_2 * m_3 * ... * m_k, and where each m_i is slightly smaller than single precision. Then, after numbers are manipulated within modular arithmetic, the answer is reconstructed via the algorithm of CRT, also known as CRA. Finally, the present invention introduces the process of dinking that overcomes the major weakness of implementing division with modular arithmetic.
    Type: Grant
    Filed: December 28, 1998
    Date of Patent: July 3, 2001
    Assignee: Silicon Graphics, Inc.
    Inventors: Carroll Philip Gossett, Nancy Cam Winget
  • Patent number: 6236413
    Abstract: In a computer system including a processor coupled to a memory via a bus, a system for a reduced instruction set graphics processing subsystem. The graphics processing subsystem is configured to accept graphics data from a computer system via a bus. The graphics processing subsystem is deeply pipelined to achieve high bandwidth, and is operable for processing graphics data including a first and second set of graphics instructions. The graphics instructions from the second set are more complex than the graphics instructions from the first set. The graphics processing subsystem also includes a built-in recirculation path for enabling the execution of graphics instructions by multi-pass. The graphics pipeline is streamlined such that the graphics instructions from the first set are processed efficiently. The graphics instructions from the second set are processed by using multi-pass via the recirculation path.
    Type: Grant
    Filed: August 14, 1998
    Date of Patent: May 22, 2001
    Assignee: Silicon Graphics, Inc.
    Inventors: Carroll Philip Gossett, Vimal S. Parikh, Nancy Cam Winget
  • Patent number: 6230177
    Abstract: The method and apparatus employ a texture filter in a graphics processor to perform a transform such as, for example, a Fast Fourier Transform. The texturizer can include an array of linear interpolators. The architecture reduces the computational complexity of the transform processes.
    Type: Grant
    Filed: June 12, 1998
    Date of Patent: May 8, 2001
    Assignee: Silicon Graphics, Inc.
    Inventors: Carroll Philip Gossett, Nancy Cam Winget, Chien-Ping Lu