Patents by Inventor Stephen M. Orr

Stephen M. Orr has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250247691
    Abstract: Devices, systems, methods, and processes for facilitating enhanced data privacy (EDP) management are described herein. EDP management for effective obfuscation may be enabled with a wireless AP. The AP transmits wireless frames advertising support for group-based EDP. The AP transmits one or more epoch parameters associated with a plurality of epoch groups. A first epoch parameter comprises epoch timing information and a second epoch parameter indicates a number of wireless stations participating in the corresponding epoch group. The AP further receives a wireless action frame, transmitted by a wireless station, that indicates a first epoch group of the plurality of epoch groups that the STA requests to join. The AP maintains a wireless connection with the wireless station using a plurality of over-the-air (OTA) medium access control (MAC) addresses for the wireless station that are rotated at an epoch interval associated with the first epoch group.
    Type: Application
    Filed: December 23, 2024
    Publication date: July 31, 2025
    Inventors: Jerome Henry, Domenico Ficara, Ugo Campiglio, Javier Contreras, Juan Carlos Zuniga, Stephen M. Orr, Amine Choukir
  • Publication number: 20250247360
    Abstract: Devices, systems, methods, and processes for managing device address rotation are described herein. Managing address rotation to ensure sufficient participation for effective obfuscation, while also offering it as an optional feature is challenging. An address rotation logic in a network device facilitates enhanced device address rotation by allowing mass address rotation at an epoch boundary, with an added property of being optional. The network device broadcasts a message indicating upcoming time intervals for address rotation and receives responses from user devices indicating their intent to participate in address rotation. The message further indicates a count of participating devices to encourage non-participating devices to reconsider their decision. This approach manages mass address rotations while allowing user devices to select their address rotation intervals.
    Type: Application
    Filed: January 31, 2025
    Publication date: July 31, 2025
    Inventors: Domenico Ficara, Stephen Rodriguez, Ugo Campiglio, Stephen M. Orr, Jerome Henry, Javier Contreras, Amine Choukir
  • Publication number: 20250240619
    Abstract: Validation of privacy requests for mutual Access Point (AP) and client device protection may be provided. A first computing device may accept association with a second computing device. Then the first computing device may receive frame anonymization parameters associated with a parameter rotation from the second computing device. Next, the first computing device may determine to one of: i) accept the parameter rotation based on the frame anonymization parameters; and ii) reject the parameter rotation based on the frame anonymization parameters.
    Type: Application
    Filed: January 20, 2025
    Publication date: July 24, 2025
    Applicant: Cisco Technology, Inc.
    Inventors: Domenico Ficara, Stephen M. Orr, Jerome Henry, Ugo Mario Campiglio, Javier Contreras
  • Publication number: 20250220414
    Abstract: In one aspect, the techniques described herein relate to a computer-implemented method that includes receiving, from a device associated with a Wi-Fi network, a signal. The signal may be configured to convey generational capabilities of the device to operate in the Wi-Fi network. The generational capabilities may include information on compliance of the device with wireless communication protocols of the Wi-Fi network. The method may further include determining a status of the device for operating in the Wi-Fi network based on the generational capabilities of the device included in the signal and configuring one or more parameters for communicating with the device in the Wi-Fi network according to the status of the device. The method may further include communicating with the device using the one or more parameters.
    Type: Application
    Filed: December 30, 2024
    Publication date: July 3, 2025
    Inventors: Brian Donald Hart, Juan Carlos Zuniga, Scott Blue, Stephen M. Orr
  • Publication number: 20250220417
    Abstract: Opportunistic Key Caching (OKC) in Suite-B-192 Authentication and Key Management (AKM) may be provided. OKC in Suite-B-192 AKM can comprise performing an association process with a Station (STA). An initial Key Confirmation Key (KCK) can be received, and a Pairwise Master Key (PMK) Identifier (PMKID) is determined based on the initial KCK. A four-way handshake is performed to derive one or more keys using the PMKID.
    Type: Application
    Filed: July 26, 2024
    Publication date: July 3, 2025
    Applicant: Cisco Technology, Inc.
    Inventors: Jegan Manoharan, Sachin D. Wakudkar, Stephen M. Orr
  • Publication number: 20250203551
    Abstract: Techniques and apparatus for facilitating seamless roaming within a seamless mobility domain (SMD) are described. An example technique performed by a wireless device includes performing an association to a SMD. The SMD includes multiple access point (AP) multi-link devices (MLDs), and each of the AP MLDs includes a respective one or more APs. The wireless device roams among the AP MLDs within the SMD while maintaining association to the SMD.
    Type: Application
    Filed: December 18, 2024
    Publication date: June 19, 2025
    Inventors: Binita GUPTA, Brian D. HART, Stephen M. ORR, Malcolm M. SMITH, Indermeet S. GANDHI
  • Publication number: 20250159472
    Abstract: The present disclosure provides techniques for handling MAC address collision within an ESS comprising at least one wireless station and at least one access point (AP). An AP receives a first IRM address during execution of a handshake protocol between the AP and a wireless station. The AP determines that the first IRM address is allocated for use by another wireless station and then transmits a message to the wireless station. The AP receives a first wireless action frame transmitted by the wireless station after execution of the handshake protocol, where the wireless action frame includes a second IRM address selected by the wireless station. The AP establishes a wireless connection with the wireless station in a subsequent association with the wireless station using the second IRM.
    Type: Application
    Filed: November 4, 2024
    Publication date: May 15, 2025
    Inventors: Domenico FICARA, Javier I. CONTRERAS ALBESA, Jerome HENRY, Stephen M. ORR
  • Publication number: 20250159471
    Abstract: The present disclosure provides techniques for handling MAC address collision within an ESS comprising at least one wireless station and at least one access point (AP). A wireless station selects a first Identifiable Random Media Access Control (MAC) (IRM) address, and sends the IRM address to the AP during execution of a handshake protocol. The wireless station receives a message from the AP indicating the selected IRM address is allocated for use by another wireless station. Responsive to the message, the wireless station selects a second IRM address different from the first IRM address, and transmits the second IRM address to the AP after execution of the handshake protocol. The wireless station uses the second IRM address in a subsequent association with the wireless AP or any other AP in a same extended service set (ESS) of the wireless AP.
    Type: Application
    Filed: October 4, 2024
    Publication date: May 15, 2025
    Inventors: Domenico FICARA, Javier I. CONTRERAS ALBESA, Jerome HENRY, Stephen M. ORR
  • Publication number: 20250150432
    Abstract: An epoch scheme for Station (STA) privacy and, specifically, a structured Media Access Control (MAC) address rotation schedule for STAs may be provided. Providing an epoch scheme for STA privacy can include determining epoch parameters for a STA, the epoch parameters comprising a minimum epoch period duration and a maximum epoch period duration. The epoch parameters are sent to the STA, wherein the STA is operable to rotate a MAC address each epoch period at a time between the minimum epoch period duration and the maximum epoch period duration. A mapping of the STA and the MAC address can be updated each epoch period.
    Type: Application
    Filed: January 7, 2025
    Publication date: May 8, 2025
    Applicant: Cisco Technology, Inc.
    Inventors: Jerome Henry, Domenico Ficara, Ugo M. Campiglio, Javier Contreras, Juan Carlos Zuniga, Stephen M. Orr
  • Publication number: 20250150433
    Abstract: An epoch scheme for Station (STA) privacy and, specifically, a structured Media Access Control (MAC) address rotation schedule for STAs may be provided. Providing an epoch scheme for STA privacy can include determining epoch parameters for a STA, the epoch parameters comprising a minimum epoch period duration and a maximum epoch period duration. The epoch parameters are sent to the STA, wherein the STA is operable to rotate a MAC address each epoch period at a time between the minimum epoch period duration and the maximum epoch period duration. A mapping of the STA and the MAC address can be updated each epoch period.
    Type: Application
    Filed: January 7, 2025
    Publication date: May 8, 2025
    Applicant: Cisco Technology, Inc.
    Inventors: Jerome Henry, Domenico Ficara, Ugo M. Campiglio, Javier Contreras, Juan Carlos Zuniga, Stephen M. Orr
  • Publication number: 20250106182
    Abstract: An epoch scheme for Station (STA) privacy and, specifically, a structured Media Access Control (MAC) address rotation schedule for STAs may be provided. Providing an epoch scheme for STA privacy can include determining epoch parameters for a STA, the epoch parameters comprising a minimum epoch period duration and a maximum epoch period duration. The epoch parameters are sent to the STA, wherein the STA is operable to rotate a MAC address each epoch period at a time between the minimum epoch period duration and the maximum epoch period duration. A mapping of the STA and the MAC address can be updated each epoch period.
    Type: Application
    Filed: September 23, 2024
    Publication date: March 27, 2025
    Applicant: Cisco Technology, Inc.
    Inventors: Jerome Henry, Domenico Ficara, Ugo M. Campiglio, Javier Contreras, Juan Carlos Zuniga, Stephen M. Orr
  • Publication number: 20240381076
    Abstract: A system and method are provided for generating a pairwise transient key security association (PTKSA) by: providing a first media access control (MAC) address that is shared by multiple access points (APs), the first MAC address corresponding to an infrastructure comprising the multiple APs, and each AP of the multiple APs having a respective AP MAC address; providing a second MAC address to a station (STA); and establishing a secure link between the STA and the infrastructure using the first MAC address and the second MAC address to derive a pairwise transient key (PTK) for the secure link, wherein the secure link is between the STA and the multiple APs.
    Type: Application
    Filed: July 21, 2023
    Publication date: November 14, 2024
    Inventors: Stephen M. Orr, Malcolm Muir Smith, Indermeet Singh Gandhi
  • Publication number: 20240381188
    Abstract: The present technology provides for efficient re-association of a STA from a first Wi-Fi AP to a second Wi-Fi AP where the respective Wi-Fi APs utilize different security protocols. Since the association and key management (AKM) protocols and the cipher suites differ between generations of Wi-Fi technology, a STA normally would not be able to take advantage of the fast transition process. However, since the present technology allows the STA to derive the security keys in advance, the STA can perform the fast transition and efficiently roam to the Wi-Fi AP that utilizes a different association and key management (AKM) version.
    Type: Application
    Filed: July 21, 2023
    Publication date: November 14, 2024
    Inventors: Stephen M Orr, Indermeet Singh Gandhi, Malcolm Muir Smith
  • Publication number: 20240380574
    Abstract: Secure communication with a Backscatter Device (BKD) may be provided. A temporal key may be created. The temporal key and a network Identifier (ID) may be encrypted with a public key of a public private key pair associated with the BKD. An excitation frame including the encrypted temporal key and the encrypted network ID may be transmitted to the BKD. The AMP BKD may include a sensor. A BKD frame may be received from the BKD in response to the excitation frame. The BKD frame may include sensor data encoded with the temporal key and the network ID as a target destination. The BKD frame may be signed using a private key of the public private key pair.
    Type: Application
    Filed: September 20, 2023
    Publication date: November 14, 2024
    Applicant: Cisco Technology, Inc.
    Inventors: Jerome Henry, Stephen M. Orr, Robert E. Barton, Indermeet S. Gandhi
  • Publication number: 20240380481
    Abstract: Backscatter Device (BKD) onboarding may be provided. BKD onboarding may begin with an AP receiving an identifier associated with a BKD. The AP may determine to onboard the BKD and transmit to the BKD an onboarding excitation signal to request data from a memory bank of the BKD. The AP may then receive a response to the onboarding excitation signal from the BKD. The AP may verify the BKD is valid based on the identifier and the response. Finally, the AP may onboard the BKD based on verifying the BKD is valid.
    Type: Application
    Filed: October 30, 2023
    Publication date: November 14, 2024
    Applicant: Cisco Technology, Inc.
    Inventors: Jerome Henry, Juan Carlos Zuniga, Stephen M. Orr
  • Publication number: 20240381077
    Abstract: The present technology provides a mechanism for more efficient make-before-you-break roaming (MMBR) between devices in the same extended service set (ESS) that utilize a common Pairwise Master Key (PMK). Association and key management (AKM) procedures can be time-consuming, and the present technology provides for a more efficient mechanism by which the Pairwise Transient Key (PTK) can be derived in advance so that the STA can directly associate with a new AP. More specifically, the Robust Security Network Information Element (RSNIE) that is exchanged prior to key derivation and association between the STA and the AP can be enhanced to include information about the security protocols used by other APs in the extended service set (ESS), which can be used to derive respective Pairwise Transient Keys (PTKs) in advance for use with other APs.
    Type: Application
    Filed: July 21, 2023
    Publication date: November 14, 2024
    Inventors: Stephen M Orr, Malcolm Muir Smith, Indermeet Singh Gandhi
  • Publication number: 20240380576
    Abstract: A system and method are provided for generating group encryption keys for a global group and a private group to encrypt wireless messages between an access point and a station. The private group key is based on a unique private group identifier. The global group key and the private group key are sent from the access point to one or more stations via an M3 message as part of a 4-way handshake or as part of a 2-way group key handshake. The global group key is used for encrypted broadcast or multicast messages with an entire group, whereas the private group key is used for encrypted broadcast or multicast messages with a private group that is a subset of the entire group.
    Type: Application
    Filed: August 22, 2023
    Publication date: November 14, 2024
    Inventors: Stephen M Orr, Shree Narasimha Murthy
  • Publication number: 20240372828
    Abstract: The present disclosure describes a system and method for deconflicting locally administered medium access control addresses (LAMAs). An apparatus includes a memory and a processor communicatively coupled to the memory. The processor receives a request for a client device to use a locally administered medium access control address (LAMA) and determines that the LAMA is in use or reserved for future use by an access point that is out of range of the client device. Prior to the client device roaming to the access point, the processor transmits to the client device a message denying connectivity to the client device using the LAMA. The message indicates a LAMA that the client device is prohibited from selecting.
    Type: Application
    Filed: July 12, 2024
    Publication date: November 7, 2024
    Inventors: Brian D. HART, Stephen M. ORR, Venkataprasad CHIRREDDY
  • Publication number: 20240348694
    Abstract: A client device may receive, from a computing device, a message indicating that a session duration of a current session is nearly over. The client device may close the current session as soon as the client device is idle for more than a configurable interval. A new session may be started with the computing device by the client device.
    Type: Application
    Filed: April 14, 2023
    Publication date: October 17, 2024
    Applicant: Cisco Technology, Inc.
    Inventors: Ugo CAMPIGLIO, Jerome HENRY, Sachin D. WAKUDKAR, Stephen M. ORR
  • Publication number: 20240298178
    Abstract: Fine Time Measurement (FTM) Location Configuration Information (LCI) protection and, specifically, FTM LCI protection with authentication and selective client enablement may be provided. To perform FTM LCI protection, a controller may first obtain a key-pair including a public key and a private key from a Certificate Authority (CA). The controller may determine a venue location where an Access Point (AP) is located. The controller may send a Certificate Signing Request (CSR) with the venue location to the CA. In response to sending the CSR, the controller may receive a public key certificate from the CA, wherein the public key certificate includes the venue location. The AP may receive a request for Location Configuration Information (LCI) from a Station (STA), wherein the LCI includes an AP location. The AP creates a hash of LCI of the AP using the private key and sends the LCI and the hash to the STA.
    Type: Application
    Filed: October 26, 2023
    Publication date: September 5, 2024
    Applicant: Cisco Technology, Inc.
    Inventors: Jerome Henry, Brian D. Hart, Peiman Amini, Stephen M. Orr, Sudhir K. Jain