WIRELESS NETWORK AUTHENTICATION USING ISOLATED SECURITY KEY
A method includes generating, at a first station, a security key that is usable for authentication with an access point associated with a wireless network. The method includes switching from an infrastructure mode to an ad hoc communication mode, and while in the ad hoc communication mode, broadcasting a beacon frame and receiving a request, from a second station, to join the wireless network. The method includes determining that the second station is an approved device and sending a first authentication request to the access point on behalf of the second station. The method includes receiving a first authentication response, including challenge text, from the access point. The method includes encrypting the challenge text based on the security key and sending the encrypted challenge text as part of a second authentication request to the access point to authenticate the second station with the access point.
This application claims priority from and is a continuation application of U.S. patent application Ser. No. 16/890,200, entitled “WIRELESS NETWORK AUTHENTICATION USING ISOLATED SECURITY KEY,” filed Jun. 2, 2020, the contents of which is incorporated by reference in its entirety.
II. FIELD
The present disclosure is generally related to wireless network authentication.
III. BACKGROUND
A mobile device can authenticate with an access point to become part of a wireless network. Typically, the mobile device uses a security key to authenticate with the access point. As a non-limiting example, in a home setting, a user can enter a security key (e.g., a password) into the user's mobile device to authenticate the user's mobile device with an access point of the user's home wireless network.
If a guest enters the user's home and wishes to access the user's home wireless network with a guest mobile device, the user will typically have to give the guest the security key so that the guest can enter the security key into the guest mobile device. However, once the security key is shared, the likelihood that additional mobile devices will access the user's home wireless network, with or without the user's permission, increases. As a result, the user's home wireless network can become susceptible to network congestion and security threats.
IV. SUMMARY
According to a particular implementation of the techniques disclosed herein, a method of station authentication includes generating, at a first station, a security key that is usable for authentication with an access point associated with a wireless network during an infrastructure mode. The method also includes switching from the infrastructure mode to an ad hoc communication mode for a particular time period. While in the ad hoc communication mode for the particular time period, the method includes broadcasting a beacon frame and receiving a request, from a second station, to join the wireless network in response to broadcasting the beacon frame. The beacon frame includes network information associated with the wireless network, and the request includes device information associated with the second station. The method also includes determining, based on the device information, whether the second station is an approved device. The method further includes sending a first authentication request to the access point on behalf of the second station in response to a determination that the second station is an approved device. The first authentication request includes the device information associated with the second station. The method also includes receiving a first authentication response from the access point in response to sending the first authentication request. The first authentication response includes challenge text. The method further includes encrypting the challenge text based on the security key to generate encrypted challenge text. The security key is isolated from the second station. The method also includes sending the encrypted challenge text as part of a second authentication request to the access point to authenticate the second station with the access point.
According to another implementation of the techniques disclosed herein, a station includes a memory and a processor coupled to the memory. The processor is configured to generate a security key that is usable for authentication with an access point associated with a wireless network during an infrastructure mode. The processor is also configured to initiate a switch from the infrastructure mode to an ad hoc communication mode for a particular time period. The station also includes a transceiver coupled to the processor. The transceiver is configured to, while in the ad hoc communication mode for the particular time period, broadcast a beacon frame and receive a request, from a second station, to join the wireless network in response to broadcasting the beacon frame. The beacon frame includes network information associated with the wireless network, and the request includes device information associated with the second station. The processor is further configured to determine, based on the device information, whether the second station is an approved device. The transceiver is further configured to send a first authentication request to the access point on behalf of the second station in response to a determination that the second station is an approved device. The first authentication request includes the device information associated with the second station. The transceiver is also configured to receive a first authentication response from the access point in response to sending the first authentication request. The first authentication response includes challenge text. The processor is further configured to encrypt the challenge text based on the security key to generate encrypted challenge text. The security key is isolated from the second station. The transceiver is further configured to send the encrypted challenge text as part of a second authentication request to the access point to authenticate the second station with the access point.
According to another implementation of the techniques disclosed herein, a non-transitory computer-readable medium includes instructions for station authentication. The instructions, when executed by a processor in a station, cause the processor to perform operations including generating a security key that is usable for authentication with an access point associated with a wireless network during an infrastructure mode. The operations also include initiating a switch from the infrastructure mode to an ad hoc communication mode for a particular time period. While in the ad hoc communication mode for the particular time period, the operations include initiating a broadcast of a beacon frame and processing a received request, from a second station, to join the wireless network in response to broadcasting the beacon frame. The beacon frame includes network information associated with the wireless network, and the request includes device information associated with the second station. The operations also include determining, based on the device information, whether the second station is an approved device. The operations further include initiating transmission of a first authentication request to the access point on behalf of the second station in response to a determination that the second station is an approved device. The first authentication request includes the device information associated with the second station. The operations also include processing a received first authentication response from the access point in response to sending the first authentication request. The first authentication response includes challenge text. The operations further include encrypting the challenge text based on the security key to generate encrypted challenge text. The security key is isolated from the second station. The operations also include initiating transmission of the encrypted challenge text as part of a second authentication request to the access point to authenticate the second station with the access point.
One advantage of the above-described implementations is an ability to permit access to a wireless network without having to disclose a security key for the wireless network. For example, a station can use the security key to authenticate other approved stations with an access point of the wireless network without disclosing the security key. Other implementations, advantages, and features of the present disclosure will become apparent after review of the entire application, including the following sections: Brief Description of the Drawings, Detailed Description, and the Claims.
Particular aspects of the present disclosure are described below with reference to the drawings. In the description, common features are designated by common reference numbers. As used herein, various terminology is used for the purpose of describing particular implementations only and is not intended to be limiting of implementations. For example, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It may be further understood that the terms “comprise,” “comprises,” and “comprising” may be used interchangeably with “include,” “includes,” or “including.” Additionally, it will be understood that the term “wherein” may be used interchangeably with “where.” As used herein, “exemplary” may indicate an example, an implementation, and/or an aspect, and should not be construed as limiting or as indicating a preference or a preferred implementation. As used herein, an ordinal term (e.g., “first,” “second,” “third,” etc.) used to modify an element, such as a structure, a component, an operation, etc., does not by itself indicate any priority or order of the element with respect to another element, but rather merely distinguishes the element from another element having a same name (but for use of the ordinal term). As used herein, the term “set” refers to one or more of a particular element, and the term “plurality” refers to multiple (e.g., two or more) of a particular element.
In the present disclosure, terms such as “determining”, “calculating”, “detecting”, “estimating”, “shifting”, “adjusting”, etc. may be used to describe how one or more operations are performed. It should be noted that such terms are not to be construed as limiting and other techniques may be utilized to perform similar operations. Additionally, as referred to herein, “generating”, “calculating”, “estimating”, “using”, “selecting”, “accessing”, and “determining” may be used interchangeably. For example, “generating”, “calculating”, “estimating”, or “determining” a parameter (or a signal) may refer to actively generating, estimating, calculating, or determining the parameter (or the signal) or may refer to using, selecting, or accessing the parameter (or signal) that is already generated, such as by another component or device.
Referring to
The access point 140 is a networking hardware device that enables stations to connect to a wired network 160. For example, the access point 140 establishes a wireless network 150. Stations within the wireless network 150 can communicate with the wired network 160 through the access point 140. According to one implementation, the wireless network 150 includes an Institute of Electrical and Electronics Engineers (IEEE) 802.11 wireless network. The wireless network 150 can be a wireless local area network (WLAN).
To join the wireless network 150, a station must use a security key 232 to authenticate with the access point 140. The access point 140 sends an authentication message at the end of the authentication process to indicate that a station receiving the authentication message has been authenticated. After authentication, the station can associate with the wireless network 150 using conventional techniques. As illustrated in
The techniques described herein enable the station 110 to selectively authenticate the other stations 120, 130 with the access point 140 using the security key 232 upon a determination that the stations 120, 130 are approved devices. As described below, it should be appreciated that the station 110 can perform the authentication on behalf of the other stations 120, 130 without sharing the security key 232 with the other stations 120, 130. As a result of not sharing the security key 232, it will become increasingly difficult for unauthorized parties to access the wireless network 150. Thus, the wireless network 150 will be less susceptible to network congestion and security threats.
Referring to
The memory 204 can be a non-transitory computer-readable medium that stores instructions 214. The instructions 214 are executable by the processor 202 to perform the operations described herein. According to one implementation, the instructions 214 are executable by the processor 202 to cause the processor 202 to perform or initiate steps in the method 700 of
The processor 202 includes a security key generator 220, a mode selector 222, a data transfer monitor 224, a prompt generator 226, a frame generator 228, and an encryption unit 230. According to some implementations, one or more of the processor components 220, 222, 224, 226, 228, 230 can correspond to software (e.g., instructions 214) executable by the processor 202. According to other implementations, one or more of the processor components 220, 222, 224, 226, 228, 230 can correspond to dedicated circuitry (e.g., application-specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs)) integrated into the processor 202. Additionally, one or more of the processor components 220, 222, 224, 226, 228, 230 can be integrated with another processor component.
The security key generator 220 is configured to generate the security key 232 used to authenticate the station 110 with the access point 140. According to one implementation, the security key 232 can have an ASCII form such that it includes a sequence of letters, decimal numbers, or a combination thereof. According to another implementation, the security key 232 can have a Hex form such that it includes a sequence of hexadecimal numbers. The security key 232 is usable by the station 110 to authenticate with the access point 140. As a non-limiting example, during a four-way handshake, the security key 232 is used by the station 110 during an encryption process to grant the station 110 access into the wireless network 150.
As described above, with respect to
According to some implementations, the data transfer monitor 224 is configured to monitor a data transfer amount 238 (e.g., an amount of data transfer) associated with the wireless network 150 while operating in the infrastructure mode 234. To reduce network interference when the data transfer amount 238 is relatively high, the mode selector 222 can be configured to switch from the infrastructure mode 234 to the ad hoc communication mode 236 in response to a determination that the data transfer amount 238 fails to satisfy a data transfer threshold.
According to other implementations, the mode selector 222 is configured to periodically switch from the infrastructure mode 234 to the ad hoc communication mode 236. As non-limiting examples, the mode selector 222 can switch from the infrastructure mode 234 to the ad hoc communication mode 236 every twenty time units, every twenty-five time units, every thirty time units, every fifty time units, etc. If the mode selector 222 performs periodic switching, according to some implementations, the period can be determined based on a number of stations that have historically authenticated with the access point 140. For example, if a relatively large number of stations have been authenticated with the access point 140 in the past, the period can be relatively small (e.g., twenty time units) because it is more likely that stations are trying to access the wireless network 150. However, if a relatively small number of stations have been authenticated with the access point 140 in the past, the period can be relatively large (e.g., fifty time units) because it is not likely that stations are trying to access the wireless network 150. Thus, a frequency at which the mode selector 222 initiates a periodic switch from the infrastructure mode 234 to the ad hoc communication mode 236 can be dependent on a historical number of stations that have been authenticated with the access point 140. According to yet another implementation, switching from the infrastructure mode 234 to the ad hoc communication mode 236 is initiated by a user request.
While operating in the ad hoc communication mode 236 during the particular time period, the frame generator 228 is configured to generate a beacon frame 242, and the wireless transceiver 208 is configured to broadcast the beacon frame 242 to stations in the ad hoc communication network (e.g., the stations 120, 130). The beacon frame 242 includes network information 244 associated with the wireless network 150. According to some implementations, the network information 244 includes an SSID of the wireless network 150, capability information of the access point 140, etc. Although described as a “broadcast,” it should be understood that the term “broadcast” as used herein can also mean a multicast or unicast.
According to some implementations, the station 110 can receive an “original” beacon frame (having the network information 244) from the access point 140 while operating in the infrastructure mode 234. The frame generator 228 can generate the beacon frame 242 using the network information 244 from the original beacon frame broadcast from the access point 140. For example, after receiving the original beacon frame from the access point 140, the frame generator 228 can populate the relevant fields in the beacon frame 242 with the SSID of the wireless network 150, the capability information of the access point 140, etc.
Additionally, while operating in the ad hoc communication mode 236 during the particular time period, the wireless transceiver 208 can receive a request 180, from the station 120, to join the wireless network 150 in response to broadcasting the beacon frame 242, as shown in
The processor 202 is configured to determine, based on the device information 248 associated with the station 120, whether the station 120 is an approved device. For example, the processor 202 can make a determination of whether to grant the station 120 access to the wireless network 150.
According to one implementation, to determine whether the station 120 is an approved device, the prompt generator 226 can generate a prompt 240 to verify whether the station 120 has permission to join the wireless network 150. The prompt 240 displays information about the station 120 based on the device information 248. The display controller 210 is configured to display the prompt 240 at the interactive user display 212.
Referring to
Referring back to
For purposes of description, assume that the station 120 is an approved station. That is, according to the user prompt 240 implementation, assume that the user-selectable option 302 is selected. Additionally, or in the alternative, according to the illustrative example in
In response to the determination that the station 120 is an approved device, the frame generator 228 is configured to generate an authentication request 246 that includes the device information 248 associated with the station 120. The wireless transceiver 208 is configured to send the authentication request 246 to the access point 140 on behalf of the station 120 in response to the determination that the station 120 is an approved device. One implementation of generating the authentication request 246 and sending the authentication request 246 on behalf of the station 120 is described with respect to
Referring to
For the station 110 to send the authentication request 246 to the access point 140 on behalf of the station 120, the frame generator 228 is configured to populate the destination address field 406 in the authentication request 246 with a MAC address 140A of the access point 140 (e.g., an address of the access point 140). Populating the destination address field 406 with the MAC address 140A of the access point 140 results in transmission of the authentication request 246 to the access point 140. The MAC address 140A of the access point 140 can be determined based on the network information 244.
Additionally, to send the authentication request 246 to the access point 140 on behalf of the station 120, the frame generator 228 is configured to populate the source address field 408 in the authentication request 246 with a MAC address 120A of the station 120. Although the source of the authentication request 246 is the station 110 in reality, populating the source address field 408 with the MAC address 120A of the station 120 indicates to the access point 140 that the station 120 is requesting authentication (as opposed to the station 110). Thus, by populating the source address field 408 with the MAC address 120A of the station 120, the station 110 is sending the authentication request 246 “on behalf of” the station 120. The MAC address 120A of the station 120 can be determined based on the device information 248.
The frame generator 228 is also configured to populate the transmitter address field 410 with a MAC address 110A of the station 110. The transmitter address field 410 indicates, to the access point 140, an address to send a response frame. By populating the transmitter address field 410 with the MAC address 110A of the station 110, the access point 140 will send the response frame (e.g., an authentication response 190 as shown in
Referring back to
Referring to
The access point 140 populates the destination address field 506 with the MAC address 110A of the station 110 in response to the frame generator 228 populating the transmitter address field 410 in the authentication request 246 with the MAC address 110A of the station. Thus, the access point 140 sends the authentication response 190 to the station 110 that sent the authentication request 246. The access point 140 populates the source address field 508 and the transmitter address field 510 with the MAC address 140A of the access point 140.
The access point 140 also populates the challenge text field 522 with challenge text 552. The challenge text 552 is a sequence of characters that are to be encrypted by the receiving station (e.g., the station 110) for verification. For example, the access point 140, in addition to the station 110, has access to the security key 232. The access point 140 sends the challenge text 552 for encryption to a station requesting authentication. If the station has the security key 232, the station encrypts the challenge text 552 using the security key 232 and sends the encrypted version of the challenge text 552 to the access point 140. If the access point 140 decrypts the encrypted version of the challenge text 552 using the security key 232 and gets the challenge text 552, then the access point 140 authenticates the station. However, if the access point 140 decrypts the encrypted version of the challenge text 552 using the security key 232 and does not get the challenge text 552 as sent, then the access point 140 does not authenticate the station. To increase security, the challenge text 552 can change for each authentication process.
As described below, sending the authentication response 190 to the station 110 enables the station 110 to encrypt the challenge text 552 (on behalf of the station 120) using the security key 232 while isolating the station 120 from the security key 232. The other fields 502, 504, 512, 514, 516, 518, 520, 524 can be populated according to a SKA method.
Referring back to
Upon receiving the authentication response 190, the encryption unit 230 is configured to encrypt the challenge text 552 based on the security key 232 to generate encrypted challenge text 258. The frame generator 228 is configured to generate an authentication request 250 after the encrypted challenge text 258 is generated, and the wireless transceiver 208 is configured to send the encrypted challenge text 258 as part of the authentication request 250 to the access point 140 to authenticate the station 120 with the access point 140.
Referring to
For the station 110 to send the authentication request 250 to the access point 140 on behalf of the station 120, the frame generator 228 is configured to populate the destination address field 606 in the authentication request 250 with the MAC address 140A of the access point 140. Populating the destination address field 606 with the MAC address 140A of the access point 140 results in transmission of the authentication request 250 to the access point 140.
Additionally, to send the authentication request 250 to the access point 140 on behalf of the station 120, the frame generator 228 is configured to populate the source address field 608 in the authentication request 250 and the transmitter address field 610 in the authentication request 250 with the MAC address 120A of the station 120. Populating the source and transmitter address fields 608, 610 with the MAC address 120A of the station 120 promotes the access point 140 to send an authentication message 192 to the station 120, as illustrated in
The frame generator 228 is configured to populate the challenge text field 622 with the encrypted challenge text 258. As described above, once the authentication request 250 is received by the access point 140, the encrypted challenge text 258 is decrypted by the access point 140 using the security key 232 for verification. The other fields 402, 404, 412, 414, 416, 418, 420, 422, 424 can be populated according to a SKA method.
Referring back to
According to another implementation, the frame generator 228 is configured to populate the transmitter address field 610 in the authentication request 250 with the MAC address 110A of the station 110 to promote the access point 140 to send the authentication message 192 to the station 110. In this implementation, the station 110 receives the authentication message 192 from the access point 140 and relays the authentication message 192 to the station 120 while in the ad hoc communication mode 236.
In other scenarios, the station 110 can inhibit another station from joining the wireless network 150. To illustrate, while operating in the ad hoc communication mode 236 during the particular time period, the wireless transceiver 208 can receive a request 182, from the station 130, to join the wireless network 150 in response to broadcasting the beacon frame 242, as shown in
The processor 202 is configured to determine, based on the device information 256 associated with the station 130, whether the station 130 is an approved device. For example, the processor 202 can make a determination of whether to grant the station 130 access to the wireless network 150.
In a similar manner as described above, to determine whether the station 130 is an approved device, the prompt generator 226 can generate a prompt to verify whether the station 130 has permission to join the wireless network 150. According to another implementation, to determine whether the station 130 is an approved device, the processor 202 is configured to access the list of stations 260 that have previously been granted permission to join the wireless network 150. For purposes of description, assume that the station 130 is not an approved device.
In response to the determination that the station 130 is not an approved device, the frame generator 228 is configured to generate an exclusion frame 254 that includes the device information 256 associated with the station 130. The wireless transceiver 208 is configured to send the exclusion frame 254 to the access point 140, as shown in
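The proxied exchange described above (a join request from an approved station, a first authentication request carrying the station 120 address in the source field and the station 110 address in the transmitter field, challenge text returned to the transmitter, an encrypted reply whose source and transmitter fields name the station 120, and an exclusion frame for the non-approved station 130) as an added Python simulation; this is not code from the patent. The MAC addresses, the security key and the keystream cipher are constructed stand-ins, and each frame is reduced to the address, sequence and challenge fields the text discusses.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample addresses; the suffixes echo the patent's reference numerals.
AP_MAC = "02:00:00:00:01:40"      # access point 140
STA110_MAC = "02:00:00:00:01:10"  # station 110 (holds the security key 232)
STA120_MAC = "02:00:00:00:01:20"  # station 120 (approved, never receives the key)
STA130_MAC = "02:00:00:00:01:30"  # station 130 (not approved)
SECURITY_KEY = b"constructed-sample-key-232"


@dataclass
class Frame:
    kind: str               # "AUTH_REQ", "AUTH_RESP", "AUTH_OK", "EXCLUDE"
    da: str                 # destination address field
    sa: str                 # source address field (who is "requesting")
    ta: str                 # transmitter address field (where the AP replies)
    seq: int = 0            # authentication sequence number (1 or 3 for requests)
    challenge: bytes = b""  # challenge text, plain or encrypted
    iv: bytes = b""         # per-frame IV for the toy cipher
    device_info: str = ""   # device information carried by an exclusion frame


def toy_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Keystream XOR stand-in for the unspecified cipher; the same call decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class AccessPoint:
    """Access point 140: issues challenge text and verifies the encrypted reply."""

    def __init__(self, mac: str, key: bytes):
        self.mac, self.key = mac, key
        self.pending = {}          # source address -> challenge text issued
        self.authenticated = set()
        self.excluded = set()
        self.sent = []             # frames transmitted, kept for inspection

    def receive(self, f: Frame) -> None:
        if f.kind == "EXCLUDE":
            self.excluded.add(f.device_info)
        elif f.kind == "AUTH_REQ" and f.seq == 1:
            if f.sa in self.excluded:
                return
            challenge = os.urandom(128)  # fresh challenge text per authentication
            self.pending[f.sa] = challenge
            # The response goes to the transmitter address, not the source address.
            self.sent.append(Frame("AUTH_RESP", da=f.ta, sa=self.mac, ta=self.mac,
                                   seq=2, challenge=challenge))
        elif f.kind == "AUTH_REQ" and f.seq == 3:
            expected = self.pending.pop(f.sa, None)
            if expected is not None and toy_encrypt(self.key, f.iv, f.challenge) == expected:
                self.authenticated.add(f.sa)
                self.sent.append(Frame("AUTH_OK", da=f.ta, sa=self.mac, ta=self.mac, seq=4))


class ProxyStation:
    """Station 110: authenticates approved stations without disclosing the key."""

    def __init__(self, mac: str, key: bytes, approved: set):
        self.mac, self.key, self.approved = mac, key, approved

    def handle_join_request(self, ap: AccessPoint, requester: str) -> bool:
        if requester not in self.approved:
            # Exclusion frame carries the device information of the rejected station.
            ap.receive(Frame("EXCLUDE", da=ap.mac, sa=self.mac, ta=self.mac, device_info=requester))
            return False
        # First authentication request: SA = requester, TA = this station.
        ap.receive(Frame("AUTH_REQ", da=ap.mac, sa=requester, ta=self.mac, seq=1))
        resp = ap.sent[-1]
        if resp.kind != "AUTH_RESP" or resp.da != self.mac:
            return False
        # The challenge is encrypted here; the requester never handles the key.
        iv = os.urandom(16)
        encrypted = toy_encrypt(self.key, iv, resp.challenge)
        # Second request: SA and TA = requester so the AP's authentication message goes to it.
        ap.receive(Frame("AUTH_REQ", da=ap.mac, sa=requester, ta=requester, seq=3,
                         challenge=encrypted, iv=iv))
        return requester in ap.authenticated


def run_exchange(proxy_key: bytes = SECURITY_KEY) -> dict:
    """Run both join requests; report what the AP concluded and where its last frame went."""
    ap = AccessPoint(AP_MAC, SECURITY_KEY)
    proxy = ProxyStation(STA110_MAC, proxy_key, approved={STA120_MAC})
    ok_120 = proxy.handle_join_request(ap, STA120_MAC)
    ok_130 = proxy.handle_join_request(ap, STA130_MAC)
    last = ap.sent[-1] if ap.sent else None
    return {
        "sta120_authenticated": ok_120,
        "sta130_authenticated": ok_130,
        "excluded": set(ap.excluded),
        "auth_message_da": last.da if last and last.kind == "AUTH_OK" else None,
    }
```

Calling `run_exchange(proxy_key=b"wrong-key")` shows the verification step: the access point decrypts to something other than the challenge text it issued and sends no authentication message.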
It should be appreciated that the techniques described with respect to
Referring to
The method 700 includes generating, at a first station, a security key that is usable for authentication with an access point associated with a wireless network during an infrastructure mode, at 702. For example, referring to
The method 700 also includes switching from the infrastructure mode to an ad hoc communication mode for a particular time period, at 704. For example, referring to
According to one implementation of the method 700, switching from the infrastructure mode to the ad hoc communication mode includes monitoring an amount of data transfer associated with the wireless network while operating in the infrastructure mode and switching from the infrastructure mode to the ad hoc communication mode in response to a determination that the amount of data transfer fails to satisfy a data transfer threshold. For example, referring to
According to another implementation of the method 700, switching from the infrastructure mode to the ad hoc communication mode is periodically initiated by the first station. For example, referring to
According to another implementation of the method 700, switching from the infrastructure mode to the ad hoc communication mode is initiated by a user request. For example, referring to
While in the ad hoc communication mode for the particular time period, the method 700 includes (i) broadcasting a beacon frame and (ii) receiving a request, from a second station, to join the wireless network in response to broadcasting the beacon frame. The beacon frame includes network information associated with the wireless network, and the request includes device information associated with the second station. For example, referring to
The method 700 also includes determining, based on the device information, whether the second station is an approved device, at 706. For example, referring to
According to one implementation of the method 700, determining whether the second station is an approved device comprises generating, based on the device information associated with the second station, a prompt to verify whether the second station has permission to join the wireless network. For example, referring to
According to one implementation of the method 700, determining whether the second station is an approved device comprises accessing a list of stations that have previously been granted permission to join the wireless network. For example, referring to
The method 700 also includes sending a first authentication request to the access point on behalf of the second station in response to a determination that the second station is an approved device, at 708. The first authentication request includes the device information associated with the second station. For example, referring to
According to one implementation, prior to sending the first authentication request to the access point, the method 700 includes determining an address of the second station based on the device information associated with the second station. For example, referring to
The method 700 also includes receiving a first authentication response from the access point in response to sending the first authentication request, at 710. The first authentication response includes challenge text. For example, referring to
The method 700 also includes encrypting the challenge text based on the security key to generate encrypted challenge text, at 712. The security key is isolated from the second station. For example, referring to
The method 700 also includes sending the encrypted challenge text as part of a second authentication request to the access point to authenticate the second station with the access point, at 714. For example, referring to
According to one implementation, prior to sending the second authentication request to the access point, the method 700 includes populating a source address field in the second authentication request and a transmitter address field in the second authentication request with the address of the second station to promote the access point to send an authentication message to the second station. For example, referring to
According to one implementation, prior to sending the second authentication request to the access point, the method 700 includes populating a transmitter address field in the second authentication request with the address of the first station to promote the access point to send an authentication message to the first station. According to this implementation, the method 700 can also include receiving the authentication message from the access point and relaying the authentication message to the second station while in the ad hoc communication mode.
According to one implementation, the method 700 also includes receiving a second request, from a third station, to join the wireless network in response to broadcasting the beacon frame. The second request includes device information associated with the third station. For example, referring to
According to one implementation, the method 700 includes establishing an ad hoc communication network prior to switching from the infrastructure mode to the ad hoc communication mode. The second station and the third station are included in the ad hoc communication network. For example, the station 110 can establish the ad hoc communication network prior to switching from the infrastructure mode 234 to the ad hoc communication mode 236. The stations 120, 130 can be included in the ad hoc communication network.
The method 700 of
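The following Python model is an added worked example, not code from the disclosure or from the applicant. It walks the sequence of steps 706 through 714 with the first station acting as proxy, and it exercises the address handling of claims 6 through 9, the exclusion frame of claim 10 and the approved-list check of claim 16. Three things are assumptions rather than statements of the disclosure: the frame layout is reduced to the source, transmitter and destination address fields plus a body; the access point is taken to be provisioned with the first station's key by some means the disclosure does not describe; and, because the disclosure does not name the cipher used to "encrypt the challenge text", the model substitutes an HMAC-SHA256 tag over the challenge, which keeps the one property the exchange depends on, namely that only a holder of the isolated key can answer a fresh challenge. All addresses and device information are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Frame:
    """Simplified management frame carrying only the fields method 700 manipulates (assumed layout)."""
    kind: str                      # auth_req_1 / auth_resp_1 / auth_req_2 / auth_resp_2 / exclusion
    sa: str                        # source address
    ta: str                        # transmitter address
    da: str                        # destination address
    body: dict = field(default_factory=dict)


def encrypt_challenge(key: bytes, challenge: bytes) -> bytes:
    # Assumed stand-in for "encrypting the challenge text based on the security key" (step 712):
    # a keyed MAC that the access point recomputes with the same key.
    return hmac.new(key, challenge, hashlib.sha256).digest()


class AccessPoint:
    def __init__(self, addr: str, key: bytes):
        self.addr = addr
        self._key = key              # assumption: provisioned with the first station's key out of band
        self._pending = {}           # source address -> outstanding challenge, consumed on use
        self.authenticated = set()
        self.excluded = set()

    def receive(self, f: Frame):
        if f.kind == "exclusion":                       # claim 10: reject this station from now on
            self.excluded.add(f.body["station"])
            return None
        if f.sa in self.excluded:
            return Frame("auth_resp_2", self.addr, self.addr, f.ta, {"status": "rejected"})
        if f.kind == "auth_req_1":                      # step 710: answer with fresh challenge text
            challenge = secrets.token_bytes(16)         # fresh per attempt, so a stale answer fails
            self._pending[f.sa] = challenge
            # The response is addressed to the transmitter of the request; claims 6 to 9 rely on this.
            return Frame("auth_resp_1", self.addr, self.addr, f.ta, {"challenge": challenge})
        if f.kind == "auth_req_2":                      # step 714: verify the encrypted challenge
            challenge = self._pending.pop(f.sa, None)
            ok = challenge is not None and hmac.compare_digest(
                encrypt_challenge(self._key, challenge), f.body["encrypted_challenge"])
            if ok:
                self.authenticated.add(f.sa)
            status = "success" if ok else "failure"
            return Frame("auth_resp_2", self.addr, self.addr, f.ta, {"status": status})
        raise ValueError(f"unknown frame kind {f.kind}")


class FirstStation:
    """Station 110: holds the isolated key and authenticates approved guests on their behalf."""

    def __init__(self, addr: str, approved):
        self.addr = addr
        self.key = secrets.token_bytes(32)   # step 702: generated here, never sent to the second station
        self.approved = set(approved)        # claim 16: stations previously granted permission
        self.relayed = []                    # frames relayed to the guest over the ad hoc link (claim 9)

    def is_approved(self, device_info: dict) -> bool:
        return device_info["addr"] in self.approved   # step 706

    def handle_join_request(self, ap: AccessPoint, device_info: dict, relay_final: bool = True) -> bool:
        guest = device_info["addr"]
        if not self.is_approved(device_info):
            ap.receive(Frame("exclusion", self.addr, self.addr, ap.addr, {"station": guest}))
            return False
        # Step 708 / claim 6: SA is the guest (request on its behalf), TA is this station so that
        # the challenge comes back here instead of to the guest.
        resp1 = ap.receive(Frame("auth_req_1", guest, self.addr, ap.addr))
        assert resp1.da == self.addr
        # Claim 7: resp1 is deliberately not relayed; the guest never sees the challenge text.
        tag = encrypt_challenge(self.key, resp1.body["challenge"])                  # step 712
        # Claim 9 (TA = this station, result relayed) or claim 8 (TA = guest, AP answers it directly).
        ta = self.addr if relay_final else guest
        resp2 = ap.receive(Frame("auth_req_2", guest, ta, ap.addr, {"encrypted_challenge": tag}))
        if resp2.da == self.addr:
            self.relayed.append(resp2)
        return resp2.body["status"] == "success"


def run_demo() -> dict:
    """Constructed scenario: one approved guest, one unapproved guest, one guest trying without the key."""
    host = FirstStation("02:00:00:00:00:01", {"02:00:00:00:00:02"})
    ap = AccessPoint("02:00:00:00:00:ff", host.key)
    approved_joined = host.handle_join_request(ap, {"addr": "02:00:00:00:00:02"})
    unapproved_joined = host.handle_join_request(ap, {"addr": "02:00:00:00:00:03"})
    # The excluded station is refused even when it later contacts the access point itself.
    later = ap.receive(Frame("auth_req_1", "02:00:00:00:00:03", "02:00:00:00:00:03", ap.addr))
    # A station without the isolated key cannot answer a challenge it obtains directly.
    r1 = ap.receive(Frame("auth_req_1", "02:00:00:00:00:04", "02:00:00:00:00:04", ap.addr))
    bogus = encrypt_challenge(b"not the key", r1.body["challenge"])
    r2 = ap.receive(Frame("auth_req_2", "02:00:00:00:00:04", "02:00:00:00:00:04", ap.addr,
                          {"encrypted_challenge": bogus}))
    return {
        "approved_joined": approved_joined,
        "unapproved_joined": unapproved_joined,
        "excluded_later": later.body["status"],
        "direct_without_key": r2.body["status"],
        "authenticated": sorted(ap.authenticated),
        "relayed_to_guest": len(host.relayed),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two details of the model are worth noting when reading the claims against it. The access point consumes each challenge on first use, so an encrypted challenge captured from one exchange does not authenticate a second one, which is the minimum a practitioner would require of any challenge-response scheme of this shape. And whether the final authentication message reaches the guest directly (claim 8) or through the first station (claim 9) is decided purely by which address is placed in the transmitter address field of the second authentication request, exactly as claims 8 and 9 describe.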
Those of skill would further appreciate that the various illustrative logical blocks, configurations, modules, circuits, and algorithm steps described in connection with the implementations disclosed herein may be implemented as electronic hardware, computer software executed by a processing device such as a hardware processor, or combinations of both. Various illustrative components, blocks, configurations, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or executable software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
The steps of a method or algorithm described in connection with the implementations disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in a memory device, such as random access memory (RAM), magnetoresistive random access memory (MRAM), spin-torque transfer MRAM (STT-MRAM), flash memory, read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), registers, hard disk, a removable disk, or a compact disc read-only memory (CD-ROM). An exemplary memory device is coupled to the processor such that the processor can read information from, and write information to, the memory device. In the alternative, the memory device may be integral to the processor. The processor and the storage medium may reside in an application-specific integrated circuit (ASIC). The ASIC may reside in a computing device or a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a computing device or a user terminal.
The previous description of the disclosed implementations is provided to enable a person skilled in the art to make or use the disclosed implementations. Various modifications to these implementations will be readily apparent to those skilled in the art, and the principles defined herein may be applied to other implementations without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the implementations shown herein but is to be accorded the widest scope possible consistent with the principles and novel features as defined by the following claims.
Claims
1. A method of station authentication, the method comprising:
- generating, at a first station, a security key that is usable for authentication with an access point associated with a wireless network;
- receiving, at the first station and from a second station, a request to join the wireless network, the request including device information associated with the second station;
- determining, at the first station and based on the device information associated with the second station, whether the second station is an approved device; and
- performing, at the first station and on behalf of the second station, a handshake with the access point to authenticate the second station with the access point in response to a determination that the second station is an approved device, the handshake based on the security key and the device information associated with the second station.
2. The method of claim 1, wherein performing the handshake comprises:
- sending a first authentication request to the access point on behalf of the second station, the first authentication request including the device information associated with the second station;
- receiving a first authentication response from the access point in response to sending the first authentication request, the first authentication response including challenge text;
- encrypting the challenge text based on the security key to generate encrypted challenge text, the security key isolated from the second station; and
- sending the encrypted challenge text as part of a second authentication request to the access point to authenticate the second station with the access point.
3. The method of claim 1, wherein, prior to receiving the request to join the wireless network, the method comprises sending a frame to the second station, the frame including network information associated with the wireless network.
4. The method of claim 3, wherein the frame corresponds to a beacon frame, and wherein sending the frame comprises broadcasting the beacon frame.
5. The method of claim 3, wherein the request is received in response to sending the frame to the second station.
6. The method of claim 2, wherein, prior to sending the first authentication request to the access point, the method comprises:
- determining an address of the second station based on the device information associated with the second station;
- populating a source address field in the first authentication request with the address of the second station to send the first authentication request on behalf of the second station; and
- populating a transmitter address field in the first authentication request with an address of the first station to promote the access point to relay the first authentication response to the second station by way of the first station.
7. The method of claim 6, wherein a destination address of the first authentication response is the address of the first station in response to populating the transmitter address field in the first authentication request with the address of the first station, and further comprising:
- bypassing the relay of the first authentication response to the second station after receiving the first authentication response to isolate the second station from the challenge text.
8. The method of claim 2, wherein, prior to sending the second authentication request to the access point, the method comprises:
- populating a source address field in the second authentication request and a transmitter address field in the second authentication request with an address of the second station to promote the access point to send an authentication message to the second station.
9. The method of claim 2, wherein, prior to sending the second authentication request to the access point, the method comprises:
- populating a transmitter address field in the second authentication request with an address of the first station to promote the access point to send an authentication message to the first station;
- receiving the authentication message from the access point; and
- relaying the authentication message to the second station.
10. The method of claim 1, further comprising:
- receiving, at the first station and from a third station, a second request to join the wireless network, the second request including device information associated with the third station;
- determining, based on the device information associated with the third station, whether the third station is an approved device; and
- sending an exclusion frame to the access point in response to a determination that the third station is not an approved device, the exclusion frame including the device information associated with the third station, wherein the access point rejects authentication requests from the third station in response to receiving the exclusion frame.
11. The method of claim 1, further comprising, prior to receiving the request to join the wireless network, switching from an infrastructure mode to an ad hoc communication mode for a particular time period, wherein the request to join the wireless network is received while in the ad hoc communication mode.
12. The method of claim 11, wherein switching from the infrastructure mode to the ad hoc communication mode comprises:
- monitoring an amount of data transfer associated with the wireless network while operating in the infrastructure mode; and
- switching from the infrastructure mode to the ad hoc communication mode in response to a determination that the amount of data transfer fails to satisfy a data transfer threshold.
13. The method of claim 11, wherein switching from the infrastructure mode to the ad hoc communication mode is periodically initiated by the first station.
14. The method of claim 11, wherein a frequency at which the first station initiates a periodic switch from the infrastructure mode to the ad hoc communication mode is dependent on a historical number of stations that have been authenticated with the access point.
15. The method of claim 11, wherein switching from the infrastructure mode to the ad hoc communication mode is initiated by a user request.
16. The method of claim 1, wherein determining whether the second station is an approved device comprises:
- accessing a list of stations that have previously been granted permission to join the wireless network; and
- comparing the device information associated with the second station to device information associated with stations in the list of stations, wherein the second station is an approved device if the device information associated with the second station matches device information of a station in the list of stations, and wherein the second station is not an approved device if the device information associated with the second station fails to match device information of a station in the list of stations.
17. The method of claim 1, wherein the wireless network comprises an Institute of Electrical and Electronics Engineers (IEEE) 802.11 wireless network or a wireless local area network (WLAN).
18. The method of claim 1, wherein the device information associated with the second station includes an address of the second station.
19. A station comprising:
- a memory;
- a processor coupled to the memory, the processor configured to generate a security key that is usable for authentication with an access point associated with a wireless network; and
- a receiver coupled to the processor, the receiver configured to receive, from a second station, a request to join the wireless network, the request including device information associated with the second station;
- wherein the processor is further configured to: determine, based on the device information associated with the second station, whether the second station is an approved device; and initiate performance of a handshake with the access point on behalf of the second station to authenticate the second station with the access point in response to a determination that the second station is an approved device, the handshake based on the security key and the device information associated with the second station.
20. A non-transitory computer-readable medium comprising instructions for station authentication, the instructions, when executed by a processor in a station, cause the processor to perform operations comprising:
- generating a security key that is usable for authentication with an access point associated with a wireless network;
- processing a received request, from a second station, to join the wireless network, the request including device information associated with the second station;
- determining, based on the device information associated with the second station, whether the second station is an approved device; and
- performing, on behalf of the second station, a handshake with the access point to authenticate the second station with the access point in response to a determination that the second station is an approved device, the handshake based on the security key and the device information associated with the second station.
Type: Application
Filed: Oct 16, 2022
Publication Date: Feb 9, 2023
Inventor: Christopher Michael Scurry (Austin, TX)
Application Number: 17/966,842