Setting up a home wireless network, such as a wireless local area network (WLAN), can be a very difficult process for most computer users, thus presenting a significant obstacle to efficient utilization of WLANs. One of the difficulties users encounter is determining how to best secure a WLAN. Wireless networks have typically been protected with a single Pre-Shared Key (PSK). However, the use of a single pre-shared secret key requires that a user re-configure the entire network if the user wants to deny future access to a device that was previously authorized for use on the WLAN. While the latest wireless LAN standard 802.11i (also known as “WPA2”) supports the use of multiple PSKs, some access points (APs) do not support the use of multiple PSKs. The availability of multiple PSKs enables selective revocation of security associations, which makes removing guests possible. 802.11i specifies from the PSK onward, but it does not specify how PSKs are created. In addition, 802.11i does not specify how to group PSKs or how to remove a PSK when it is no longer needed.
Other 802.11X protocols specify how PMKs (Pairwise Master Keys, which are similar to PSKs, except that a PMK is valid only for a single session) are created using a separate protocol between a device and an authentication server on the network. However, like 802.11i, 802.11X also does not specify how to group PMKs (removal is implicit at the end of the session).
Existing proposals for solving the network setup problem attempt to exploit proximity. For example, one known approach exploits physical proximity by using a physically secure “out-of-band” (OOB) channel 1.1. The OOB channel can be based on NFC (Near Field Communication), infrared, portable USB memory stick or any other communication technology that is based on physical proximity. The OOB is used to transfer the network identifier (e.g., a SSID) and a shared key from one device to another. Because the transferred key is used directly as the PSK, no additional protocols are needed. To add a new device to the network, the only user interaction needed is to touch the new device with a “token.” The token can be a simple special-purpose device, or it can be part of another device, e.g., part of a WLAN client device that is already in the network. FIG. 1 illustrates this approach when an “introducer” is used to admit a new device into the network 1.2. Note that the introducer can be the AP itself. While this approach provides intuitive user interaction and allows delegation of access from one device to another, guest access remains cumbersome. Because the same PSK is used by all the devices, the only way to remove guest access is to remove all devices from the network, and then add allowed devices again, one by one.
Another known approach exploits time proximity using in-band configuration. A proposal by Broadcom for Secure Easy Setup (SES) falls into this category. In SES, network setup is performed by first putting the AP into a configuration mode, and then placing the new device into its configuration mode, e.g., by pressing a button on the respective devices. Once in configuration mode, the devices locate each other using some protocol to agree on a PSK. FIG. 2 illustrates an example of an “in-band” solution. Pairing of the new device and the AP in the in-band approach is done utilizing WLAN pairing methods 2.1 and 2.2. In-band solutions present a variety of problems, including the possibility of accidental pairing with an unintended device and the threat of a man-in-the-middle attack (because the initial key agreement protocol is not authenticated). In addition, guest access is cumbersome as in the OOB case, and no device-to-device delegation of access rights is possible.
The OOB and in-band approaches have advantages and disadvantages. The OOB approach is more intuitive and secure, but because of the extra hardware required, it is unreasonable to expect that all devices will have suitable out-of-band channels available. The in-band approach does not allow delegation of access and is less secure, but it is less expensive and is more likely to start appearing in commercial APs and client devices. Neither approach supports easy guest access management.
Thus, it would be an advancement in the art to provide methods and systems that allow for simpler and more efficient wireless network setup and administration that overcome the above limitations and disadvantages.