The current data-centric use of networks (Internet access, media streaming) is increasingly extended towards home control functionality (home automation for climate control, lighting, burglar alarm, home energy network). Such home networks use according to FIG. 1 for instance various communication network technologies like Ethernet (IEEE 802.3), WLAN/WiFi (IEEE 802.11), and Power Line Communication (PLC; IEEE 1901). For this reason they are heterogeneous. The standard IEEE P1905.1 for Convergent Digital Home Networks (CDHN) [1] defines a home network standard supporting different network technologies by a specified “IEEE P1905.1”-Abstraction Layer.
FIG. 2 shows the design of the abstraction layer based on the ISO/OSI-Reference Model with a management and data plane. The abstraction layer is embedded in an IEEE P1905.1-Architecture above a Media Access Control (MAC)-layer and a Physical layer as part of a “Network Node Device” NND within the heterogeneous network. Thus, the network node device NND uses the cited technologies like Ethernet (IEEE 802.3), WLAN/WiFi (IEEE 802.11), and Power Line Communication (PLC; IEEE 1901) and additionally a technology according to the specification of the Multimedia over Coax Alliance (MoCA) via corresponding interfaces according to FIG. 2. It is not compulsory or mandatory for a typical network node device to support all cited communication technologies. It is possible that the network node device NND supports only one or two of the cited technologies or completely other network technologies. Thus the network node device NND supports at least one network technology.
At least one goal of the IEEE P1905.1 standardization activities are security mechanisms. They are needed to protect the home network from external attacks. Such security mechanisms have to be configured with a security credential (password, passphrase, cryptographic key) that is burdensome to set-up manually.
The specific problem of using a Push-Button Configuration (PBC) in an “IEEE P1905.1”-network comes from the fact that multiple devices (belonging even to different technologies) are activated to accept a new device. So in the current version of the standard, more than one device could register with the “IEEE P1905.1”-network after a single button press. An attacker node may therefore register undetected when an authorized registration of a new device takes place. Further, even in a scenario where there is no attacker node, if multiple existing nodes of the home network (for e.g. access points) activate their technology specific PBC mode simultaneously it may lead to failure of the new node's attempts to join the network. This is specifically the case when the access points (or the nodes involved in registering the new node in the network via the technology specific PBC) are IEEE 802.11 (WLAN) access points supporting as a Push-Button Configuration in the WLAN environment a Wi-Fi Protected Setup (WPS). Taking this into account a technology specific Push-Button Configuration is a Push-Button Configuration, which is used specifically for each of the communication network technologies within the heterogeneous network. In other words the aforementioned PBC and WPS is each a technology specific Push-Button Configuration or belongs each to the technology specific Push-Button Configuration.
Currently in heterogeneous convergent digital home networks for ease of use a push button method is provided in order to allow the end-user to easily setup the security credentials and permit new network devices to join the convergent digital home network. An example for this is the mechanism provided in the IEEE P1905.1 draft standard. Here using the P1905.1 push button mechanism, technology specific push button configurations (PBC) are activated on authenticated devices in the home network. This enables the new device joining to carry out a technology specific PBC itself with a suitable device (based on range, connectivity, and media type) to get security credentials to join the home network.
One of the basic problems with this is, that multiple technology specific push button configurations (PBC) triggered by the same push button event may actually fail because they recognize each other as a conflicting PBC run. This is especially the case in Wi-Fi Protected Setup (WPS) with “Wi-Fi”-devices.
Wireless communication equipment as e.g., a WLAN device has to be configured before it can be used. In particular, a cryptographic key may be required to be configured. An important standard for user-friendly configuration of WLAN devices is Wi-Fi Protected Setup (WPS) that supports a push-button configuration PBC between two devices. However, the general applicability is limited. So there is a need for an improved wireless configuration setup method.
The mechanisms provided however are limited, for example, they do not work for the case of home networks where multiple registrars are present [multiple registrars are possible, see page 16 of the “Wi-Fi Simple Configuration Technical Specification” defined by the Wi-Fi Alliance Version 2.0.2 (Jan. 2012) [2], which is the de-facto standard for WLAN security setup.
The IEEE 1905.1 Standard for Convergent Digital Home Networks [1] generalizes the push button configuration method of Wi-Fi Simple Configuration [2] to heterogeneous communication networks that have potentially multi-hop paths between the nodes. In IEEE 1905.1 [1], the push button on the network-side can be pressed on any device already belonging to the convergent digital home network (CDHN) in order to provide the necessary security credentials for joining the CDHN to the enrollee in a so-called push button configuration (PBC). Nodes in the CDHN use their technology-specific PBC methods, and for Wireless LAN (WLAN) devices, this is the push button configuration as defined in Wi-Fi Protected Setup [2].
The idea of IEEE 1905.1 is to activate the technology-specific PBC method at all nodes of the CDHN if a push button is pressed on a network node. Potentially, more than one WLAN access point will activate its WPS push button configuration method. However, the push button configuration in Wi-Fi Protected Setup will fail, if an enrollee will see more than one access point in PBC mode.
A method is needed to recognize whether multiple, simultaneous technology-specific PBC runs, especially Wi-Fi Protected Setup PBC runs, belong to the same push button event in the CDHN or to different push button events. The latter might be caused by an attacker and should be dealt as session overlap. Furthermore, the means for identifying the same push button event need to be verified so that an attacker cannot simply copy them to its own push button messages. These methods have to work over multiple hops.
The current technical specification for Wi-Fi Simple Configuration with the push button configuration (PBC) method (see [2], especially section 11.3) describes a monitoring for simultaneous push-button configurations. If a session overlap is detected, the push button configuration fails. A session overlap is detected if:                an enrollee discovers more than one registrar in active PBC mode: “if the Enrollee discovers more than one Registrar in active PBC mode then the Enrollee MUST abort its connection attempt and signal a “session overlap” error to the user.”([2] page 93)        a registrar receives PBC probe requests from more than one enrollee within the PBC Monitor Time and PBC Walk Time: “Within the PBC Monitor Time, if the Registrar receives PBC probe requests from more than one Enrollee, or if the Registrar receives an M1 message from an Enrollee with a UUID-E that does not match the UUID-E received in a probe request, then the Registrar MUST signal a “session overlap” error.”([2], page 94)        
FIG. 3 illustrates the components involved in a Push Button Configuration as defined by the Wi-Fi Simple Configuration Protocol [2]: A Registrar R, an Access Point AP, and an Enrollee E. In some cases, these logical components may be co-located, especially an Access Point may include a built-in Registrar to add Enrollees in a standalone fashion.
The standard IEEE P1905.1 [1] defines a 1905.1 Push Button Configuration (PBC) Method for automatic cross-technology security setup (multi-technology push button configuration) in clause 9.2.2. An example of the IEEE 1905.1 PBC Method, as given in [1], is shown in FIG. 4.
If the push button is pressed on any IEEE 1905.1 device already belonging to the IEEE 1905.1 network, then a corresponding push button event is triggered on this IEEE 1905.1 device. The underlying technology-specific push button configuration methods of each of the interfaces of this IEEE 1905.1 device are initiated. Furthermore, a Push Button Event Notification (PBN) Message is distributed to all IEEE 1905.1 devices belonging to the network (1905.1 Devices 2, 3, and 5 in FIG. 4).
The PBN Message contains the following information: MAC address of the transmitting device (=the PBN originator), the media types and corresponding media-specific information for which a PBC configuration has been activated at the PBN originator (=the IEEE 1905.1 device with the push button event).
On receipt of a PBN Message, an IEEE 1905.1 device initializes its underlying technology-specific PBC methods except for IEEE 802.11 interfaces. If the IEEE 802.11 interface belongs to an IEEE 802.11 access point, the underlying Wi-Fi Push Button Configuration is only initialized if the IEEE 802.11 Access Point is configured as the Registrar and the PBN originator did not initialize a Wi-Fi Push Button Configuration.
The IEEE 1905.1 PBC method ensures that only one IEEE 802.11 Access Point will initialize its technology-specific Wi-Fi PBC method at a push button event somewhere in the IEEE 1905.1 network. However, it cannot be ensured in networks with multiple IEEE 802.11 Access Points that the Enrollee will be in reach of the initialized access point even if it is in reach of an access point of the IEEE 1905.1 network.
Wi-Fi Simple Configuration [2] describes message exchanges between Enrollee, Access Point and Registrar for the scenario with an External Registrar and the case “Registrar triggered first” (cf. FIG. 5) as well as the case “Enrollee triggered first” (cf. FIG. 6).
FIGS. 5 and 6 show an example message flow of PBC configurations as specified in Wi-Fi Simple Configuration [2].
FIG. 7 shows an example setting of a convergent digital home network where the Enrollee of the FIGS. 5 and 6 corresponds to a New Device ND and the Access Point corresponds to network node devices D1, D2. The External Registrar functionality corresponds typically to a network node device D-PBE on which the push button is pressed and thus a Push Button Event happened. However, it is also possible in the context of the example setting being related to the invention that the Registrar functionality is realized on a different node (not shown in the FIG. 7) or on the network node device D1 or the network node device D2. In each of these cases the network node device D-PBE would send an information about the Push Button Event to the Registrar, for instance, a “Push Button Notification”-message (PBN-message).
The FIG. 7 shows a failed push button configuration in a convergent digital home network according to the state of the art of Wi-Fi Simple Configuration [2]. Note: The network node device D2 will start a technology-specific PBC and it is multiple hops away from the originator of the Push Button Event, the network node device D-PBE.
The FIG. 7 shows an exemplary signalling flow according to the state of the art. The two network node devices D1, D2 and the node device with the External Registrar functionality D-PBE belong to the same heterogeneous or homogeneous wireless network, e.g., an IEEE P1905.1 network or a single WLAN mesh network according to IEEE 802.11. Although only these three network node devices D1, D2, D-PBE are shown in the FIG. 7 it should be clear that the network can include more than these three devices. This means that besides a first network node device, which corresponds to the node device with the External Registrar functionality D-PBE, the network can have at least one second network node device, in the present case two second network node devices D1, D2.
A Push Button Configuration (initiation of an automatic security bootstrapping) is started, here by a first Push Button Event PBE-1 triggered on a first network node device D-PBE. The push button may be a physical push button activated by a user, a software push button on a user interface activated by a human user, or a logical push button which can be activated, for instance, by a software program. The first network node device D-PBE may in particular realize the role of a Registrar according to Wi-Fi Protected Setup specification.
Two second network node devices D1, D2 belonging to the same network are informed by the first network node device D-PBE by sending a push button notification message PBN to the two second network node devices D1, D2. Of the informed network node devices D1, D2 each network node device start a Push Button Configuration session (PBC session), e.g. a Wi-Fi Protected Setup session (WPS). A new device (third network node device) ND that is to be registered with the network to which the network node devices D-PBE, D1 and D2 belong, starts also a Push Button Configuration by a second Push Button Event PBE-2. A monitoring is performed according to the standard to detect overlapping PBC sessions. As here both network node devices D1 and D2 indicate the status of their started PBC by sending a beacon referring to the network node device D1 respectively D2 and the started PBC, the new device ND detects two simultaneous Push Button Configuration sessions, i.e. a session overlap. Thus the new device ND aborts the PBC session with a failure. The new device ND cannot distinguish this case that is expected to be successful from a case where a different device, e.g. an external device ED (cf. FIG. 9), which belongs to a neighbour or an attacker, is performing a PBC session.
Moreover, also the second network node devices D1, D2 would detect a session overlap if they receive the indication of the active PBC session from each other. This is especially the case, if the second network node devices D1, D2 are Wi-Fi Access Point with co-located Wi-Fi Registrars and the second network node devices D1, D2 are in direct range.
In such a scenario, which is based on the FIG. 7 but only described textually, the second network node devices D1, D2 receive the respective beacons indicating an active PBC session from the second network node device D2 resp. D1. Due to the reception of the beacons indicating an active PBC sessions, the second network node devices D1, D2 know that some other Wi-Fi Access Point is performing a PBC run. This is interpreted as a session overlap according to the state of the art [2] and both, the second network node devices D1, D2, will abort their PBC session although there wouldn't be any harm in doing the PBC session since both the second network node devices D1, D2 belong to the same secure home network.