The present invention relates generally to wireless networks, and more particularly to an encryption scheme and access point for providing two or more levels of encryption to prevent unauthorized access to the network.
In recent years, the use of wireless communication systems having mobile transceivers which communicate with a hardwired network, such as a local area network (LAN) or a wide area network (WAN), has become widespread. The mobile transceivers, commonly referred to as mobile terminals, may take one of several different forms. For instance, in retail stores hand-held scanning units may be used to allow for scanning inventory bar codes. In a warehouse, portable units mounted to a vehicle may be used to gather information from the warehouse floor. In a medical environment, the mobile terminal may take the form of a pen based workslate which allows medical personnel to work with full page screens at once.
In a typical wireless communication system or xe2x80x9cwireless networkxe2x80x9d, each mobile terminal communicates with a networked system via a radio or optical link in order to allow for a real time exchange of information. The mobile terminals communicate through one of several access points interconnected to the network. The access points allow for a wireless data communication path to be formed.
Associated with each access point is a geographic cell. A cell is a geographic area in which an access point has sufficient signal strength to transmit data to and receive data from a mobile terminal with an acceptable error rate. Typically, access points will be positioned along the backbone such that the combined cell area coverage from each access point provides full coverage of a building or site.
Mobile terminals are designed to be carried throughout the system from cell to cell. Each mobile terminal is capable of communicating with the system backbone via wireless communications between the mobile terminal and an access point to which the mobile device is currently registered. As the mobile terminal is portable and roams from one cell to another, the mobile terminal will typically reassociate itself with a new access point each time the mobile terminal enters a new cell thereby causing the former access point to which the mobile terminal was associated to deregister the mobile terminal.
Information exchanged between mobile terminals and access points is generally sent in packet format. Packets of information (also referred to herein simply as xe2x80x9cpacketsxe2x80x9d or xe2x80x9cdata packetsxe2x80x9d) are a defined set of data bits which carry information such as source address, destination address, synchronization bits, data, error correcting codes, etc. One standard communication protocol for transmitting packets of information between mobile terminals and access points is the IEEE 802.11 standard, although other protocols exist.
Of particular concern in wireless networks is network security. A mobile terminal which is granted unauthorized access to the wireless network has the ability to compromise the integrity of the network. For example, an unauthorized mobile terminal may engage in unauthorized communications and/or eavesdrop on the wireless transmissions. This can lead to undesirable or even catastrophic results in the case where an unauthorized mobile terminal is permitted to delete, alter or otherwise detrimentally affect data within the network.
Suppose, for example, a wireless network is operating in accordance with the IEEE 802.11 protocol. Mobile terminals which are capable of communicating in accordance with the 802.11 protocol are readily available from many manufacturers and are capable of operating within the wireless network. An individual wishing to compromise the integrity of the network may obtain such a mobile terminal and effectively eavesdrop on communications occurring between authorized mobile terminals and access points within the network. By eavesdropping on such communications, the individual may then ascertain a system ID within the network. The individual may then proceed to place unauthorized traffic on the network using the unauthorized mobile terminal.
The 802.11 protocol does include some degree of security in the form of a wired equivalent privacy (WEP) standard. Ideally, the WEP standard provides a degree of security equivalent to a hard-wired communication link. However, there are difficulties in implementing the WEP standard in many wireless networks. For example, there is no apparent teaching as to how the WEP standard may be used to provide security in a wireless network in which one or more mobile terminals may exist which are authorized to communicate on the network but which themselves are not capable of encrypting communications in accordance with WEP. Moreover, there is no apparent teaching as to how the information necessary for communicating using the WEP standard can be reliably exchanged in a wireless network without potentially breaching the security of the network.
In view of the aforementioned shortcomings associated with existing wireless networks, there exists a strong need in the art for a wireless network which permits secure communications without substantial risk of compromise. In particular, there is a strong need for a wireless network which enables secure communications among mobile terminals capable of engaging in secure communications. At the same time, there is a strong need for a wireless network which is still capable of permitting communications by authorized mobile terminals requiring a non-secure format.
A multi-level encryption scheme is provided for a wireless network. A first level of encryption is provided primarily for wireless communications taking place between a mobile terminal and an access point. In addition, however, a second, higher level of encryption is provided which is distributed beyond the wireless communications onto the system backbone itself. The second level of encryption provides a secure means for distributing the encryption scheme of the first level without compromising the integrity of the network.
According to one aspect of the invention, an access point is provided which includes a transceiver for wirelessly communicating with mobile terminals; an interface for coupling the access point to a system backbone; an encryption engine for encrypting messages using a first encryption key which are to be transmitted to a mobile terminal via the transceiver, and for decrypting messages using the first encryption key which are received from the mobile terminal via the transceiver; operational means for determining whether a message received via the transceiver has been encrypted using the first encryption key and, based on such determination, selectively forwarding the message to a destination on the system backbone specified in the message if the message had been encrypted, and at least one of forwarding the message to a predefined destination on the system backbone, blocking the message from being placed onto the system backbone, and placing the message onto the system backbone if the message had not been encrypted.
According to another aspect of the invention, an access point is provided which includes a transceiver for wirelessly communicating with mobile terminals; an interface for coupling the access point to a system backbone; a memory which stores mobile terminal identifiers indicating which mobile terminals which are to be permitted access to the system backbone, and whether such permitted access is secure access or non-secure access; control means, operatively coupled to the transceiver and the memory, for determining whether a received communication is from a mobile terminal which is permitted access to the system backbone; and means for processing the received communication based on whether the mobile terminal is permitted access.
To the accomplishment of the foregoing and related ends, the invention, then, comprises the features hereinafter fully described and particularly pointed out in the claims. The following description and the annexed drawings set forth in detail certain illustrative embodiments of the invention. These embodiments are indicative, however, of but a few of the various ways in which the principles of the invention may be employed. Other objects, advantages and novel features of the invention will become apparent from the following detailed description of the invention when considered in conjunction with the drawings.