Ad hoc networks are self-forming networks which can operate in the absence of any fixed infrastructure, and in some cases the ad hoc network is formed entirely of mobile nodes. An ad hoc network typically includes a number of geographically-distributed, potentially mobile units, sometimes referred to as “nodes,” which are wirelessly connected to each other by one or more links (e.g., radio frequency communication channels). The nodes can communicate with each other over a wireless media without the support of an infrastructure-based or wired network. Links or connections between these nodes can change dynamically in an arbitrary manner as existing nodes move within the ad hoc network, as new nodes join or enter the ad hoc network, or as existing nodes leave or exit the ad hoc network.
One characteristic of the nodes is that each node can directly communicate over a short range with nodes that are within communication range or “a single hop” away. Such nodes are sometimes referred to as “neighbor nodes.” When a node transmits packets to a destination node and the nodes are separated by more than one hop (e.g., the distance between two nodes exceeds the radio transmission range of the nodes, or a physical barrier is present between the nodes), the packets can be relayed via intermediate nodes (“multi-hopping”) until the packets reach the destination node. In such situations, each intermediate node routes the packets (e.g., data and control information) to the next node along the route, until the packets reach their final destination. For relaying packets to the next node, each node maintains routing information collected through communication with neighboring nodes. The routing information can also be periodically broadcast in the network to reflect the current network topology. Alternatively, to reduce the amount of information transmitted for maintaining accurate routing information, the network nodes may exchange routing information only when it is needed.
A wireless mesh network can be formed by a collection of wireless nodes or devices organized in a decentralized manner to provide range extension by allowing the nodes to communicate “over or across” multiple hops. In a multi-hop network, communication packets sent by a source node can be relayed through one or more intermediary nodes before reaching a destination node. A large wireless mesh network can be realized using mesh-enabled access points (MAP) which provide wireless nodes with access to a wired backhaul. A wireless mesh network can include both routable or “mesh” nodes and non-routable or “non-mesh” nodes. Mesh or “routable” devices or “nodes” may operate in compliance with a proprietary wireless protocol. These devices can forward packets to/from devices which are associated with them. Non-mesh or “non-routable” WLAN-enabled nodes are devices that do not have routing functionality and do not participate in any kind of routing, such as those complying with a proprietary wireless mesh networking protocol or a standard wireless protocol such as Institute of Electrical and Electronics Engineers (IEEE) 802.11a, b, e, g. As used herein, “IEEE 802.11” refers to a set of IEEE Wireless LAN (WLAN) standards that govern wireless networking transmission methods. IEEE 802.11 standards have been and are currently being developed by working group 11 of the IEEE LAN/MAN Standards Committee (IEEE 802). Any of the IEEE standards or specifications referred to herein may be obtained at http://standards.ieee.org/getieee802/index.html or by contacting the IEEE at IEEE, 445 Hoes Lane, PO Box 1331, Piscataway, N.J. 08855-1331, USA. Any of the IEEE standards or specifications referred to herein are incorporated by reference herein in their entirety.
Although a network can be made up of just MAPs communicating among themselves, with no connection to a wired network, one useful configuration includes a special type of MAP known as a mesh portal (MP) that has a wired connection. MAPs are wirelessly “meshed” together to form a mesh network of MAPs that also includes a mesh portal. This allows other nodes, including non-mesh 802.11 stations, to associate with a MAP and to communicate packets through intermediate MAPs on the way to their ultimate destination. Because the mesh portal (MP) has a wired connection to infrastructure and is meshed with the other MAPs, the wired network is in effect wirelessly extended to each MAP. Nodes can transmit/receive packets hop-by-hop over the mesh network of intermediate MAPs so that distant stations can communicate with the mesh portal (MP). This way nodes can communicate with other infrastructure network entities that the mesh portal is coupled to via its wired connection.
Many wireless mesh networks use cryptographic techniques to transmit data securely from one location in a network to another location in the network. Encryption is used in wireless mesh networks to secure communication between MAPs that communicate over-the-air (OTA). For example, a MAP can encrypt information using a cipher or encryption algorithm and an encryption key. A secret encryption key can be used to encode information using the encryption algorithm, and the encrypted information can then be transmitted securely toward its destination. In order to decode the encrypted information, the destination MAP must use the same secret encryption key that was used to encrypt the information and apply a cipher or decryption algorithm.
In symmetric or “secret-key” type cryptographic systems, symmetric key algorithms use identical encryption and decryption keys to encrypt and decrypt the information. Thus, to exchange enciphered data a single key value must be shared between the originator and the recipient.
In asymmetric or “public-key” type cryptographic systems, asymmetric key exchange (AKE) algorithms use separate public and private keys. Existing asymmetric key exchange algorithms include, for example, Diffie-Hellman, Rivest, Shamir, and Adleman (RSA), Digital Signature Algorithm (DSA), ElGamal, and Elliptic Curve Cryptography (ECC). In such asymmetric cryptographic systems, a single operation is used to generate the pair of public and private keys. The public key can be made publicly available and can be safely shared with all nodes, including the other MAP that will participate in a secure communication. The private key is kept secure or secret by the MAP that owns the key pair. To exchange encrypted data, each MAP party to the exchange makes its public key available and keeps its private key secret. The two keys are different from each other, and neither key can be deduced from the other. Because the private key needs to be kept only by one MAP, it never needs to be transmitted over any potentially compromised network. Two MAPs can generate a symmetric session key through the exchange of public keys. The two MAPs agree beforehand on the exact algorithm to use, and each MAP then selects a random number as a private key and uses the algorithm and the random number to generate a public key. The two MAPs exchange public keys, and each then generates a session key using its own private key and the other MAP's public key. Even though neither MAP knows the other MAP's private key, both MAPs' session keys are identical. Data enciphered using one key of the pair may be deciphered using the other key of the pair. The originator MAP enciphers the data using the public key of the recipient MAP. The recipient MAP is then able to decipher the received data using its own private key. A third party intercepting the public keys but lacking knowledge of either private key cannot generate the session key. Therefore, data can be securely encrypted with the session key.
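The Diffie-Hellman exchange described above, as an added example that is not part of the original text: two hypothetical `MeshAccessPoint` objects each draw a random private value, send only the derived public value, and arrive at the same session key, while an eavesdropper holding both public values cannot. The group parameters are a constructed toy safe prime (generated at runtime with an assumed Miller-Rabin helper), not a standardized deployment group.

```python
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 24) -> bool:  # Miller-Rabin test
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_group(bits: int):
    """Constructed toy group: safe prime p = 2q + 1, g in the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = pow(secrets.randbelow(p - 3) + 2, 2, p)  # a square of h != p-1 has order q
    return p, g

def derive_key(shared: int, p: int) -> bytes:
    """Hash the agreed group element down to a 256-bit symmetric (e.g. AES) key."""
    return hashlib.sha256(shared.to_bytes(p.bit_length() // 8 + 1, "big")).digest()

class MeshAccessPoint:
    """Hypothetical MAP holding one Diffie-Hellman key pair."""
    def __init__(self, p: int, g: int):
        self.p = p
        self.private = secrets.randbelow(p - 2) + 1  # random x, never transmitted
        self.public = pow(g, self.private, p)         # g^x mod p, sent over the air
    def session_key(self, peer_public: int) -> bytes:
        return derive_key(pow(peer_public, self.private, self.p), self.p)  # g^(xy)

def run_key_agreement(bits: int = 64):
    p, g = generate_group(bits)
    map_a, map_b = MeshAccessPoint(p, g), MeshAccessPoint(p, g)
    key_a, key_b = map_a.session_key(map_b.public), map_b.session_key(map_a.public)
    # Eavesdropper has g, p and both public keys but no private key; multiplying them gives g^(x+y), not g^(xy)
    eavesdropper = derive_key(map_a.public * map_b.public % p, p)
    return p, g, key_a, key_b, eavesdropper
```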
Because one key pair is associated with one MAP, even on a large network the total number of required keys is much smaller than in the symmetric case. Although AKE methods are convenient compared with alternatives such as manual key loaders, they are relatively slow because they are computationally intensive and because of the large keys needed for good security. To avoid this speed penalty, some secure MAPs use AKE only to establish the public key (shared by both MAPs) and then revert to a fast symmetric-key encryption algorithm such as the Advanced Encryption Standard (AES) to encrypt and decrypt the traffic. Because AKE is relatively slow, it noticeably delays communication, particularly in a wireless mesh network where data is transmitted over multiple hops between a source MAP and a destination node.
It is desirable to avoid unnecessary encryption, decryption and re-encryption that occurs when communicating information between MAPs since this can reduce delays typically associated with such secure communications over a wireless mesh network. Other desirable features and characteristics of the present invention will become apparent from the subsequent detailed description and the appended claims, taken in conjunction with the accompanying drawings and the foregoing technical field and background.