Continued advancements in hardware technology and software development are enabling computer systems and other electronic devices, such as personal digital assistants, electronic books, cellular phones, etc., to be utilized in a variety of different implementations and applications. Some implementations are financial and commercial transactions, computer-aided design, health care, communication, data storage and warehousing, education, etc. Additionally, coupling these stand-alone computers and other electronic devices to form a networking environment greatly enhances their functionality. In a network environment, users are able to exchange information, share commonly stored files, combine resources, communicate via e-mail (electronic mail) and via video conferencing. Further, with the advent of wireless communication, networked computers can communicate and exchange information with nearly any other computer or other electronic device without having to be physically connected via a wired configuration.
In a wireless environment, there is a wireless client and an access point. The communication between the client and the access point is transmitted over public air space, so the communication is visible to anyone within range. In order to protect the privacy and contents of the transmitted communication, the information is commonly encrypted. To enable encryption, an encryption key is distributed to each of the clients utilizing the wireless network.
There are numerous different techniques for distributing encryption keys. One such technique involves public key cryptography, where the two parties sign (provide a digital signature for) a message using their respective private keys while authenticating (verifying the origin of) the message using the other party's public key. One type of public key distribution is the Diffe-Helmann scheme. The Diffe-Helmann scheme has an advantage in that the wireless client and the access point are the only parties that are apprised of the key. An Authenticated Diffe-Helmann scheme, an enhancement of Diffe-Helmann, provides that the two parties are aware of with whom they are communicating. Further, in Authenticated Diffe-Helmann, there may be a third party which checks the validity of the digital signatures, but that is the only function performed by the third party. Because the third party performs no computations, it is unaware of the session key used between the wireless client and the access point.
Public key cryptography, preferred from a strictly security standpoint, requires a substantial infrastructure, which is expensive to deploy and maintain. The necessary infrastructure can deter some customers from implementing this type of network security. More specifically, a significant drawback to Authenticated Diffe-Helmann is that it creates a significant computational burden on the access point. It is known that access points are commonly low end processing devices whose processing budget is highly constrained. In one attempt to alleviate the computational burden placed on the access point, some of the cryptographic processing associated with setting up a session key between a wireless client and an access point could be distributed to a system called an access server. However, if the computations performed by the access point are distributed to the access server, a number of properties of the original scheme are lost.
First, all three parties, the wireless client, the access point, and the access server, know the computed session key. Therefore, there is little justification for the increased computational burden imposed by Diffe-Helmann, which is a public key distribution scheme used to ensure only the two participating parties are apprised of the key.
Second, the session must be communicated from the access server to the access point using a cryptographically protected channel. Thus, there must be another shared key between the access point and the access server in addition to the signing key. It is well known that using the same key for both signing and encryption violates standard cryptography practices. Because the channel is protected using a symmetric encryption algorithm, the security of the Diffe-Helmann scheme is no more secure than the channel to which the algorithm is applied, which inherently reduces the security provided by Diffe-Helmann.
Another technique for distribution of encryption keys involves two parties holding a shared secret, where each party signs a message using the shared secret, while the other party authenticates the message utilizing the shared secret. This technique, termed shared secret based key distribution, is well known as being substantially less computationally intensive in comparison with public key cryptography.
Symmetric key cryptography is an encryption system in which the sender and receiver of a message share a single, common key that is used to encrypt and decrypt the message. Contrast this with public-key cryptography, which utilizes two keys—a public key to encrypt messages and a private key to decrypt them. Symmetric-key systems are simpler and faster, but their main drawback is that the two parties must somehow exchange the key in a secure way. Public-key encryption avoids this problem because the public key can be distributed in a non-secure way, and the private key is never transmitted. Symmetric-key cryptography is sometimes called secret-key cryptography. One of the more popular symmetric-key systems is the DES, short for Data Encryption Standard, developed in 1975 and standardized by ANSI in 1981. DES uses a 56-bit key, and a password or table is needed to decipher the encoded data. Another system is the RC4 encryption algorithm.
A well-known shared key based key distribution technique is the Otway-Rees scheme, which is known to dramatically reduce the computational burden on both the WC (wireless client) and the AP (access point).
Shared key based key distribution, inferior to public key cryptography, has its own drawbacks and shortcomings. This technique does not actually authenticate the sender of the message, it simply increases the likelihood that the incoming message originated from a sender that knows the shared secret. In addition, it is commonly known that this technique is subject to certain types of attacks, e.g., reflective attacks, that can complicate or disable the authentication process. Further, shared key based key distribution does not provide a way of uniquely identifying the communicating parties.
Thus, a need exists for a method and system to provide a secure wireless network for communication between a wireless client and an access point while reducing the computational burden placed on the access point and the wireless client. Another need exists for a method and system which meets the above listed needs and which provides positive identification of the parties communicating within a wireless network. Still another need exists for a method and system which meet the above listed needs and which provides an encryption key and a signing key.