Wireless digital networks, such as networks operating under current Electrical and Electronics Engineers (IEEE) 802.11 standards, are spreading in their popularity and availability. With such popularity, however, come problems of fast BSS transitions. A BSS transition generally refers to movement of a wireless station from one BSS in one extended service set (ESS) to another BSS within the same ESS. By contrast, a fast BSS transition (FT) generally refers to a BSS transition that establishes the state necessary for data connectivity before the re-association rather than after the re-association.
For example, the current IEEE 802.11i standard (Medium Access Control Security Enhancements) provides pre-authentication and Pairwise Master Key (PMK) caching. Pre-authentication enables supplicants, such as wireless stations, to authenticate with authenticators, such as access points or network controllers, to which they may roam. Pre-authentication typically happens through the access point to which the wireless station is currently associated over a distribution system, such as an Ethernet network. Moreover, PMK caching allows supplicants and authenticators to cache PMK Security Associations (PMKSAs) so that a supplicant revisiting an authenticator to which it has previously authenticated can omit performing IEEE 802.1X/EAP authentications and proceed directly to a 4-way handshake. The 4-way handshake is used by an IEEE 802.1X supplicant and an authenticator to derive Pairwise Transient Keys (PTKs) which are used for encrypting data frames. PMK Caching is also referred to as “fast roam-back” because supplicants must have previously authenticated and formed a PMKSA with the authenticator in order to proceed directly to the 4-way handshake.
Alternatively, an Opportunistic Key Caching (OKC) protocol can be used in fast roaming where the supplicant has never authenticated. OKC allows the PMK in the initial PMKSA formed by the supplicant and authenticator to be reused across the network. The PMK can be redistributed by a wireless local area network (WLAN) and given new PMK identifiers that are unique to each access point in the WLAN. The unique PMK identifier may include the new access point's Media Access Control (MAC) address (i.e., BSSID). According to OKC, the supplicant places the unique PMK identifier into its re-association request; and when the authenticator validates the PMK identifier, the access point starts the 4-way handshake using the PMK corresponding to the PMK identifier to derive a PTK.
Moreover, the current IEEE 802.11r standard (Fast Basic Service Set Transition) specifies an exemplary FT protocol, which redefines a security key negotiation protocol and allows the negotiation and request for wireless resources to occur in parallel. The IEEE 802.11r standard introduces, inter alia, a new 3-tier authentication and key management (AKM) architecture and two tiers of pairwise master keys (PMKs). Furthermore, mobility domain is typically a set of BSSs within the same ESS, each of which is identified by a mobility domain identifier. Fast BSS Transition (FT) can be supported between access points within a mobility domain, but is not specified between mobility domains according to the IEEE 802.11r standard. Also, an authenticator is split into two levels: a first level key holder, such as a PMK-R0 Key Holder (R0KH), and a second level key holder, such as a PMK-R1 Key Holder (R1KH).
Nevertheless, existing protocols supporting fast BSS transitions barely provide any effective and efficient ways of determining appropriate leveled security key holders during fast BSS transitions. Proper determination of leveled security key holders of first and/or second level security keys can reduce latency in completion of the fast BSS transition and provide better load balancing of clients among multiple wireless network devices (such as access points) within a mobility domain.