An evolving family of standards is being developed by the Institute of Electrical and Electronic Engineers (IEEE) to define parameters of a point-to-multipoint wireless, packet-switched communications system. In particular, the 802.16 family of standards (e.g., the IEEE std. 802.16-2004 (published Sep. 18, 2004)) may provide for fixed, portable, and/or mobile broadband wireless access networks. Additional information regarding the IEEE 802.16 standard may be found in IEEE Standard for Local and Metropolitan Area Networks—Part 16: Air Interface for Fixed Broadband Wireless Access Systems (published Oct. 1, 2004). See also IEEE 802.16E-2005, IEEE Standard for Local and Metropolitan Area Networks—Part 16: Air Interface for Fixed and Mobile Broadband Wireless Access Systems—Amendment for Physical and Medium Access Control Layers for Combined Fixed and Mobile Operation in Licensed Bands (published Feb. 28, 2006). Further, the Worldwide Interoperability for Microwave Access (WiMAX) Forum facilitates the deployment of broadband wireless networks based on the IEEE 802.16 standards. For convenience, the terms “802.16” and “WiMAX” may be used interchangeably throughout this disclosure to refer to the IEEE 802.16 suite of air interface standards.
WiMax technology may support a high-speed seamless handoff of a mobile station (MS) from a source base station (BS) to a target BS while maintaining subscriber and network security. Security mechanisms may include an automatic key derivation in which an authentication key (AK) for the target BS is derived by both the MS and by the target BS prior to a handoff, while the MS remains connected to the source BS. This may avoid a lengthy and time-consuming authentication, authorization, and accounting (AAA) session at the handoff. A seamless, low-latency handoff may result.
The process of deriving the AK automatically at both the target BS and at the MS from a parent key (e.g., from a pairwise master key, or “PMK”) may create a fresh context associated with the derived AK (e.g., an AK context). Protocol rules may establish that the AK context may be derived only once per BS and PMK, and that the single AK context may be used until the PMK expires. If an AK context was created more than once for a given AK, a replay attack security hole may be created.
In accordance with WiMAX standards and/or protocols, AKs and AK contexts may be cached until the corresponding PMK becomes invalid. In one example, a PMK may be valid for several days in some networks. An AK context may comprise a 32-bit uplink packet number (PN) and a 32-bit downlink PN. The size of an AK cache may grow quite large because it may contain AKs and AK contexts belonging to MSs currently active in the network and to MSs that have left the network but continue to maintain valid PMKs. These potentially large caching requirements may lead to a large memory requirement in the BS and to costs associated therewith. Similarly, an MS needs to cache AKs and AK contexts for BSs that it has visited previously and for which it continues to maintain a valid PMK. The memory requirement is also increased for an MS because the MS may visit many BSs during a PMK's lifetime.