1. Field of Invention
The present invention relates to wireless networking, and more particularly, to an authentication and secure communication system for Wi-Fi (IEEE 802.11) networks.
2. Description of Related Art
A Wireless Local Area Network (WLAN) is generally implemented to provide local connectivity between a wired network and a mobile computing device. In a typical wireless network, all of the computing devices within the network broadcast their information to one another using radio frequency (RF) communications. WLANs are based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard, which designates a wireless-Ethernet specification using a variety of modulation techniques at frequencies generally in the 2.4 gigahertz (GHz) and 5 GHz license-free frequency bands.
The IEEE 802.11 standard (“Wi-Fi”), the disclosure of which is incorporated herein in its entirety by reference, enables wireless communications with throughput rates up to 54 Mbps. Wi-Fi (for “wireless fidelity”) is essentially a seal of approval certifying that a manufacturer's product is compliant with IEEE 802.11. For example, equipment carrying the “Wi-Fi” logo is certified to be interoperable with other Wi-Fi certified equipment. There are Wi-Fi compatible PC cards that operate in peer-to-peer mode, but Wi-Fi usually incorporates at least one access point, or edge device. Most access points have an integrated Ethernet controller to connect to an existing wired-Ethernet network. A Wi-Fi wireless transceiver connects users via the access point to the rest of the LAN. The majority of Wi-Fi wireless transceivers available are in Personal Computer Memory Card International Association (PCMCIA) card form, particularly for laptop, palmtop, and other portable computers; however, Wi-Fi transceivers can also be implemented through an Industry Standard Architecture (ISA) slot or Peripheral Component Interconnect (PCI) slot in a desktop computer, through a Universal Serial Bus (USB), or can be fully integrated within a handheld device.
FIG. 1 illustrates a typical conventional Wi-Fi network 100. Particularly, Wi-Fi network 100 comprises a number (N) of computing devices 110A-N and an access point 120. Each computing device 110 comprises a Wi-Fi transceiver (not shown) such as a Wi-Fi enabled network interface card (NIC) to communicate with the access point via an RF communications link 115. The access point 120 comprises a Wi-Fi transceiver (not shown) to communicate with a wired network via an RF communications link 125.
Authentication and security features offered by conventional Wi-Fi products have been implemented via Wired Equivalency Protocol (WEP). With WEP enabled, an access point will not admit anyone onto the LAN without the proper WEP settings. The WEP settings are used primarily for wireless security, but they also form the basis for authentication in that without these settings known to and used by the user, the user cannot connect through the access point.
The 802.11 standard defines different frame types that the Wi-Fi enabled NICs and access points employ for communications, as well as managing and controlling the wireless link. Every frame includes a control field that describes the 802.11 protocol version, frame type, and other network indicators, such as whether WEP is active, power management is enabled, etc. All frames contain MAC addresses of the source and destination station, and access point, in addition to a frame sequence number, a frame body, and a frame check sequence for error detection. Data frames carry protocols and data from higher layers within the frame body. For example, a data frame can comprise hypertext markup language (HTML) code from a Web page that a user is viewing. Other frames implemented for management and control carry specific information regarding the wireless link in the frame body. For example, an access point periodically sends a beacon frame to announce its presence and relay information, such as timestamp, service set identifier (SSID), and other parameters regarding the access point to the NICs that are within range.
The SSID is a 32-character unique identifier that acts as a password when a mobile device tries to connect to the network. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the network unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network. An SSID is also referred to as a network name, or network ID, because essentially it is a name that identifies a wireless network.
The number of publicly available wireless 802.11 networks is rapidly increasing. Each network is “Wi-Fi compatible” and, following the specification, identifies itself using the beacon frame, which broadcasts the SSID to all potential users of the network. Typically, an access point broadcasts a beacon frame every 10 ms. When a user is in the broadcast range of one or more Wi-Fi networks, the user's wireless NIC listens for the beacon frame(s) associated with each network. A list of all SSIDs currently available is displayed to the user, from which the user makes a choice. Typically, there is only one network with which the user can connect. Once a particular available Wi-Fi network is selected, the user must ensure that all of his Wi-Fi communication settings, e.g., SSID, WEP on or off, WEP keys, etc., are properly configured to connect to the selected Wi-Fi network. Use of beacon frames to identify a network is known as “passive mode.” An alternative method of seeking wireless networks is known as “active mode,” whereby the NIC issues a “probe request” to cause all the listening access points within range to respond with an identifying frame containing their SSID. Both modes are explicitly defined in the 802.11 specification.
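The frame layout described above (frame control field, source/destination/access-point addresses, sequence number, frame body and frame check sequence, with the beacon body carrying timestamp, beacon interval and SSID) can be made concrete with a small parser. The following is an added example, not code from the patent; it constructs its own sample frames, and the MAC addresses and SSIDs in it are made-up values. It parses the three management subtypes involved in network discovery (beacon for passive mode, probe request and probe response for active mode), verifies the CRC-32 frame check sequence, and reads the Privacy bit of the capability field to tell an open network from one requiring WEP. It also shows, in `discover`, why the SSID offers no confidentiality: it is recovered from the plaintext frame body without any key.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# 802.11 management-frame subtypes used for network discovery
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8
TAG_SSID = 0  # information-element tag number of the SSID element

# Constructed sample addresses (not real devices)
AP_COFFEE = bytes.fromhex("001122334455")
AP_OFFICE = bytes.fromhex("66778899aabb")
CLIENT = bytes.fromhex("ccddeeff0011")


@dataclass
class MgmtFrame:
    subtype: int
    protected: bool            # Frame Control bit 14: frame body encrypted (WEP)
    power_mgmt: bool           # Frame Control bit 12: station entering power save
    seq_num: int               # upper 12 bits of Sequence Control
    da: str
    sa: str
    bssid: str
    ssid: Optional[str]
    beacon_interval_tu: Optional[int] = None  # time units of 1024 us; beacons/probe responses only
    privacy: Optional[bool] = None            # Capability bit 4: WEP required to associate
    fcs_ok: bool = True


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _parse_ies(body: bytes) -> dict:
    """Walk tag/length/value information elements; stop at a truncated one."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        data = body[i + 2 : i + 2 + length]
        if len(data) < length:
            break
        ies[tag] = data
        i += 2 + length
    return ies


def parse_mgmt_frame(raw: bytes) -> MgmtFrame:
    """Parse a beacon, probe request or probe response, including its trailing FCS."""
    if len(raw) < 24 + 4:
        raise ValueError("frame too short for an 802.11 MAC header plus FCS")
    body, fcs = raw[:-4], raw[-4:]
    # The FCS is CRC-32 over the header and body, transmitted little-endian.
    fcs_ok = struct.unpack("<I", fcs)[0] == zlib.crc32(body)
    fc, _duration = struct.unpack_from("<HH", body, 0)
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if version != 0 or ftype != 0:
        raise ValueError("not a version-0 management frame")
    a1, a2, a3 = body[4:10], body[10:16], body[16:22]
    seq_num = struct.unpack_from("<H", body, 22)[0] >> 4
    payload = body[24:]
    beacon_interval = privacy = None
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        # Fixed fields: timestamp (8), beacon interval (2), capability info (2)
        _timestamp, beacon_interval, cap = struct.unpack_from("<QHH", payload, 0)
        privacy = bool(cap & (1 << 4))
        payload = payload[12:]
    elif subtype != SUBTYPE_PROBE_REQ:
        raise ValueError(f"unsupported management subtype {subtype}")
    ies = _parse_ies(payload)
    ssid = ies[TAG_SSID].decode("utf-8", "replace") if TAG_SSID in ies else None
    return MgmtFrame(subtype, bool(fc & (1 << 14)), bool(fc & (1 << 12)), seq_num,
                     _mac(a1), _mac(a2), _mac(a3), ssid, beacon_interval, privacy, fcs_ok)


def build_mgmt_frame(subtype: int, sa: bytes, bssid: bytes, ssid: str,
                     privacy: bool = False, interval: int = 100, seq: int = 0) -> bytes:
    """Construct a sample frame (used here only to produce test input)."""
    fc = subtype << 4  # protocol version 0, type 0 (management)
    header = struct.pack("<HH", fc, 0) + b"\xff" * 6 + sa + bssid + struct.pack("<H", seq << 4)
    body = b""
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        cap = 0x0001 | (0x0010 if privacy else 0)  # ESS bit, plus Privacy when WEP is on
        body += struct.pack("<QHH", 0, interval, cap)
    body += bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    frame = header + body
    return frame + struct.pack("<I", zlib.crc32(frame))


def discover(frames) -> dict:
    """Build the network list a station shows the user, as in passive/active scanning.
    Beacons and probe responses announce a network; probe requests come from
    stations and are ignored; frames failing the FCS are dropped as corrupted."""
    networks = {}
    for raw in frames:
        try:
            f = parse_mgmt_frame(raw)
        except ValueError:
            continue
        if not f.fcs_ok or f.subtype == SUBTYPE_PROBE_REQ:
            continue
        networks[f.bssid] = {"ssid": f.ssid,
                             "security": "WEP" if f.privacy else "open",
                             "via": "beacon" if f.subtype == SUBTYPE_BEACON else "probe-response"}
    return networks


# Constructed capture: one open coffee-shop beacon, one WEP office probe response,
# the client's probe request, and a beacon with a single flipped body byte.
SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_BEACON, AP_COFFEE, AP_COFFEE, "CoffeeShop", seq=7),
    build_mgmt_frame(SUBTYPE_PROBE_RESP, AP_OFFICE, AP_OFFICE, "OfficeNet", privacy=True),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, CLIENT, b"\xff" * 6, "OfficeNet"),
]
_corrupt = bytearray(SAMPLE_FRAMES[0])
_corrupt[-5] ^= 0x01  # last SSID byte, so the FCS no longer matches
SAMPLE_FRAMES.append(bytes(_corrupt))

if __name__ == "__main__":
    for bssid, info in discover(SAMPLE_FRAMES).items():
        print(bssid, info)
```

Running the module prints two entries: the coffee-shop network as open via its beacon and the office network as WEP via its probe response; the corrupted copy of the beacon is discarded by the FCS check, and the client's probe request never appears in the list because only access-point frames announce a network.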
As the user moves from network to network, for instance from his office network to a public network at a coffee shop, the user must switch his Wi-Fi setting as appropriate for the local network. Generally, this requires advanced knowledge of the settings for the new network. MICROSOFT WINDOWS® operating systems facilitate the storage of these settings as a “location,” thereby enabling the user to simply point-and-click to select the new network. However, the user still must manually install these parameters for the new network during initial setup.
As the number of networks proliferates, the number of network configurations will become daunting. Moreover, each network authenticates the user in some fashion. Some networks are left in “wide-open” mode where only a proper SSID selected is necessary to connect, but most others require passwords, WEP keys, etc.
Of further difficulty for a host facility of a Wi-Fi network such as an airport, generally there can only be one Wi-Fi network hosted per location. This is because Wi-Fi networks are shared-use networks. That is, Wi-Fi networks are unlicensed and hence there is no protection against interference from an additional network being installed at the same location. Once the first network is installed, say a WAYPORT® network, which provides travelers with wireless Internet access, no other network can be installed without interference resulting from the second network. The host facility generally prefers that all potential customers have access to the wireless network, not just WAYPORT customers. However, a WAYPORT network only admits WAYPORT customers. Therefore, the issue becomes how to allow a private network to admit customers of other networks so that they can utilize the private network.
Companies like BOINGO™ offer a service whereby users can roam across multiple networks without necessarily being a customer of any particular network. BOINGO employs a ‘sniffer’ program which listens to the beacon frames and looks for a match in its database of known network configurations. When a match is found, the BOINGO software will automatically make the appropriate configuration changes for that network and allow the user to connect. Once connection is attempted, the user appears to the network as a BOINGO customer and the user's credentials are passed on to an authentication server for the network. On recognition of the user's name at the authentication server, for example, access is then granted or denied. If the BOINGO customer is not really a customer of the present network, the authentication server forwards the user's credentials to a BOINGO authentication server, which performs the authentication service and, if valid, passes the ‘grant’ command back to the original network authentication server. One problem with this approach is that as the number of ‘network affiliates’ grows for BOINGO, each network's configuration must be stored in a database. Accordingly, information in this database must be downloaded to each user. This becomes difficult to manage as the number of users and networks increases.
“Hot-Spots,” as Wi-Fi networks are known in the public space, allow users portable, high-speed access to networks. Current Hot-Spot networks are designed such that only their authorized users can access their network. The configuration of each network includes numerous parameters, particularly if security such as WEP is enabled. As Hot-Spot networks are typically unlicensed and must share the spectrum with other users, the existence of a network generally precludes the construction of a second network for other users at the same location. The authentication mechanism for one network can be entirely different from that of another network. Each network may further have different settings for security.