1. The Field of the Invention
The invention generally relates to establishing secure communications in a wireless network. More specifically, the invention relates to authenticating clients in a wireless network.
2. Description of the Related Art
Much of the functionality of modern-day computers is realized by connecting the computers in networks. Networks interconnect computers and allow data to be shared between them quickly and efficiently.
Businesses and corporations that implement computer networks often implement hard wired Ethernet networks as part of the construction of new buildings or during the build-out of rented business space. Home users that desire to implement networks are faced with expensive retrofitting if they wish to implement a hard wired Ethernet network. One way to avoid retrofitting a wired network is to use a wireless network. Wireless networks send and receive signals using radio frequencies. Wireless networks are also widely used in business settings for users with laptops, PDAs and other portable devices. Wireless networks allow users to remain connected to a network while roaming in different areas of the business.
One challenge that arises with the use of wireless networks is maintaining the security and integrity of data. For example, data that is transmitted over the airwaves may be intercepted by unauthorized users with equipment that "sniffs" for wireless communications. In this way, data transmitted over the airwaves can be obtained by individuals other than those to whom the data was intended to be transmitted. At a minimum such eavesdropping invades privacy, and in worse cases it can result in the loss of sensitive information such as credit card numbers, passwords, confidential data and the like.
A further problem arises when an unauthorized user obtains sufficient information to add a computer as part of the network. Such a user may be able to access, delete and modify data on other computers in the network. In extreme cases, the unauthorized user may be able to commandeer other computers on the network for sending spam or launching attacks on other computers.
To combat the interception of data on wireless networks, various security schemes have been implemented. One of these schemes relies on data encryption. Data encryption scrambles the data that is sent across the network. Both the sender and receiver of data hold an encryption key that determines how the data is scrambled and descrambled. One common data encryption scheme used in wireless networks is Wired Equivalent Privacy (WEP). WEP relies on a single static key that the users select in common. This key is distributed out of band, by word of mouth, as a written communication, by email, and other such methods, and every user on the network must use the same WEP key.
One problem that arises with the use of WEP keys is the ease with which WEP can be cracked. Using common sniffing tools, a rogue user can passively monitor the network traffic. When a sufficient amount of network traffic has been captured, the WEP key can be deduced. One way to combat this sort of eavesdropping is to periodically change the WEP key. The interval between key changes should be shorter than the amount of time it takes to crack a WEP key. One challenge is that some sniffing tools can crack a WEP key within hours or minutes. Thus, using only WEP, manual changes would need to be made to each client on the network at very short intervals. Because such a task is difficult and time consuming, networks implementing WEP typically never change the WEP key, leaving the network vulnerable to eavesdroppers.
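The paragraph above states that enough captured traffic lets an attacker deduce the WEP key. The weakness underneath that statement is structural: WEP seeds RC4 with a 24-bit per-frame IV prepended to the static shared key, the IV is sent in the clear, and once an IV repeats under the same key two frames share a keystream. The following is an added example, not part of the original application, that implements RC4 and a WEP-style encrypt step, shows what an eavesdropper learns from one IV collision, and computes how often a static key would have to be rotated to avoid any IV reuse at a given frame rate. It demonstrates keystream reuse, not the full statistical key-recovery attack; the key, IV and frame contents are constructed test values.

```python
import math

IV_BITS = 24  # WEP prepends a 24-bit per-frame IV to the static shared key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame encryption: RC4 seeded with IV || shared key.

    The IV travels in the clear with the frame, so the attacker always
    knows which frames were encrypted under the same RC4 seed.
    Decryption is the same operation (XOR with the same keystream).
    """
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def xor_of_plaintexts_from_reused_iv(c1: bytes, c2: bytes) -> bytes:
    """Two frames under the same key and IV share a keystream, so c1 ^ c2 == p1 ^ p2.

    The attacker gets this without knowing the key at all.
    """
    return xor_bytes(c1, c2)


def recover_second_plaintext(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """If one plaintext is known (e.g. a predictable protocol header), the
    keystream for that IV is c1 ^ p1, and every other frame with that IV
    falls with it."""
    keystream = xor_bytes(c1, known_p1)
    return xor_bytes(c2, keystream)


def expected_frames_until_iv_repeat(iv_bits: int = IV_BITS) -> float:
    """Birthday bound: with randomly chosen IVs a repeat is expected after
    roughly sqrt(pi/2 * 2^n) frames, far fewer than 2^n."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def rekey_interval_seconds(frames_per_second: float, iv_bits: int = IV_BITS) -> float:
    """Longest a static key can be used before a sequential IV counter wraps
    and reuse becomes certain; the manual re-keying the text describes would
    have to happen at least this often."""
    return 2 ** iv_bits / frames_per_second


if __name__ == "__main__":
    # Constructed demo values (not from any real capture).
    key = bytes.fromhex("0102030405")
    iv = bytes.fromhex("aabbcc")
    p1 = b"GET /index.html HTTP/1.0"
    p2 = b"POST /login pw=hunter2!"
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    print("p1 ^ p2 leaked :", xor_of_plaintexts_from_reused_iv(c1, c2).hex())
    print("p2 recovered   :", recover_second_plaintext(c1, p1, c2))
    print("frames to repeat (random IVs):", int(expected_frames_until_iv_repeat()))
    print("seconds until IV wrap at 1000 fps:", rekey_interval_seconds(1000))
```

The RC4 core is checked against the published "Key" test vector so the keystream, not just the XOR arithmetic, is correct. The numbers explain why the re-keying interval the text calls for is impractical by hand: at a thousand frames per second a counter IV wraps in under five hours, and random IVs collide after only a few thousand frames.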
Networks can be divided into client/server networks and peer to peer networks. Clients on wireless client/server networks are often referred to as operating in infrastructure mode. Wireless client/server networks have a central access point that acts as a central hub for clients on the wireless client/server network. Clients on wireless peer to peer networks are often referred to as operating in Ad Hoc mode. Ad Hoc clients communicate directly with each other.
Client/server networks can implement a protocol that allows encryption keys to be re-keyed dynamically. This protocol is the Extensible Authentication Protocol (EAP), an authentication framework in which an authentication server authenticates a client using passwords and various other authentication techniques. Once the client has been authenticated, the server can transmit, and direct the client to use, a new encryption key, so the key no longer has to be shared by every user on the network or distributed by hand.
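To make the contrast with a static shared WEP key concrete, the following is an added example, not part of the original application and not EAP's actual message format, of the pattern the paragraph above describes: a server authenticates a client with a password-based challenge-response, then delivers a fresh per-session encryption key that the client unwraps. The `AuthServer`, `Client`, `prf` and `wrap_key` names, the HMAC-SHA256 PRF and the XOR-mask key wrap are all assumptions chosen for a self-contained illustration (a production system would use a standard key-wrap or a derived key rather than an XOR mask); the user name and password are constructed test values.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 used as the PRF for responses, key derivation and wrapping."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(kek: bytes, wrap_nonce: bytes, key: bytes) -> bytes:
    """Toy key wrap: XOR with a one-time mask derived from the KEK and a nonce.
    Unwrapping is the same operation. Assumed for illustration only."""
    return xor_bytes(key, prf(kek, b"wrap", wrap_nonce)[: len(key)])


class AuthServer:
    """Holds each user's password; hands out a fresh key after each successful
    authentication. `installed_keys` exists so a test can compare both sides."""

    def __init__(self, credentials: dict):
        self._credentials = dict(credentials)
        self._pending = {}       # user -> outstanding challenge nonce
        self.installed_keys = {}  # user -> key the server expects them to use

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[user] = nonce  # a new challenge invalidates the old one
        return nonce

    def verify_and_rekey(self, user: str, response: bytes):
        nonce = self._pending.pop(user, None)  # each challenge is single-use
        password = self._credentials.get(user)
        if nonce is None or password is None:
            return None
        expected = prf(password.encode(), b"auth", nonce)
        if not hmac.compare_digest(expected, response):
            return None  # wrong password, or a replayed response to an old nonce
        kek = prf(password.encode(), b"kek", nonce)[:16]  # per-session, never the password
        group_key = os.urandom(16)  # the "new encryption key" the text refers to
        wrap_nonce = os.urandom(16)
        self.installed_keys[user] = group_key
        return wrap_nonce, wrap_key(kek, wrap_nonce, group_key)


class Client:
    def __init__(self, user: str, password: str):
        self.user = user
        self._password = password.encode()
        self._nonce = None

    def respond(self, nonce: bytes) -> bytes:
        self._nonce = nonce
        return prf(self._password, b"auth", nonce)

    def install_key(self, wrap_nonce: bytes, wrapped: bytes) -> bytes:
        kek = prf(self._password, b"kek", self._nonce)[:16]
        return wrap_key(kek, wrap_nonce, wrapped)  # XOR mask unwraps too


def run_session(server: AuthServer, client: Client):
    """Full exchange: challenge -> response -> (wrap_nonce, wrapped key) -> install.
    Returns the key now installed on the client, or None if authentication failed."""
    nonce = server.challenge(client.user)
    result = server.verify_and_rekey(client.user, client.respond(nonce))
    if result is None:
        return None
    return client.install_key(*result)


if __name__ == "__main__":
    server = AuthServer({"alice": "correct horse battery staple"})  # constructed
    alice = Client("alice", "correct horse battery staple")
    print("session 1 key:", run_session(server, alice).hex())
    print("session 2 key:", run_session(server, alice).hex())  # differs every time
    print("wrong password:", run_session(server, Client("alice", "guess")))
```

The properties worth noticing are the ones a static WEP key lacks: the key in use changes on every authentication, a captured response cannot be replayed against a later challenge, and the secret that authenticates the user is never itself used as the traffic key.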
Ad Hoc networks and infrastructure networks with multiple access points do not allow for this dynamic authentication and re-keying. Users of Ad Hoc networks and infrastructure networks with multiple access points are therefore relegated to less secure communication methods, such as a static, manually distributed WEP key.