Ubiquitous Internet access at high speed and low cost has been a long-standing vision, attracting major efforts from both academia and industry. As shown in recent studies (e.g. the June 2006 bandwidth report published at websiteoptimization.com/bw/0606/ or “Wi-Fi Surpasses Ethernet for Home Networking” published at parksassociates.com/press/press releases/2005/gd12), indoor Internet connectivity is becoming pervasive in the U.S. as a result of the steady growth of broadband penetration into the home and the proliferation of 802.11-based wireless local area networks (WLANs) deployed in households and other popular indoor locations. On the other hand, outdoor coverage for broadband Internet access is seriously lagging behind, despite the explosion of wireless network technologies and deployments over the last decade.
One major challenge is to control the access of a mobile device to the Internet.
There are two predominant approaches currently in use to manage access to wireless networks: captive portals and LAN port authentication schemes. Captive portals are deployed in hotspots and in several open Wi-Fi projects. A captive portal is a firewall application that blocks all traffic from the client to the Internet until the user has authenticated through a custom web page (e.g. chillispot.org/, dev.wifidog.org/). Since captive portals are password-based, they require the user's cooperation. Moreover, captive portals provide no wireless encryption between a mobile device and an access point, and they suffer from long authentication delays when communicating with a central server.
An existing LAN port authentication scheme is shown in FIG. 1. FIG. 1 depicts an exemplary wireless local area network designated by reference number 60. The WLAN 60 connects an authentication server 40 and an access point 30 which operates as an authenticator to provide access to the Internet 50. The authentication server 40 can be implemented, for example, as a RADIUS (Remote Authentication Dial-In User Service) server or an MS Active Directory server when PKI-based EAP modes such as EAP-TLS and EAP-TTLS are employed. A mobile device 10 is located in the coverage area (wireless cell) 20 of the access point and tries to get access to the Internet 50. For example, WPA and the subsequent 802.11i standard are used, which are based on the IEEE 802.1X framework and the Extensible Authentication Protocol (EAP) and are well known to a person skilled in the art. The EAP scheme provides wireless encryption and supports a wide range of different authentication methods. A supplicant is implemented in the mobile device 10 and is the client-side access control entity. It associates with an authenticator located in the access point 30, which may be an Ethernet switch or a Wi-Fi access point. The supplicant is authenticated through a closed port on the access point 30 against the authentication server 40. If the authentication is successful, the authentication server 40 signals the authenticator to open the port and allow authorized traffic from the supplicant, e.g. access to other servers in the WLAN 60 or the Internet 50. Although the standardized EAP methods work well in enterprise networks, they are not designed for a global-scale Internet access infrastructure based on privately owned wireless Internet access points. These access points are, for example, installed in the Wi-Fi networks of private persons or small enterprises. The existing methods are not designed to scale to the size of such a global-scale Internet access infrastructure.
Designed for deployment in enterprise LANs with hundreds or perhaps thousands of clients, the authentication server would be seriously challenged by potentially millions of active clients.
In addition, the existing authentication schemes are designed for LAN authentication, so that all entities are deployed in the local enterprise network or even in the same LAN segment. A global-scale Internet access infrastructure acts as an overlay operator or an overlay wireless Internet Service Provider (ISP) that is collectively owned by its actual users. Network management systems currently used in enterprise access network deployments perform centralized authentication in connection with an authentication server. A centralized authentication, however, is vulnerable to general Internet outages and distributed DoS attacks. Such a network management system is described, for example, by L. Yang et al. in the article “Architecture taxonomy for control and provisioning of wireless access points (CAPWAP)”, IETF Request For Comments (RFC 4118), June 2005. The access points should be able to operate reliably and autonomously, even when access to network functions provided by a back-end management system is temporarily unavailable or inaccessible.
In the US patent application with publication number US 2006/0143458 A1, published Jun. 29, 2006, a method for secure access of mobile stations to a WLAN via certificate-based authentication is discussed. In the proposed method, a mobile terminal (MT) sends its certificate to the access point along with an authentication request message. The access point relays the mobile terminal certificate together with its own certificate to an authentication server. The authentication server authenticates the access point certificate and the mobile terminal certificate, and sends a certificate authentication response message carrying the authentication server's signature to the access point. The access point authenticates the authentication server signature and sends the certificate authentication response message to the mobile terminal as the access authentication response message. On receiving the response message, the mobile terminal authenticates the authentication server signature and obtains the result of the authentication of the access point certificate. This completes the authentication procedure between the mobile terminal and the access point.
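The following Go program is an added illustration of the three-hop exchange described above (mobile terminal, access point, authentication server, and back); it is not code from the cited application or from any product. It models certificates as a toy structure signed with Ed25519 by a single trust-anchor CA, and adds a nonce chosen by the terminal so that the terminal can also detect a replayed server response; the toy certificate format, the nonce and all names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is a toy stand-in for an X.509 certificate (constructed format, not a
// real encoding): subject, the subject's Ed25519 public key, CA signature.
type Cert struct {
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte
}

func (c Cert) tbs() []byte { return append([]byte(c.Subject+"|"), c.PubKey...) }

// Party is any certificate holder (mobile terminal, access point, auth server).
type Party struct {
	Cert Cert
	priv ed25519.PrivateKey
}

// CA issues certificates; its public key is every party's trust anchor.
type CA struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewCA() *CA {
	pub, priv := mustKey()
	return &CA{priv: priv, Pub: pub}
}

// Enroll generates a key pair for subject and issues a CA-signed certificate.
func (ca *CA) Enroll(subject string) *Party {
	pub, priv := mustKey()
	c := Cert{Subject: subject, PubKey: pub}
	c.CASig = ed25519.Sign(ca.priv, c.tbs())
	return &Party{Cert: c, priv: priv}
}

// VerifyCert checks that c carries a valid signature from the CA.
func VerifyCert(caPub ed25519.PublicKey, c Cert) bool {
	return len(c.PubKey) == ed25519.PublicKeySize && ed25519.Verify(caPub, c.tbs(), c.CASig)
}

// AuthResponse is the server's verdict on both certificates, bound to the
// terminal's nonce and signed by the server.
type AuthResponse struct {
	Nonce      []byte
	MTOK, APOK bool
	ASSig      []byte
}

func (r AuthResponse) tbs() []byte {
	return []byte(fmt.Sprintf("%x|%t|%t", r.Nonce, r.MTOK, r.APOK))
}

// ServerAuthenticate: the AS verifies both certificates against the CA and
// signs the result with its own key.
func ServerAuthenticate(as *Party, caPub ed25519.PublicKey, mtCert, apCert Cert, nonce []byte) AuthResponse {
	r := AuthResponse{Nonce: nonce, MTOK: VerifyCert(caPub, mtCert), APOK: VerifyCert(caPub, apCert)}
	r.ASSig = ed25519.Sign(as.priv, r.tbs())
	return r
}

// validResponse is the check both AP and MT perform on the server's reply:
// the AS certificate chains to the CA and the AS signature covers the verdict.
func validResponse(caPub ed25519.PublicKey, asCert Cert, r AuthResponse) bool {
	return VerifyCert(caPub, asCert) && ed25519.Verify(asCert.PubKey, r.tbs(), r.ASSig)
}

// Exchange runs MT -> AP -> AS -> AP -> MT and reports whether the AP grants
// the terminal access and whether the terminal accepts the AP.
func Exchange(caPub ed25519.PublicKey, mt, ap, as *Party) (apGrants, mtAccepts bool, err error) {
	// 1. MT sends its certificate with the authentication request. The nonce
	//    is an addition for replay protection, not part of the page's flow.
	nonce := make([]byte, 16)
	if _, err = rand.Read(nonce); err != nil {
		return false, false, err
	}
	// 2. AP relays the MT certificate together with its own certificate.
	resp := ServerAuthenticate(as, caPub, mt.Cert, ap.Cert, nonce)
	// 3. AP authenticates the AS signature before acting on the verdict.
	if !validResponse(caPub, as.Cert, resp) {
		return false, false, errors.New("AP: bad authentication server signature")
	}
	apGrants = resp.MTOK
	// 4. MT authenticates the AS signature and its nonce, then reads the AP verdict.
	if !validResponse(caPub, as.Cert, resp) || !bytes.Equal(resp.Nonce, nonce) {
		return apGrants, false, errors.New("MT: bad or replayed response")
	}
	return apGrants, resp.APOK, nil
}

func main() {
	ca := NewCA()
	fmt.Println(Exchange(ca.Pub, ca.Enroll("mt"), ca.Enroll("ap"), ca.Enroll("as"))) // true true <nil>
}
```

A certificate issued by a different CA (enroll a party from a second `NewCA()`) is rejected at whichever hop it appears: a rogue terminal is refused by the access point, a rogue access point is refused by the terminal, and a rogue authentication server fails the signature check at the access point. Note that every run still requires the round trip to the server, which is the property the surrounding text criticises.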
In the US patent application with publication number US 2005/0138351 A1, published Jun. 23, 2005, a method for server certificate verification is provided for certificate-based authentication using the Extensible Authentication Protocol (EAP). The method addresses the case in which it is not possible to access the Internet and, for example, use a Certificate Revocation List (CRL) to verify the server certificate online. The method involves a WLAN terminal sending a server certificate verification request to an authentication server AS, the AS verifying the server certificate by transmitting an Online Certificate Status Protocol (OCSP) message to an OCSP server and receiving the response, and thus ascertaining the result of the server certificate verification.
In the US patent application with publication number US 2006/0039305 A1, published Feb. 23, 2006, a method and system for EAP encapsulation exchange in a WLAN is discussed. The method allows authentication of an 802.11 client station without disrupting the access of clients that are already authenticated and communicating in the network. An access point in the proposed system is configured so that it does not change its service set identifier (SSID) to configure new clients. This enables previously configured clients to continue to access an extended service set (ESS) while a new client is being configured.
All of the above-mentioned approaches suffer from frequent message exchanges between an access point and a central authentication server located in the Internet or in a WLAN.
A method and mobile device system architecture for providing certificate-based cryptography for authenticating mobile devices is discussed in the US patent application with publication number WO 2005/065134 A2. The method involves transmission of certificate revocation information over a broadcast channel. The revocation information is received by the mobile device for verifying the validity of its certificate. This approach is, however, not directly deployable within an existing 802.11i framework.
Managed access control to the GIANT infrastructure (GIANT stands for global-scale Internet access infrastructure) is one of the most important design tasks for ensuring its operating health and organic growth. Existing LAN port authentication schemes, such as WPA and the subsequent 802.11i standard, are based on the IEEE 802.1X framework and the Extensible Authentication Protocol (EAP), as shown in FIG. 1. A supplicant, the entity in charge of access control contained in a mobile device 10, first authenticates against an authentication server 40, or a directory server when PKI-based EAP modes such as EAP-TLS and EAP-TTLS are employed, e.g. a RADIUS (Remote Authentication Dial-In User Service) or MS Active Directory server, through a closed port on the LAN access point, e.g. an Ethernet switch or a Wi-Fi access point. If the authentication is successful, the authentication server instructs the authenticator contained in the access point to open the port for other authorized network traffic, e.g. connections to other servers located in the LAN or the Internet. Although those authentication schemes, e.g. the various standardized EAP methods, work well in an enterprise network, they do not directly apply in GIANT, as illustrated in FIG. 2, for the following reasons. First, they do not scale to the size of GIANT. Designed for enterprise LANs with hundreds or even thousands of devices, the capacity of the authentication server will be seriously challenged in GIANT with millions of active devices and access points.
Second, the 802.1X framework and the existing EAP methods are designed for LAN port authentication. All entities, including the authentication server, directory server, access points, and devices, are usually deployed in the local enterprise network or even in the same LAN segment. No specific provisioning for high accessibility of the authentication server is necessary. In GIANT, the authentication servers may be located in the public Internet, far away from the clients and access points. Their accessibility is vulnerable to Internet outages. For example, BGP misconfigurations may disconnect access points in certain areas from the authentication server, and a successful DDoS attack against the authentication server can shut down the entire GIANT.
Third, the authentication process involves several rounds of communication between the client and an authentication server, which may lead to high and variable delay in GIANT because the authentication server is located beyond the local area network, in the Internet. In the case of packet loss, it is difficult to choose the timeout after which the authentication can be resumed. This is exactly the situation in GIANT when existing authentication methods defined in EAP, such as EAP-TLS, LEAP, and PEAP, are applied.
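The following Go program is an added example, not part of the application text or of any product, that models the 802.1X port control described for FIG. 1 and the two failure modes argued in the second and third reasons above: the controlled port stays closed while the authenticator relays EAP to a remote server, the supplicant's delay grows with the server round-trip time multiplied by the number of EAP round trips, and an unreachable server leaves the port closed after the retransmission timeouts expire. The server, its reachability flag, the round-trip and timeout parameters and the credential store are constructed for the demonstration; delays are accumulated arithmetically rather than slept.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Frame is a link-layer frame arriving at the authenticator's port.
type Frame struct {
	EAPOL   bool // EAP-over-LAN: the only traffic a closed port passes
	Payload string
}

// AuthServer models the back-end server (e.g. RADIUS) the access point
// relays EAP to. Reachable=false stands for an Internet outage or a DDoS.
type AuthServer struct {
	Reachable bool
	RTT       time.Duration     // AP-to-server round-trip delay
	Creds     map[string]string // constructed credential store for the demo
}

// Authenticator is the 802.1X entity in the access point: one controlled
// port per supplicant, closed until the server signals success.
type Authenticator struct {
	Server     *AuthServer
	RoundTrips int           // server round trips the EAP method needs
	Timeout    time.Duration // wait before retransmitting to the server
	Retries    int           // retransmissions before giving up
	authorized map[string]bool
}

var (
	ErrServerUnreachable = errors.New("authentication server unreachable; port stays closed")
	ErrBadCredentials    = errors.New("credentials rejected; port stays closed")
)

// Authenticate relays the EAP conversation to the server and returns the
// simulated delay the supplicant waited (no real sleeping is done).
func (a *Authenticator) Authenticate(user, secret string) (time.Duration, error) {
	if a.authorized == nil {
		a.authorized = map[string]bool{}
	}
	a.authorized[user] = false // any new attempt closes the controlled port
	var elapsed time.Duration
	for i := 0; i < a.RoundTrips; i++ {
		if !a.Server.Reachable {
			// the original send plus every retransmission waits a full timeout
			elapsed += time.Duration(a.Retries+1) * a.Timeout
			return elapsed, ErrServerUnreachable
		}
		elapsed += a.Server.RTT
	}
	want, ok := a.Server.Creds[user]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(secret)) != 1 {
		return elapsed, ErrBadCredentials
	}
	a.authorized[user] = true // server success: open the controlled port
	return elapsed, nil
}

// Forward applies the port rule: EAPOL always passes through the
// uncontrolled port; other frames pass only once the controlled port is open.
func (a *Authenticator) Forward(user string, f Frame) bool {
	return f.EAPOL || a.authorized[user]
}

func main() {
	creds := map[string]string{"alice": "s3cret"} // constructed sample data
	for _, s := range []struct {
		name string
		srv  *AuthServer
	}{
		{"LAN server", &AuthServer{Reachable: true, RTT: time.Millisecond, Creds: creds}},
		{"Internet server", &AuthServer{Reachable: true, RTT: 150 * time.Millisecond, Creds: creds}},
		{"server behind outage", &AuthServer{Reachable: false, Creds: creds}},
	} {
		ap := &Authenticator{Server: s.srv, RoundTrips: 8, Timeout: 2 * time.Second, Retries: 2}
		d, err := ap.Authenticate("alice", "s3cret")
		fmt.Printf("%-20s delay=%v err=%v data allowed=%v\n", s.name, d, err, ap.Forward("alice", Frame{Payload: "GET /"}))
	}
}
```

With eight EAP round trips (a typical order of magnitude for a TLS-based method) the same supplicant waits 8 ms against a LAN server and 1.2 s against a server 150 ms away; when the server is unreachable the attempt consumes three 2 s timeouts and the data port never opens, which is the behaviour the text attributes to BGP outages and DDoS against a central server.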
Finally, GIANT access points are owned by various entities. They may not trust or collaborate with each other when authenticating clients, unlike the scenario of an enterprise network where all access points are under the same administrative domain. This fact rules out all known fast re-authentication proposals for user mobility support (e.g. EAP-FAST, EAP-ER, USRK-EMSK), since they are usually based on handing off authentication credentials between neighboring access points. Frequent re-authentications with the central authentication server across the Internet seriously limit the performance of delay-sensitive applications such as the popular Skype VoIP.