A wireless mesh network is a meshed network that is implemented for example in a wireless local area network (WLAN). In a mesh network, a mobile node can forward data originating from another mobile node to a further mobile node or to a base station. Long distances can be spanned in a mesh network, in particular in uneven or difficult terrain. Furthermore, mesh networks operate very reliably, since every mobile node is connected to a number of other nodes. If one node fails, due to a hardware fault for example, its neighboring nodes look for an alternate data transmission route. Mesh networks can also include fixed (stationary) or mobile devices.
FIG. 1 shows a mesh network according to the prior art in schematic form. The nodes comprise dedicated mesh nodes (MN) which belong to the infrastructure of the network. Said dedicated mesh nodes can be a fixed base station BS or a mobile station MS. In addition to the dedicated mesh nodes, the mesh network also includes mobile terminal devices or, as the case may be, mobile nodes of users. The mobile nodes can communicate directly with other mobile nodes and directly or indirectly exchange data via further nodes with a base station BS that is connected to a gateway GW of a data network. In this case data packets DP are forwarded from one device or node to the next device until the destination device or gateway GW is reached, the data packets DP being forwarded by means of dynamic routing. In this case the routes over which the data packets DP are transferred are calculated dynamically based on the availability of the nodes and based on the network utilization. In general, mesh networks are characterized by a high level of network coverage, high reliability and economical use of available resources. In wireless mesh networks, the wireless transmission link is traditionally implemented by means of a WLAN (Wireless Local Area Network) transmission link. In contrast to a wireless personal area network (WPAN), WLAN networks have greater transmit powers and ranges and offer higher data transfer rates.
In order to authenticate nodes or computers, use is made of what is termed the Extensible Authentication Protocol (EAP), which is known for example from IEEE 802.1X-2004: “IEEE standard for local and metropolitan area networks—Port-based network access control”, ISBN 0-7381-4528-8, Dec. 13, 2004, pp. 37-40. FIG. 2 shows a signal diagram to illustrate an authentication process in a conventional WLAN network. In the case of WLANs, the EAP protocol is used for safeguarding access to the network. A wide variety of actual authentication procedures, known as EAP methods, can be transported via the EAP protocol, e.g. EAP-TLS, EAP-AKA, PEAP-MSCHAPv2. During the authentication a cryptographic key or session key MSK, EMSK (MSK: Master Session Key; EMSK: Extended Master Session Key) is determined which is subsequently used to protect the data communication, for example in the case of link layer encryption. The authentication of a subscriber takes place between the subscriber (supplicant) and an authentication server (AAA server). Upon successful authentication, the authentication server sends the result of the authentication and the session key MSK originating from the authentication to the authenticator, a WLAN access point AP for example. The communication between the access node or access point AP and the authentication server usually takes place by way of the RADIUS or Diameter data transmission protocol, the session key MSK being sent as a data attribute to the access node AP as part of an EAP success message. The transmitted session key MSK is subsequently used in an IEEE 802.11 4-way handshake (4WHS) between the supplicant and the access node, conforming to the IEEE 802.11 standard.
In a conventional network, the access node AP is a trusted node, i.e. a node belonging to the network infrastructure. The access node in a conventional network is therefore not an end user node.
FIG. 3 shows the authentication of two nodes MP-A, MP-B in a conventional WLAN network. The two nodes MP-A, MP-B can be, for example, two mesh nodes of a mesh network. In order to set up a data connection between the two nodes MP-A, MP-B, the end node MP-A (as supplicant) first authenticates itself with the associated authentication server AS by means of the EAP data transmission protocol. The node MP-B (authenticator) receives a session key MSK1 in an EAP success message. The node MP-B then performs a 4-way handshake with the node MP-A and in the process uses the received session key MSK1. The node MP-B (now as supplicant) then performs an authentication at the associated authentication server AS, and MP-A (now as authenticator) receives a second session key MSK2 in an EAP success message. The node MP-A then performs a 4-way handshake with the node MP-B using the second session key MSK2. Instead of being performed sequentially, the two authentications can also be interleaved or nested one inside the other.
The further communication between the two nodes MP-A, MP-B can be protected by means of one of the two session keys MSK1, MSK2.
A disadvantage of the prior art approach illustrated in FIG. 3 is that the nodes MP-A, MP-B may be mesh nodes which are not part of the network access infrastructure and consequently are vulnerable to manipulation. Since a mesh node communicates with neighboring mesh nodes, multiple authentications of a mesh node are necessary. This leads to a high load being imposed on the authentication server and a high signaling overhead for the transmission of authentication messages to the authentication server in the infrastructure network.
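The procedure of FIG. 3 and the signaling cost noted above, as a constructed simulation added here (it is not code from the patent or from any IEEE standard): a toy AAA server runs a challenge/response stand-in for an EAP method and hands out a 64-byte MSK in the EAP success, the authenticator takes the first 256 bits of that MSK as PMK, as IEEE 802.11i does, and runs a 4-way handshake with the supplicant; the two mesh nodes then swap roles so that MSK1 and MSK2 exist. The PRF used for the pairwise key expansion is an HMAC-SHA256 simplification, not the PRF-384 of the standard, and all identities and secrets are made up. The last function counts how many server authentications a fully meshed set of nodes triggers under this scheme.

```python
"""Two-node mesh authentication (FIG. 3) as a constructed simulation:
EAP run through the neighbour, MSK in the EAP success, 4-way handshake,
then the same with roles swapped.  Not the patent's own code."""
import hashlib
import hmac
import secrets


class AuthServer:
    """Toy AAA server with one long-term secret per node identity.
    The challenge/response is a constructed stand-in for an EAP method."""

    def __init__(self, node_secrets):
        self.node_secrets = node_secrets
        self.auth_count = 0  # EAP authentications handled (load on the AS)

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, identity, chal, response):
        """Return the MSK (as carried in the EAP success) or None on failure."""
        self.auth_count += 1
        key = self.node_secrets[identity]
        if not hmac.compare_digest(eap_respond(key, chal), response):
            return None
        return msk_from_secret(key, chal)


def eap_respond(secret, chal):
    # supplicant side of the constructed EAP method
    return hmac.new(secret, b"eap-resp" + chal, hashlib.sha256).digest()


def msk_from_secret(secret, chal):
    # both supplicant and AS derive the 64-byte MSK from the EAP run
    return hmac.new(secret, b"msk" + chal, hashlib.sha512).digest()


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = KCK(16) || KEK(16) || TK(16); HMAC-SHA256 stands in for the
    standard's PRF-384, the input ordering follows 802.11i."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(2):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha256).digest()
    return out[:48]


def mic(kck, msg):
    return hmac.new(kck, msg, hashlib.sha256).digest()[:16]


def four_way_handshake(pmk_auth, pmk_supp, aa, spa):
    """Messages 1-4 between authenticator (address aa) and supplicant (spa).
    Returns the agreed PTK, or None if the two PMKs do not match."""
    anonce = secrets.token_bytes(32)                 # msg 1: ANonce, unprotected
    snonce = secrets.token_bytes(32)
    ptk_s = derive_ptk(pmk_supp, aa, spa, anonce, snonce)
    msg2 = snonce
    mic2 = mic(ptk_s[:16], msg2)                     # msg 2: SNonce + MIC
    ptk_a = derive_ptk(pmk_auth, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic(ptk_a[:16], msg2), mic2):
        return None                                  # supplicant holds another PMK
    msg3 = anonce + b"install"
    mic3 = mic(ptk_a[:16], msg3)                     # msg 3: ANonce again + MIC
    if not hmac.compare_digest(mic(ptk_s[:16], msg3), mic3):
        return None
    return ptk_a                                     # msg 4 acknowledges; keys installed


def authenticate_link(server, supplicant, supp_secret, authenticator):
    """One EAP run (supplicant via authenticator to the AS) plus the 4WHS."""
    chal = server.challenge()
    msk = server.verify(supplicant, chal, eap_respond(supp_secret, chal))
    if msk is None:
        return None
    pmk_auth = msk[:32]                              # PMK = first 256 bits of MSK
    pmk_supp = msk_from_secret(supp_secret, chal)[:32]
    return four_way_handshake(pmk_auth, pmk_supp, authenticator, supplicant)


def setup_mesh_link(server, node_a, secret_a, node_b, secret_b):
    """FIG. 3: A authenticates via B (MSK1), then B via A (MSK2)."""
    ptk1 = authenticate_link(server, node_a, secret_a, node_b)
    ptk2 = authenticate_link(server, node_b, secret_b, node_a)
    return ptk1, ptk2


def count_mesh_authentications(n_nodes):
    """AS authentications for a fully meshed set of n nodes: two per link."""
    nodes = {b"MP-%d" % i: b"secret-%d" % i for i in range(n_nodes)}
    server = AuthServer(nodes)
    ids = list(nodes)
    for i in range(len(ids)):
        for j in range(i + 1, len(ids)):
            setup_mesh_link(server, ids[i], nodes[ids[i]], ids[j], nodes[ids[j]])
    return server.auth_count
```

With three fully meshed nodes the server sees six authentications, and in general n(n-1) for n nodes, which is the signaling load the text objects to; a node whose secret is unknown to the server, or two parties holding different PMKs, never reach an installed PTK.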
An enhancement of the EAP authentication method for the IEEE 802.11 standard is known from IEEE 802.11i-2004: “IEEE standard for local and metropolitan area networks—Wireless LAN Medium Access Control—Security Enhancements”, ISBN 0-7381-4073-2, Jul. 23, 2004, pp. 13-15, 19-20.
A WLAN mesh network is known, for example, from Faccin, S. M. et al: “Mesh WLAN networks: concept and system design”, Wireless Communications, IEEE, Volume 13, Issue 2, April 2006, pp. 10-17, wherein the network elements mutually authenticate one another.
An extension of the authentication method known from IEEE 802.11 can be found in Jyh-Cheng, C. et al: “Wireless LAN security and IEEE 802.11i.” Wireless Communications, IEEE, Volume 12, Issue 1, February 2005, pp. 27-36, while an extension of the authentication method known from IEEE 802.16 is described in Fan, Y. et al: “An improved security scheme in WMAN based on IEEE standard 802.16”, Proceedings, International Conference on Wireless Communications, Networking and Mobile Computing, Volume 2, Sep. 23-26, 2005, pp. 1191-1194.
US 2005/0152305 A1 discloses an authentication method in a WLAN network using an EAP proxy.