IEEE 802.11i is used to ensure that a wireless local area network (WLAN) operating under IEEE 802.11 standards can communicate data securely by using a counter mode (CTR) with cipher-block chaining with a message authentication code (CBC-MAC) protocol (CCMP) encapsulation technique which, in turn, utilizes an advanced encryption standard (AES) algorithm. To achieve this goal, IEEE 802.11i provides two schemes that allow a pair of communicating nodes to derive keys that can be used to encrypt exchanged packets.
The first scheme is based on an IEEE 802.1x authentication technique that requires a remote authentication server, (e.g. a RADIUS server). In IEEE 802.1x, an access point (AP) acts as a router between a wireless transmit/receive unit (WTRU) desiring association with the AP and an authentication server. The authentication server provides a public key to the WTRU via the AP. The WTRU can verify this public key by checking it with a digital certificate provided by the authentication server. The WTRU then derives a random secret, (i.e., master secret), and sends the master secret to the authentication server by encrypting it with the public key provided. Thus, only the authentication server can decrypt the master secret using a corresponding private key. The authentication server and the WTRU use this master secret to derive a master key (MK). The authentication server and the WTRU then derive a pairwise master key (PMK) from the MK. The authentication server provides this PMK to the AP. The AP and the WTRU then derive a pairwise transient key (PTK) using the PMK. A portion of this PTK is a temporal key (TK) that is the actual key used in the CCMP technique for encrypting packets. Because this scheme uses remote authentication servers and digital certificates, (which are currently expensive), such a scheme is typically implemented in an enterprise WLAN.
The second scheme that is more suitable for home or small business networks utilizes a pre-shared key (PSK). In this scheme, a 256 bit user-configurable secret key is stored on the communicating nodes. When the WTRU wishes to associate with an AP, the WTRU uses the PSK as a PMK, (without deriving the master secret and the MK), and derives a PTK and uses a portion of the PTK as a TK just like in the IEEE 802.1x system.
There are at least two problems with the IEEE 802.11i system. First, the final TK is only as secure as the master secret exchanged in the case of IEEE 802.1x networks, or as the PSK in the case of home or small business networks. In the IEEE 802.1x system, an attacker can decrypt the master secret by stealing the authentication server's private key. In home networks, the PSK can either be deduced using a brute-force attack, (being that PSKs at home are not changed regularly or are generated from a “weak” pass-phrase), or by stealing the key. Knowing the master secret or the PSK allows the attacker to arrive at the identical value for the PMK, in the same manner as the two legitimate communicating nodes, and to thereafter derive an identical PTK value. Thus, knowledge of authentication credentials is sufficient for knowledge of derived encryption keys. Moreover, when keys are updated during a session the MK and the PMK are typically left untouched and only a new PTK is derived using the PMK, (which is supposed to be a secret), and information exchanged in the clear. As the PMK does not change, the PTK is not fresh and is therefore not a new key.
Furthermore, the key derivation procedure is very complex and it has many stages, (such as MK, PMK, PTK and TK). This consumes time and resources.
Keys can be thought of as bit sequences. A perfectly secret random key of length N bits is an N-bit sequence S, shared by entities. Given all the information available in the system at large, anyone else's estimation about what this key sequence can be is roughly equiprobably distributed over all possible 2N N-bit sequences.
Prior art crypto systems rely on the fact that it may be extremely difficult from a computational resource point of view to guess the crypto key. However, in most of these systems, once the correct guess is produced, it is very easy to verify that this is indeed the correct guess. In fact, the prior art implies that this is applicable to any public-key system, (i.e., one where the encryption key is made public, while the decryption key is kept secret).
By way of example, assume that p and q are two large prime numbers and s=pq, it is well known that the problem of factoring a product of two large prime numbers is extremely computationally difficult. If a party chooses p and q in secret and makes publicly available their product s, which is then used as an encryption key for an encryption system, it cannot be easily decrypted unless one knows p and q. An eavesdropper wishing to intercept an encrypted message would likely start by attempting to factor s, which is known to be computationally difficult. However, if the eavesdropper guesses p, it will quite easily verify that it has the right answer. The ability to know that the right answer was obtained with a guess differentiates computational secrecy from perfect secrecy. Perfect secrecy implies that even if the attacker guesses the key correctly, it will have no ability to determine that it has indeed done so.
It is therefore desirable to generate encryption by keys without the limitations of the prior art.