(12) United States Patent
Kokudo

(10) Patent No.: US 7,039,021 B1
(45) Date of Patent: May 2, 2006

(54) AUTHENTICATION METHOD AND APPARATUS FOR A WIRELESS LAN SYSTEM

(75) Inventor: Junichi Kokudo, Tokyo (JP)

(73) Assignee: NEC Corporation, Tokyo (JP)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 615 days.

(21) Appl. No.: 09/680,258

(22) Filed: Oct. 5, 2000

(30) Foreign Application Priority Data
Oct. 5, 1999 (JP) ................................. 11-284231

(51) Int. Cl.
H04B 7/00 (2006.01)

(52) U.S. Cl. ....................................... [illegible]

(58) Field of Classification Search ................ 370/310, 370/338, 349, 389, 469, 475, 522; 379/91.01, 379/93.02, 93.03, 142.05, 142.06; 713/150, 713/151, 152, 153, 155, 158, 168; 380/247, 380/248, 249, 277, 278; 455/431.1, 411, 455/410, 432; 340/825.34
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
5,586,260 A    12/1996  Hu ........................ 713/201
5,673,318 A     9/1997  Bellare et al. ........... 713/170
5,796,727 A *   8/1998  Harrison et al. .......... 370/338
6,052,785 A     4/2000  Lin et al. ............... 713/201
6,148,405 A *  11/2000  Liao et al. .............. 713/201
6,272,148 B1 *  8/2001  Takagi et al. ............ 370/469
6,307,837 B1 * 10/2001  Ichikawa et al. .......... 370/230
6,332,077 B1 * 12/2001  Wu et al. ................ 455/432.1
6,345,043 B1    2/2002  Hsu ...................... 370/324
6,400,722 B1 *  6/2002  Chuah et al. ............. 370/401
6,453,159 B1 *  9/2002  Lewis .................... 455/411
6,526,506 B1 *  2/2003  Lewis .................... 713/153
6,574,466 B1 *  6/2003  Papini et al. ............ 455/410
6,600,734 B1 *  7/2003  Gernert et al. ........... 370/352
6,606,663 B1 *  8/2003  Liao et al. .............. 709/229
6,636,894 B1 * 10/2003  Short et al. ............. 709/225
6,701,361 B1 *  3/2004  Meier .................... 709/224
6,801,941 B1 * 10/2004  Stephens et al. .......... 709/225

FOREIGN PATENT DOCUMENTS
JP  11-252183   9/1999
JP  11-265349   9/1999

OTHER PUBLICATIONS
5 GHz Band Ethernet Type Wireless LAN System, NTT R&D, vol. 48, pp. 15-21, dated Aug. 10, 1999.

* cited by examiner

Primary Examiner: Hanh Nguyen
Assistant Examiner: [illegible]
(74) Attorney, Agent, or Firm: Sughrue Mion, PLLC

(57) ABSTRACT

An authentication method and apparatus at a wireless LAN (local area network) system based on the IEEE 802.11, in which many STAs (terminal stations) are connected to APs (access points), and which can keep the security in authentication, is provided. At the authentication method, an authentication request from one of the STAs, composed of a data terminal and a wireless LAN card, is transmitted to one of the APs. The AP transmits a MAC (media access control) address of the STA to an authentication server by converting the authentication request to a protocol adaptable to the authentication server. The authentication server checks the MAC address and transmits a challenge message to the AP 2. The AP 2 executes encryption authentication with the STA based on a WEP (wired equivalent privacy) algorithm stipulated in the IEEE 802.11.

10 Claims, 6 Drawing Sheets
[Representative drawing (front page): a wired network 6 connects a maintenance server 4 and an authentication server 3 to APs 2; a wireless network 5 connects the APs 2 to STAs 1, each STA 1 consisting of a data terminal 10 and a wireless LAN card 20.]

U.S. Patent    May 2, 2006    Sheet 1 of 6    US 7,039,021 B1

[FIG. 1: block diagram of a conventional wireless LAN system (drawing).]
U.S. Patent    May 2, 2006    Sheet 2 of 6    US 7,039,021 B1

[FIG. 2 (PRIOR ART): sequence diagram between STA and AP. Labels: authentication request to AP (S1); WEP (generate text) (S2); WEP (encrypt) (S3); successful code (S6); association.]
U.S. Patent    May 2, 2006    Sheet 3 of 6    US 7,039,021 B1

[FIG. 3: system structure of the embodiment of the authentication apparatus (drawing).]
U.S. Patent    May 2, 2006    Sheet 4 of 6    US 7,039,021 B1

[FIG. 4: protocol stack of the control plane at each node. Labels: STA 1 (wireless LAN terminal); AP 2; wireless LAN; authentication; TCP/IP; SNMP; Ethernet.]
U.S. Patent    May 2, 2006    Sheet 5 of 6    US 7,039,021 B1

[FIG. 5: sequence diagram among STA 1, AP 2 (RADIUS client) and authentication server 3 (RADIUS server). Labels: set AP key; authentication request to AP (S1); MAC address (S8); check MAC address (S9); challenge message (S10); WEP (generate text) (S2); challenge text; WEP (encrypt) (S3); IV + encrypted challenge text (S4); WEP (decrypt and compare) (S5); challenge response, RADIUS CHAP (S11); authentication completed (S12); successful code (S6); association (S7); renew MAC address (S13).]
U.S. Patent    May 2, 2006    Sheet 6 of 6    US 7,039,021 B1

[FIG. 6: sequence diagram among STA, AP and authentication server. Labels: open system authentication request (S14); check MAC address; response: hashed challenge text (S17); success code (S19); association (S20); communication (with time limit); de-association (S21).]
US 7,039,021 B1

AUTHENTICATION METHOD AND APPARATUS FOR A WIRELESS LAN SYSTEM

BACKGROUND OF THE INVENTION

The present invention relates to an authentication method and apparatus at a wireless LAN (local area network) system, in particular one based on the IEEE (Institute of Electrical and Electronics Engineers) 802.11.

DESCRIPTION OF THE RELATED ART

A wireless LAN system based on the IEEE 802.11 has been developed. In the system, frequency bands such as 2.4 GHz or 5 GHz can be used without license; therefore, it is important to keep security at the wireless network.

At chapter 8, Authentication and Privacy, of the IEEE 802.11, an open system authentication method and a shared key authentication method using the WEP (wired equivalent privacy) algorithm are stipulated, and either one of the authentication methods is fixed and used in a wireless LAN system.

FIG. 1 is a block diagram showing a conventional structure of a wireless LAN system based on the IEEE 802.11. In FIG. 1, a STA 1 is a terminal station, plural STAs 1 are provided in the wireless LAN system, and each STA 1 is a data terminal having transmitting and receiving functions for radio signals, such as a notebook size PC (personal computer).

An AP (access point) 2 has an interface function between a wireless network and a wired network, also has transmitting and receiving functions for radio signals, and further provides firmware for controlling the radio signals and a MAC (medium access control) address authentication function. Plural APs 2 are also provided in the wireless LAN system. A maintenance server 4 sets and controls the plural APs 2 by SNMP (simple network management protocol).

The connection between the STAs 1 and the APs 2 is a wireless network 5, and the connection between the APs 2 and the maintenance server 4 is a wired network such as Ethernet.

First, referring to a drawing, the shared key authentication method is explained. FIG. 2 is a sequence diagram showing a conventional procedure of encryption authentication using the WEP algorithm stipulated in the IEEE 802.11. In FIG. 2, the encryption authentication using the WEP algorithm is executed in the MAC (media access control), which is a sub-layer of the data link layer, the second layer of the OSI (open system interconnection) model.

The MAC controls access rights when data transmission requests from plural terminal stations compete with one another on a common transmission line, distinguishes physical connecting points between the terminal stations and the transmission line, forms frames, and executes error control on the transmission line, together with the physical layer, the first layer of the OSI model.

First, an authentication request is transmitted from a STA 1 to an AP 2 by a radio signal (S1). At this time, bits showing the authentication request based on the shared key authentication method are provided in a PDU (packet data unit) format, and a MAC address of the STA 1 is included in a MAC frame as a source address.

Next, a challenge text is transmitted from the AP 2, which received the authentication request, to the STA 1 (S2). The STA 1 encrypts the received challenge text by using its own shared key and an IV (initialization vector) based on the WEP algorithm (S3).

The STA 1 then transmits the encrypted challenge text and the IV to the AP 2 (S4). The AP 2 decrypts the received encrypted challenge text by using the received encrypted challenge text, the IV, and its own shared key. The AP 2 compares the challenge text transmitted at S2 with the decrypted challenge text obtained at S4, and judges whether the two challenge texts are the same or not (S5). When the judged result is the same, the AP 2 transmits a successful code as an authentication completed notice to the STA 1, because the authentication has completed (S6). The STA 1, having received the authentication completed notice, transfers to association operation with the AP 2 (S7).

At the open system authentication method, when the STA 1 transmits an authentication request to the AP 2, no special judging procedure is executed, and an authentication result is transmitted from the AP 2 to the STA 1. This is a simple procedure.

However, at the conventional wireless LAN system based on the IEEE 802.11, the authentication method and apparatus have the following problems.

First, at the conventional wireless LAN system mentioned above, the AP 2 authenticates the MAC address. However, generally the main task of the AP 2 is an interface function between the wireless network and the wired network; therefore there is a limit in hardware and software to execute the authentication function of the MAC address. Especially, it is difficult for a generally used AP 2 to provide a MAC address table of many STAs 1, for example, more than 10000 STAs 1. Consequently, authenticating the MAC addresses of many STAs 1 becomes difficult.

Second, a card such as a PC card, in which hardware and firmware for controlling radio signals and an ID (identifier) are stored, has recently been used in each terminal station in the wireless LAN system. In order to apply the shared key authentication method stipulated in the IEEE 802.11 to this kind of wireless LAN system, the shared key is also stored in the card. In this case, the card is small and easy to carry, and the card holding the key may be left behind or stolen; therefore the probability that the key is used illegally becomes large, and a method to keep the security is required.

Thirdly, after the authentication procedure is completed at the open system authentication method, the communication period after the association has no limitation; consequently, there is a possibility of an illegal connection, and the security becomes low.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide an authentication method and apparatus at a wireless LAN system which can keep the security.

According to the present invention, for achieving the object mentioned above, there is provided an authentication method at a wireless LAN (local area network) system. The authentication method provides the steps of: transmitting an authentication request from a STA (terminal station) to an AP (access point) with which the STA desires to make association; requesting authentication of the authentication request from the AP to an authentication server, by converting the authentication request to a protocol adaptable to the authentication server; checking the authentication request at the authentication server based on a MAC (media access control) address of the STA; executing encryption authentication at the AP with the STA based on a designated encryption algorithm; and notifying an authentication completion from the authentication server to the AP, after the authentication server received a response of a completion of the encryption authentication from the AP.

According to the present invention, after the encryption authentication is normally completed, a table of the MAC addresses in the AP is renewed by an instruction from the authentication server.

According to the present invention, in case that a trouble occurs at the authentication server, the AP itself executes authentication of the MAC address.

According to the present invention, the encryption algorithm uses a shared key having a predetermined usable period.

According to the present invention, in case that the predetermined usable period of the shared key has expired, the MAC address is authenticated by an open system authentication method, and at the open system authentication method, after association, a period of communication is limited to a designated short time, a key is transported in the limited time by using an Internet Key Exchange method of Public Key Infrastructure, and the authentication request is executed again by using the shared key.

According to the present invention, the authentication algorithm is a WEP (wired equivalent privacy) algorithm stipulated in the IEEE 802.11.
BRIEF DESCRIPTION OF THE DRAWINGS

The objects and features of the present invention will become more apparent from the consideration of the following detailed description taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a block diagram showing a conventional structure of a wireless LAN system based on the IEEE 802.11;

FIG. 2 is a sequence diagram showing a conventional procedure of encryption authentication using the WEP algorithm stipulated in the IEEE 802.11;

FIG. 3 is a block diagram showing a system structure of an embodiment of an authentication apparatus of a wireless LAN system of the present invention;

FIG. 4 is a diagram showing a protocol stack at each node of a control plane of the embodiment of the authentication apparatus of the wireless LAN system of the present invention;

FIG. 5 is a sequence diagram showing an authentication procedure of a first embodiment of an authentication method of the wireless LAN system of the present invention;

FIG. 6 is a sequence diagram showing an authentication procedure of a third embodiment of the authentication method of the wireless LAN system of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring now to the drawings, embodiments of the present invention are explained in detail. FIG. 3 is a block diagram showing a system structure of an embodiment of an authentication apparatus of a wireless LAN system of the present invention. In FIG. 3, a STA 1 is a terminal station, and plural STAs 1 are provided in the authentication apparatus of the wireless LAN system of the present invention. Each STA 1 consists of a data terminal 10, such as a notebook size PC, and a wireless LAN card 20 in which hardware and firmware for transmitting and receiving radio signals and for controlling the radio signals are provided.

An AP 2 has an interface function between a wireless network and a wired network, and also provides hardware and firmware for transmitting and receiving radio signals and for controlling the radio signals. The AP 2 also provides a function for converting protocols, so that the authentication protocol of the IEEE 802.11 and the protocol to authenticate the STA 1 are made adaptable to the authentication protocol of an authentication server. Plural APs 2 are also provided in the authentication apparatus of the wireless LAN system of the present invention.

An authentication server 3 is a server having an authentication function, and usable MAC addresses of the STAs 1 are registered in the authentication server 3 beforehand. At the embodiment of the present invention, a RADIUS (remote authentication dial in user service) server having functions such as dial-up access, authentication, and charging is used. However, the authentication server 3 is not limited to a RADIUS server. The authentication server 3 also has a function for executing the MAC address authentication by connecting to the APs 2.

A maintenance server 4 is a server to set and control the APs 2 by SNMP.

At the embodiment of the present invention, the authentication server 3 and the maintenance server 4 are separate and independent; however, both functions can be installed in one server.

The connection between the STAs 1 and the APs 2 is a wireless network 5, and the connection between the APs 2 and the authentication server 3, and between the APs 2 and the maintenance server 4, is a wired network 6 such as Ethernet.

FIG. 4 is a diagram showing a protocol stack at each node of a control plane of the embodiment of the authentication apparatus of the wireless LAN system of the present invention.

In FIG. 4, at the IEEE 802.11, the association and the authentication are handled as entities in the MAC, the sub-layer of the data link layer. In the wireless network 5, encryption authentication is executed based on the IEEE 802.11. When the AP 2 receives an authentication request from the wireless network 5, the AP 2 transfers the authentication request to the authentication server 3. The authentication server 3 executes the authentication operation by using the RADIUS protocol.

FIG. 5 is a sequence diagram showing an authentication procedure of a first embodiment of an authentication method of the wireless LAN system of the present invention. At the embodiment of the present invention, in addition to the encryption authentication using the shared key authentication method utilizing the WEP algorithm stipulated in the IEEE 802.11, an authentication using the MAC address is executed. Keys of the STAs 1 and the APs 2 are set beforehand, and usable MAC addresses of the STAs 1 are registered in the authentication server 3 beforehand.

As explained in FIG. 3, at the embodiment of the authentication apparatus of the wireless LAN system of the present invention, the wireless LAN card 20 is provided in the STA 1; consequently, there is a possibility that the wireless LAN card is left behind, or that the card is stolen by an illegal user and used. Therefore, in order to keep the security at a high level, the authentication using the MAC address is combined with the shared key authentication method to determine which cards are stolen. In FIG. 5, a procedure that is the same as in FIG. 2 has the same reference number.

Referring to FIG. 5, operation of the embodiment of the authentication apparatus of the wireless LAN system of the
present invention is explained. First, an authentication request is transmitted from a STA 1 to an AP 2 by a radio signal (S1). At this time, bits showing the authentication request based on the shared key authentication method are provided in the PDU format, and a MAC address of the STA 1 is included in a MAC frame as a source address.

At the conventional WEP algorithm shown in FIG. 2, the AP 2, having received the authentication request, provides a challenge text and transmits the challenge text to the STA 1. However, at the first embodiment of the present invention, the AP 2 requests a check from the authentication server 3 by using the MAC address as the ID (identifier) (S8).

In this, the authentication server 3 is a RADIUS server, and operates based on the RADIUS protocol defined by RFC (request for comments) 2138 of the IETF (Internet Engineering Task Force).

The MAC address is defined as a user name or a calling-station ID on the authentication protocol (RADIUS protocol).

The authentication server (RADIUS server) 3 checks the MAC address received from the AP 2 (S9).

In case that the MAC address is checked and confirmed, a challenge message is transmitted to the AP 2, based on a procedure equivalent to the CHAP (PPP challenge handshake authentication protocol) defined at RFC 1994 of the IETF (S10). In this, PPP signifies the point-to-point protocol.

At the CHAP, a message digest 5 (MD5) is defined as a one-way hashing method. However, instead of MD5, one of the other hashing methods can be used.

The AP 2, having received the challenge message from the authentication server 3, transmits a challenge text to the STA 1 based on the normal WEP algorithm (S2). As the challenge text, the challenge message transmitted from the authentication server 3 can be used as it is, instead of a challenge text based on the WEP algorithm.

The STA 1 encrypts the challenge text received from the AP 2 by using its own shared key and an IV based on the WEP algorithm (S3).

The STA 1 then transmits the encrypted challenge text and the IV to the AP 2 (S4). The AP 2 decrypts the received encrypted challenge text by using the received encrypted challenge text, the IV, and its own shared key. The AP 2 compares the challenge text transmitted at S2 with the decrypted challenge text obtained at S4, and judges whether the two challenge texts are the same or not; when the judged result is the same, the authentication at the wireless network is a success (S5).

The AP 2 returns a CHAP response (challenge response) to the authentication server 3 by hashing according to the CHAP (S11).

When the authentication server 3 acknowledges that a normal response is received by using the CHAP, the authentication server 3 notifies the completion of the authentication (successful code) to the AP 2, judging that the total authentication is completed (S12).

The AP 2, having received the authentication completion notification (successful code), notifies the authentication completion to the STA 1, and the STA 1 also recognizes that the authentication is successful (S6).

The authentication server 3 instructs that the usable MAC address table stored in the AP 2 be renewed (S13). As a result, a newly authenticated MAC address is registered at any time, and the MAC address table in the AP 2 can be automatically renewed. After this operation, the STA 1 and the AP 2 go to association operation (S7).
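The FIG. 5 sequence above, which extends the conventional FIG. 2 shared-key exchange of steps S1 to S7 in the related art, can be simulated end to end. The Python below is an added example written for this page; it is not code from the patent or from NEC. It models the three parties, the CHAP challenge/response of RFC 1994 between AP and server (MD5 over identifier, secret and challenge), and the WEP challenge encryption between STA and AP (RC4 keyed with the IV followed by the shared key). The RADIUS transport, the CHAP secret shared by AP and server, the 16-byte challenge, the use of the server's challenge message as the WEP challenge text, and every MAC address and key are assumptions made for the demonstration; WEP's CRC-32 ICV is left out.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream (the cipher WEP uses); toy implementation."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:                    # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_crypt(shared_key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP keys RC4 with IV || shared key; the XOR both encrypts and decrypts.
    The CRC-32 ICV that real WEP appends to the plaintext is omitted."""
    keystream = rc4_keystream(iv + shared_key, len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over Identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass
class STA:
    mac: str
    shared_key: bytes                  # key stored in the wireless LAN card

    def encrypt_challenge(self, challenge_text: bytes):
        """S3/S4: encrypt the challenge under a fresh 24-bit IV; return IV + ciphertext."""
        iv = os.urandom(3)
        return iv, wep_crypt(self.shared_key, iv, challenge_text)


@dataclass
class AuthServer:
    """RADIUS-style server: usable MACs registered beforehand, plus a CHAP
    secret shared with the AP (an assumption; the patent does not name it)."""
    usable_macs: set
    chap_secret: bytes
    _pending: dict = field(default_factory=dict)

    def check_mac(self, mac: str):
        """S9/S10: check the MAC (used as the user name); on success issue a
        CHAP challenge message (identifier, challenge), else None."""
        if mac not in self.usable_macs:
            return None
        identifier = len(self._pending) & 0xFF
        challenge = os.urandom(16)
        self._pending[identifier] = (mac, challenge)
        return identifier, challenge

    def verify_response(self, identifier: int, response: bytes):
        """S12: verify the AP's CHAP response; returns (ok, mac) so the AP can
        renew its MAC table (S13) on success."""
        mac, challenge = self._pending.pop(identifier)
        expected = chap_response(identifier, self.chap_secret, challenge)
        return hmac.compare_digest(expected, response), mac


@dataclass
class AP:
    shared_key: bytes
    chap_secret: bytes
    server: AuthServer
    mac_table: set = field(default_factory=set)   # renewed by the server at S13

    def authenticate(self, sta: STA) -> str:
        # S1: the request arrives with the STA's MAC as frame source address.
        # S8: ask the server to check that MAC before any challenge is sent.
        issued = self.server.check_mac(sta.mac)
        if issued is None:
            return "REJECTED: MAC address not registered"
        identifier, challenge_msg = issued
        # S2: challenge text to the STA (server's message used as-is).
        # S3/S4: STA answers with IV + encrypted challenge text.
        iv, ciphertext = sta.encrypt_challenge(challenge_msg)
        # S5: decrypt with the AP's own key and compare.
        if wep_crypt(self.shared_key, iv, ciphertext) != challenge_msg:
            return "REJECTED: shared key mismatch"
        # S11: CHAP response to the server; S12: server's completion verdict.
        ok, mac = self.server.verify_response(
            identifier, chap_response(identifier, self.chap_secret, challenge_msg))
        if not ok:
            return "REJECTED: server declined"
        self.mac_table.add(mac)               # S13: MAC table renewed
        return "ASSOCIATED"                   # S6 success code, then S7 association
```

Note that a STA holding the correct shared key but an unregistered MAC is refused at S8/S9 before any challenge is issued, and the AP's local table only ever grows from the server's completion notice, which is the property the text relies on for spotting a stolen card. RC4 and MD5 appear here only because the patent stipulates WEP and CHAP; neither is an acceptable primitive for a new design.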
As a result of the first embodiment, the following effect can also be realized. At the first embodiment of the present
invention, as shown in FIG. 5, the AP 2 executes the authentication request to the authentication server 3 by using the MAC address as the ID (S8). However, when a trouble occurs at the hardware or the software in the authentication server 3 and the authentication server 3 cannot receive the authentication request from the AP 2, at that time the AP 2 itself can execute the authentication by using the MAC address.

As mentioned at S13 in FIG. 5, the MAC address table in the AP 2 is automatically renewed; therefore the authenticated result is taken into the MAC address table in the AP 2 immediately. The AP 2 stores the MAC addresses up to the time that the trouble occurs at the authentication server 3; therefore the AP 2 can authenticate the MAC addresses by itself. Consequently, even when some troubles occur at the authentication server 3, the authentication procedure can be continued.

At a second embodiment of the present invention, the usable time of the shared key is limited to a designated period beforehand at a key control server (not shown); therefore the security is made high. As shown in FIG. 5, at S3 of the first embodiment, the STA 1 can always encrypt the challenge text received from the AP 2 by using its own shared key and the IV based on the WEP algorithm. At the second embodiment, in order that illegal authentication is not executed even when the shared key is leaked, security can be kept by limiting the usable time of the shared key.

Next, a third embodiment of the present invention is explained. At the second embodiment of the present invention, the usable time of the shared key for the WEP is limited; with this, the security against illegal usage can be kept. However, when a legal user did not use the STA 1 within the usable limit time, the key must be transported in case the legal user uses it after the usable time limit.

At the third embodiment, an authentication method at the time when the shared key becomes invalid due to the usable time limit is explained.

FIG. 6 is a sequence diagram showing an authentication procedure of the third embodiment of the authentication method of the wireless LAN system of the present invention. In FIG. 6, when the shared key from the STA 1 becomes invalid (unsuccessful), the STA 1 requests the authentication again from the AP 2 by the open system authentication method (S14).

The AP 2 recognizes that the request is executed by the open system authentication method, and requests the authentication from the authentication server 3 by using the MAC address as the authentication ID (S15).

In this, the authentication server 3, for example, operates based on the RADIUS protocol defined at RFC 2138 of the IETF.

The MAC address is defined as a user name or a calling station ID on the authentication protocol (RADIUS).

The authentication server 3 (RADIUS) authenticates the MAC address, and after this transmits a challenge text by using a procedure equivalent to the CHAP defined at RFC 1994 of the IETF (S16).

At the CHAP, the message digest MD5 is defined as a one-way hashing method. However, instead of MD5, one of the other hashing methods can be used.

The AP 2, having received the challenge text from the authentication server 3, returns the CHAP response (hashed challenge text) to the authentication server 3 by hashing according to the CHAP (S17).

When the authentication server 3 recognizes that a normal response is received by the CHAP, the authentication server 3 notifies the AP 2 of the authentication completion, as the total authentication is completed (S18).

The AP 2, having received the information of the authentication completion, notifies the authentication completion to the STA 1, and the STA 1 recognizes that the authentication is successful (S19).

After this, the STA 1 and the AP 2 go to the operation of association (S20).

When the authentication between the AP 2 and the authentication server 3 was successful, as mentioned at the first embodiment, the newly authenticated MAC address can be registered in the usable MAC address table stored in the AP 2. However, at the third embodiment, the open system authentication method is used and the security is low; therefore it is recommended that the newly authenticated MAC address is not newly registered.

After the association procedure is completed, the STA 1 executes communication by normal IP (Internet protocol) packets through the AP 2.

Next, a fourth embodiment of the present invention is explained. In case of the open system authentication method at the third embodiment, the communication period does not have a limit after the association; consequently, the possibility that an illegal connection is executed is high.

At the fourth embodiment of the present invention, an effective period of communication after the association is decided to be a designated short period that is sufficient for the shared key of the WEP algorithm to be transported from a key control server (not shown) by using an Internet Key Exchange method of Public Key Infrastructure. For example, this effective period of communication is recommended to be 10 seconds to one minute.

In FIG. 6, after the key is transported for the original shared key authentication method, de-association is executed (S21), and the connection is executed again by the shared key authentication method. As a result, even when an illegal access using a false MAC address is executed, the security can be kept high.
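The AP-side policy spread over the embodiments above can be written as one small state machine: the local MAC-table fallback when the authentication server has trouble (first embodiment), a shared key with a usable period (second), the open system path taken once that period has expired (third, FIG. 6), and the short, time-limited association that ends in de-association at S21 once the new key has been transported (fourth). The Python below is an added example for this page, not the patent's or NEC's code. The WEP and CHAP exchanges are reduced to a key comparison and a yes/no verdict from the server, and the 30-second window, the key control server and the IKE/PKI key transport are assumptions; all MAC addresses and keys are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

OPEN_SYSTEM_LIMIT_S = 30.0    # inside the 10 s to 1 min window the patent recommends


@dataclass
class SharedKey:
    value: bytes
    valid_until: float        # usable period set beforehand by a key control server (assumed)

    def usable(self, now: float) -> bool:
        return now < self.valid_until


@dataclass
class AuthServer:
    usable_macs: set
    reachable: bool = True    # False models "a trouble occurs at the authentication server"

    def check_mac(self, mac: str) -> Optional[bool]:
        """None when the server cannot be reached, else the MAC verdict.
        The CHAP exchange between AP and server is abstracted away here."""
        return None if not self.reachable else mac in self.usable_macs


@dataclass
class Session:
    mac: str
    mode: str                      # "shared_key" or "open_system"
    expires_at: Optional[float]    # None: no time limit


@dataclass
class AP:
    server: AuthServer
    key: SharedKey
    mac_table: set = field(default_factory=set)    # renewed at S13 of FIG. 5
    sessions: dict = field(default_factory=dict)

    def _mac_ok(self, mac: str) -> bool:
        verdict = self.server.check_mac(mac)
        if verdict is None:        # server trouble: authenticate from the local table
            return mac in self.mac_table
        return verdict

    def authenticate(self, mac: str, presented_key: bytes, now: float) -> Optional[Session]:
        if self.key.usable(now):
            # Shared-key path (FIG. 5); equality of the presented key stands in
            # for the WEP challenge/response of S2 to S5.
            if not self._mac_ok(mac) or presented_key != self.key.value:
                return None
            self.mac_table.add(mac)                    # S13
            session = Session(mac, "shared_key", None)
        else:
            # Key past its usable period: open system request (S14), MAC check
            # at the server (S15 to S18), association limited in time (fourth
            # embodiment); the MAC is deliberately not added to the table.
            if not self._mac_ok(mac):
                return None
            session = Session(mac, "open_system", now + OPEN_SYSTEM_LIMIT_S)
        self.sessions[mac] = session
        return session

    def forward_allowed(self, mac: str, now: float) -> bool:
        """Data forwarding after association; a timed-out open-system session
        is de-associated (S21) and no longer forwards."""
        session = self.sessions.get(mac)
        if session is None:
            return False
        if session.expires_at is not None and now >= session.expires_at:
            del self.sessions[mac]
            return False
        return True

    def key_transported(self, mac: str, new_key: SharedKey) -> None:
        """Called when the key transport (IKE/PKI, abstracted) finishes inside
        the window: install the new shared key and de-associate (S21) so the
        STA returns through shared-key authentication."""
        self.key = new_key
        self.sessions.pop(mac, None)
```

A session opened by the open system path therefore never outlives `OPEN_SYSTEM_LIMIT_S` and never populates the AP's MAC table, while a session opened by the shared-key path has no limit and does populate it; the fallback branch in `_mac_ok` is what keeps authentication running, on the table as it stood just before the outage, when the server is unreachable.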
As mentioned above, at the present invention, the MAC address authentication, in which the shared key authentication method stipulated in the IEEE 802.11 is expanded, is executed. With this, at the wireless LAN system in which illegal usage is liable to occur because of the usage of a wireless LAN card, the security can be kept high. And the authentication for many wireless LAN cards can be executed from any of the access points.

Moreover, at the present invention, a usable time limit of the shared key of the WEP is decided, and the period of the association at the open system authentication method is limited; consequently, the security can be kept high.

Further, the MAC address table in the AP is automatically renewed by the instruction from the authentication server. Therefore, even when the authentication server has some troubles, by utilizing the MAC address information from right before the troubles, the AP itself can authenticate the MAC address.

While the present invention has been described with reference to the particular illustrative embodiments, it is not to be restricted by those embodiments but only by the appended claims. It is to be appreciated that those skilled in the art can change or modify the embodiments without departing from the scope and spirit of the present invention.
What is claimed is:

1. An authentication method for a wireless LAN (local area network) system, comprising:
transmitting an authentication request from a STA (terminal station) to an AP (access point), wherein said authentication request comprises a request from said STA to connect with said LAN;
requesting authentication of said authentication request from said AP to an authentication server, by converting said authentication request to a protocol adaptable to said authentication server;
if no problem occurs at hardware or software of said authentication server, checking said authentication request at said authentication server based on a MAC (media access control) address of said STA;
executing encryption authentication at said AP with said STA based on a designated encryption algorithm; and
if no problem occurs at hardware or software of said authentication server, notifying an authentication completion from said authentication server to said AP, after said authentication server received a response of a completion of said encryption authentication from said AP,
wherein said AP stores said MAC address of said STA, and
wherein, when a problem occurs in hardware or software of said authentication server, said AP itself executes authentication of said STA based on said MAC address of said STA.

2. An authentication apparatus for a wireless LAN system comprising:
plural STAs; plural APs which connect to an authentication server and said plural STAs, and one of said plural APs receives an authentication request from one of said plural STAs and converts said authentication request from one of said plural STAs to a protocol adaptable to said authentication server, and authenticates said authentication request from one of said plural STAs based on a designated encryption algorithm; and
said authentication server which, if no problem occurs at hardware or software of said authentication server, checks said authentication request from one of said STAs based on a MAC address of one of said plural STAs receiving said converted authentication request, and
notifies an authentication completion to said AP, after said authentication server received a response of a completion of encryption authentication from said AP;
wherein said authentication request comprises a request from one of said plural STAs to connect with said LAN,
wherein said AP stores a MAC address of said one of said STAs, and
wherein in case that a problem occurs at hardware or