CN-114667499-B - Electronic device, method, and non-transitory computer readable storage medium
Abstract
An electronic device is described that selectively grants a second electronic device secure access to a network. Such an electronic device receives an access request associated with a computer, wherein the access request includes a password parameter associated with a user, and the password parameter includes an input and an output of an encryption calculation. In response, the electronic device calculates one or more second outputs of the encryption calculation based at least in part on the input and one or more stored passwords. Further, the electronic device accesses a policy associated with the user when there is a match between one of the one or more second outputs and the output. The electronic device then selectively provides an access accept message to the computer when one or more criteria associated with the policy are met, the access accept message including information for establishing secure access of the second electronic device.
Inventors
- David Sheldon Stephenson
- Xu Mingjie
- Lun Sitri
Assignees
- ARRIS Enterprises LLC (艾锐势有限责任公司)
Dates
- Publication Date: 2026-05-08
- Application Date: 2020-09-09
- Priority Date: 2019-09-11
Claims (20)
- 1. An electronic device, comprising: interface circuitry configured to communicate with a computer and a second computer; a processor coupled to the interface circuitry; and a memory coupled to the processor, the memory configured to store program instructions, wherein the program instructions, when executed by the processor, cause the electronic device to perform operations comprising: receiving an access request associated with the computer, wherein the access request includes a password parameter associated with a user corresponding to a password, and the password parameter includes an input of an encryption calculation and an output of the encryption calculation; calculating one or more second outputs of the encryption calculation based at least in part on the input and one or more stored passwords; accessing a policy associated with the user when there is a match between one of the one or more second outputs and the output, wherein accessing the policy includes communicating with the second computer, which is associated with property management of a hotel or educational institution; and selectively providing an access accept message addressed to the computer when one or more criteria associated with the policy are met, wherein the access accept message is addressed to a second electronic device associated with the user and includes information for establishing secure access of the second electronic device to a network, wherein the second electronic device is included in a group of electronic devices associated with the user and sharing the password, and wherein communication between electronic devices in the group of electronic devices is isolated from communication with other electronic devices.
- 2. The electronic device of claim 1, wherein the electronic device comprises an authentication, authorization, and accounting (AAA) server.
- 3. The electronic device of claim 1, wherein the password comprises a dynamic pre-shared key (DPSK) of the user.
- 4. The electronic device of claim 1, wherein the password parameter includes a random number associated with the second electronic device, a random number associated with a computer network device, an output of the encryption calculation, an identifier of the second electronic device, and an identifier of the computer network device.
- 5. The electronic device of claim 1, wherein the policy comprises a time interval during which the password is valid.
- 6. The electronic device of claim 1, wherein the policy comprises a location where the password is valid or a network that the user is allowed to access.
- 7. The electronic device of claim 6, wherein the operations include communicating with the second computer to determine whether the second electronic device is associated with the location, and wherein the access accept message is selectively provided when the second electronic device is associated with the location.
- 8. The electronic device of claim 1, wherein the network comprises a virtual network associated with a location, and the information in the access accept message allows the second electronic device to establish secure communications with the virtual network.
- 9. The electronic device of claim 8, wherein the virtual network comprises a Virtual Local Area Network (VLAN) or a virtual extensible local area network (VXLAN).
- 10. The electronic device of claim 8, wherein the access accept message includes an identifier of the virtual network, and wherein the identifier comprises a virtual local area network identifier (VLAN ID) or a virtual network identifier (VNI).
- 11. The electronic device of claim 10, wherein the identifier comprises information specifying more than one of 4,096 virtual networks.
- 12. The electronic device of claim 8, wherein the secure communication is independent of traffic associated with other users of the network.
- 13. The electronic device of claim 1, wherein the access request comprises a remote authentication dial-in user service (RADIUS) access request and the access accept message comprises a RADIUS access accept message.
- 14. The electronic device of claim 1, wherein the policy allows the user to access multiple networks at different locations.
- 15. The electronic device of claim 14, wherein the input to calculate the one or more second outputs comprises a given identifier for a given network.
- 16. The electronic device of claim 4, wherein the one or more stored passwords are organized based at least in part on identifiers of different networks.
- 17. The electronic device of claim 1, wherein the password is independent of an identifier associated with the second electronic device.
- 18. The electronic device of claim 1, wherein the password is independent of the second electronic device or hardware in the second electronic device.
- 19. A non-transitory computer-readable storage medium for use with an electronic device, the computer-readable storage medium storing program instructions that, when executed by the electronic device, cause the electronic device to perform operations comprising: receiving an access request associated with a computer, wherein the access request includes a password parameter associated with a user corresponding to a password, and the password parameter includes an input of an encryption calculation and an output of the encryption calculation; calculating one or more second outputs of the encryption calculation based at least in part on the input and one or more stored passwords; accessing a policy associated with the user when there is a match between one of the one or more second outputs and the output, wherein accessing the policy includes communicating with a second computer associated with property management of a hotel or educational institution; and selectively providing an access accept message addressed to the computer when one or more criteria associated with the policy are met, wherein the access accept message is addressed to a second electronic device associated with the user and includes information for establishing secure access of the second electronic device to a network, wherein the second electronic device is included in a group of electronic devices associated with the user and sharing the password, and wherein communication between electronic devices in the group of electronic devices is isolated from communication with other electronic devices.
- 20. A method for selectively granting secure access to a network, the method comprising, by an electronic device: receiving an access request associated with a computer, wherein the access request includes a password parameter associated with a user corresponding to a password, and the password parameter includes an input of an encryption calculation and an output of the encryption calculation; calculating one or more second outputs of the encryption calculation based at least in part on the input and one or more stored passwords; accessing a policy associated with the user when there is a match between one of the one or more second outputs and the output, wherein accessing the policy includes communicating with a second computer associated with property management of a hotel or educational institution; and selectively providing an access accept message addressed to the computer when one or more criteria associated with the policy are met, wherein the access accept message is addressed to a second electronic device associated with the user and includes information for establishing secure access of the second electronic device to the network, wherein the second electronic device is included in a group of electronic devices associated with the user and sharing the password, and wherein communication between electronic devices in the group of electronic devices is isolated from communication with other electronic devices.
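The independent claims describe one procedure: the AAA server receives the handshake inputs and output (but never the password itself), recomputes the output for each stored DPSK of the requested network, and only after a match consults the group's policy (validity interval, location, virtual network) before returning an Access-Accept carrying the VLAN identifier. The following is an added example, not code from the patent or from its assignee, that models that procedure in Python. Assumptions: the "encryption calculation" is stood in for by a PBKDF2-derived key and an HMAC over the two nonces and the two identifiers from claim 4 (a real deployment would use the IEEE 802.11 4-way handshake derivation instead); the names `handshake_output`, `DpskAaaServer`, `Policy`, `AccessRequest`, the `ap_location` field (standing in for what the property-management computer would report) and all keys, MAC addresses and times are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Simplified stand-in for the "encryption calculation" of the claims (assumption:
# a real deployment uses the IEEE 802.11 4-way handshake derivation; here a
# PBKDF2-derived key and an HMAC over the handshake inputs play the same role).
def handshake_output(password: str, network_id: str, sta_nonce: bytes,
                     ap_nonce: bytes, sta_id: str, ap_id: str) -> bytes:
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), network_id.encode(), 4096, 32)
    message = sta_nonce + ap_nonce + sta_id.encode() + ap_id.encode()
    return hmac.new(key, message, hashlib.sha256).digest()


@dataclass
class Policy:
    """Per-group policy consulted only after a DPSK match (claims 5, 6, 8, 10)."""
    group: str
    valid_from: datetime
    valid_until: datetime
    location: str          # where the password is valid
    vlan_id: int           # virtual network the group's traffic is isolated into


@dataclass
class AccessRequest:
    """Constructed RADIUS-like request; the password itself is never carried in it."""
    network_id: str
    sta_nonce: bytes       # random number from the client device
    ap_nonce: bytes        # random number from the computer network device
    sta_id: str            # client identifier (MAC address)
    ap_id: str             # access point identifier (MAC address)
    output: bytes          # the client's output of the calculation
    ap_location: str       # location the property-management system reports (assumed field)
    now: datetime


class DpskAaaServer:
    def __init__(self):
        # Stored passwords are organized by network identifier (claim 16) so that
        # only the candidates for the requested network are tried.
        self._passwords = {}   # network_id -> {password: group}
        self._policies = {}    # group -> Policy

    def register_group(self, network_id: str, password: str, policy: Policy) -> None:
        self._passwords.setdefault(network_id, {})[password] = policy.group
        self._policies[policy.group] = policy

    def handle(self, req: AccessRequest) -> dict:
        # Step 1: compute a second output for every stored password and look for a match.
        matched_group = None
        for password, group in self._passwords.get(req.network_id, {}).items():
            second = handshake_output(password, req.network_id, req.sta_nonce,
                                      req.ap_nonce, req.sta_id, req.ap_id)
            if hmac.compare_digest(second, req.output):   # constant-time comparison
                matched_group = group
                break
        if matched_group is None:
            return {"code": "Access-Reject", "reason": "no stored DPSK matches"}

        # Step 2: evaluate the policy criteria before issuing an Access-Accept.
        policy = self._policies[matched_group]
        if not policy.valid_from <= req.now <= policy.valid_until:
            return {"code": "Access-Reject", "reason": "DPSK outside its validity interval"}
        if policy.location != req.ap_location:
            return {"code": "Access-Reject", "reason": "DPSK not valid at this location"}

        # Step 3: the accept message carries the identifier of the group's virtual network.
        return {"code": "Access-Accept", "group": matched_group, "vlan_id": policy.vlan_id}


def demo() -> dict:
    """Runs four constructed requests and returns their outcomes keyed by scenario."""
    server = DpskAaaServer()
    t0 = datetime(2020, 9, 9, 12, 0, tzinfo=timezone.utc)
    server.register_group("hotel-wifi", "room-512-guest-key", Policy(
        group="room-512", valid_from=t0, valid_until=t0 + timedelta(days=3),
        location="north-tower", vlan_id=1512))
    server.register_group("hotel-wifi", "room-207-guest-key", Policy(
        group="room-207", valid_from=t0, valid_until=t0 + timedelta(days=1),
        location="south-tower", vlan_id=1207))

    sta_nonce, ap_nonce = os.urandom(32), os.urandom(32)   # constructed nonces
    sta, ap = "aa:bb:cc:00:05:12", "00:11:22:33:44:55"     # constructed identifiers

    def request(password, location, now):
        # The client derives its output from the password it was provisioned with;
        # only that output (not the password) reaches the server.
        out = handshake_output(password, "hotel-wifi", sta_nonce, ap_nonce, sta, ap)
        return AccessRequest("hotel-wifi", sta_nonce, ap_nonce, sta, ap, out, location, now)

    one_hour = t0 + timedelta(hours=1)
    return {
        "valid": server.handle(request("room-512-guest-key", "north-tower", one_hour)),
        "wrong_location": server.handle(request("room-512-guest-key", "south-tower", one_hour)),
        "expired": server.handle(request("room-207-guest-key", "south-tower", t0 + timedelta(days=2))),
        "unknown_key": server.handle(request("not-a-provisioned-key", "north-tower", t0)),
    }
```

Two points of the design follow the claims directly: the comparison is made against recomputed outputs, so the shared group password never leaves the client, and indexing the stored passwords by network identifier keeps the candidate set (and the per-request derivation cost) bounded by the number of groups on that one network rather than across all locations.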
Description
Electronic device, method, and non-transitory computer readable storage medium
Technical Field
The described embodiments relate to techniques for authenticating one or more devices to a dynamic Personal Area Network (PAN) in a network based on a password and a policy associated with the network, e.g., a policy for a location associated with the one or more devices.
Background
Many electronic devices are capable of wireless communication with other electronic devices. In particular, these electronic devices may include network subsystems that implement network interfaces for cellular networks (UMTS, LTE, etc.), wireless local area networks (e.g., wireless networks as described in the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard, or Bluetooth from the Bluetooth Special Interest Group of Kirkland, Washington), and/or another type of wireless network. For example, many electronic devices communicate with each other via a Wireless Local Area Network (WLAN) using an IEEE 802.11-compatible communication protocol (sometimes collectively referred to as "Wi-Fi"). In a typical deployment, a Wi-Fi based WLAN includes one or more access points (or basic service sets, BSSs) that communicate wirelessly with each other and with other electronic devices using Wi-Fi, and that reach another network (e.g., the Internet) through IEEE 802.3 (sometimes referred to as "Ethernet").
One challenge associated with Wi-Fi is how to allow an electronic device to establish a connection with a PAN implemented in a WLAN. Notably, there may be multiple overlapping PANs in the WLAN, meaning that electronic devices outside a given PAN may be able to access content associated with other PANs (and vice versa). In principle, this problem can be solved by establishing a secure PAN: a given electronic device may establish a secure connection in a given PAN such that its communications (and thus the associated content) are not accessible to other PANs in the WLAN.
However, this approach presents other challenges, such as how to distribute and use the cryptographic information (e.g., passwords, sometimes referred to as dynamic pre-shared keys or DPSKs) that enables a given electronic device in a given PAN to establish a secure connection. For example, in some existing approaches, each electronic device in a PAN has a separate password associated with that device, which can make onboarding of the electronic device cumbersome and time consuming, or may require a complex registration process for the electronic device in the given PAN. Furthermore, in these approaches, the management of passwords can be complex.
Disclosure of Invention
In a first set of embodiments, an electronic device is described that selectively grants a second electronic device secure access to a network (e.g., a PAN in a WLAN that is independent of traffic associated with other PANs in the WLAN). The electronic device may include an interface circuit in communication with a computer (e.g., a computer network device in a WLAN, such as a controller of an access point or switch), a processor, and a memory storing program instructions that, when executed by the processor, cause the electronic device to perform operations. During operation, the electronic device receives an access request associated with the computer, wherein the access request includes a password parameter associated with a user corresponding to a password, and the password parameter includes an input of an encryption calculation and an output of the encryption calculation. In response, the electronic device calculates one or more second outputs of the encryption calculation based at least in part on the input and one or more stored passwords. Further, the electronic device accesses a policy associated with the user when there is a match between one of the one or more second outputs and the output.
Then, when one or more criteria associated with the policy are met, the electronic device selectively provides an access accept message addressed to the computer, wherein the access accept message is addressed to the second electronic device and includes information for establishing secure access by the second electronic device. Note that the electronic device may include an authentication, authorization, and accounting (AAA) server. Further, the password may include the user's DPSK. In some embodiments, the second electronic device is included in a group of electronic devices associated with the user and sharing a password. Thus, the password may be a group DPSK used by the group of electronic devices. However, the password itself may not be included in the access request. Further, the password parameter may include a random number associated with the second electronic device, a random number associated with the computer network device, an output of the encryption calculation, an identifier of the second electronic device (e.g., a media access control or MAC address), and/or