EP-4221293-B1 - METHOD AND APPARATUS FOR PERFORMING ACCESS AND/OR FORWARDING CONTROL IN WIRELESS NETWORKS SUCH AS WLANS
Inventors
- FREI, RANDALL WAYNE
- GOLDSTONE, Guy
- DADE, NICOLAS S
- CHENG, LINKER
- HAJELA, Sujal
Dates
- Publication Date
- 20260513
- Application Date
- 20180816
Claims (11)
- A device, comprising: a processor configured to: store key information identifying which of a plurality of keys are associated with one or more wireless terminals; determine, based on a first message received from a first wireless terminal, that the first message is addressed to a second wireless terminal; determine a key used to secure communications between a first device and the first wireless terminal; determine whether the second wireless terminal has access to the key based on the stored key information, and based on determining that the second wireless terminal has access to the key, forward the first message to the second wireless terminal.
- The device of claim 1, wherein the processor is further configured to: determine, based on a second message received from the first wireless terminal, that the second message is addressed to a third wireless terminal; determine, whether the third wireless terminal has access to the key; and based on determining that the third wireless terminal does not have access to the key, drop the second message without delivering the second message to the third wireless terminal.
- The device of any of claims 1-2, wherein the key is a preshared key (PSK).
- The device of any of claims 1-3, the processor is further configured to: secure the message using the key prior to transmitting the message to the second wireless terminal.
- The device of any of claims 1-4, wherein the processor further configured to: forward the message to a second device when the second wireless terminal is attached to the second device.
- The device of claim 5, wherein the first device is a WiFi access point, and wherein the second device is an LTE access point, the second device using a different wireless communications protocol than the first device.
- The device of claim 5, the processor further configured to: receive a notification from the second device, the notification including an indication that the second wireless terminal does not have access to the key or an instruction to stop forwarding content addressed to the second wireless terminal and secured with the key to the second device for delivery to the second wireless terminal.
- The device of any of claims 1-7, wherein the processor is further configured to decrypt the first message using the key.
- A system comprising: a first device attached to a first wireless terminal; and a second device attached to a second wireless terminal; the first device including a processor configured to: store key information identifying which of a plurality of keys are associated with one or more wireless terminals; determine, based on a message received from the first wireless terminal, that the message is addressed to the second wireless terminal; determine a key used to secure communications between the first device and the first wireless terminal; based on a determination that the first device does not have key association information available for the second wireless terminal, forward the message to the second device; the second device including a processor configured to: store key information identifying which of a plurality of keys are associated with one or more wireless terminals; determine, based on a first message received from a first device, that the first message is addressed to a second wireless terminal; determine a key used to secure communications between a first device and the first wireless terminal; determine whether the second wireless terminal has access to the key based on the stored key information; and based on determining that the second wireless terminal has access to the key, forward the message to the second wireless terminal.
- A method performed by the device of any of claims 1-8.
- A computer readable medium comprising instructions that, when executed by one or more processors of a device, cause the device to become configured as the device of any of claims 1-8.
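An added example in Python (not code from the patent or its assignee) modelling the forwarding control of claims 1, 2 and 9: each device stores which PSK identifier each attached terminal uses, forwards a message only to a destination that has access to the sender's key, drops it otherwise, and hands it to a peer device when it holds no association for the destination. Device names, MAC addresses and PSK identifiers are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple


class Action(Enum):
    FORWARD = "forward"    # destination has access to the sender's key
    DROP = "drop"          # destination known here but uses a different key
    TO_PEER = "to_peer"    # no association info here: hand to the second device


@dataclass
class Device:
    """An access point holding key information: MAC -> PSK identifier."""
    name: str
    psk_of: dict = field(default_factory=dict)

    def key_for(self, mac: str) -> Optional[str]:
        return self.psk_of.get(mac.lower())

    def handle_local(self, src_mac: str, dst_mac: str) -> Tuple[Action, str]:
        """Claims 1/2/9: a message from an attached terminal addressed to dst."""
        src_key = self.key_for(src_mac)
        if src_key is None:
            raise ValueError(f"{self.name}: no key association for {src_mac}")
        dst_key = self.key_for(dst_mac)
        if dst_key is None:
            return Action.TO_PEER, src_key   # claim 9: forward, naming the key used
        return (Action.FORWARD if dst_key == src_key else Action.DROP), src_key

    def handle_forwarded(self, key_id: str, dst_mac: str) -> Action:
        """Claim 9 (second device): deliver only if dst has access to key_id."""
        return Action.FORWARD if self.key_for(dst_mac) == key_id else Action.DROP


def relay(first: Device, second: Device, src_mac: str, dst_mac: str) -> Action:
    """Decision across two devices, e.g. a WiFi AP and an LTE AP (claim 6)."""
    action, key_id = first.handle_local(src_mac, dst_mac)
    if action is Action.TO_PEER:
        return second.handle_forwarded(key_id, dst_mac)
    return action


# Constructed sample: two APs, three PSKs, terminals identified by MAC.
AP1 = Device("ap1", {"aa:aa:aa:00:00:01": "psk-home", "aa:aa:aa:00:00:02": "psk-home",
                     "aa:aa:aa:00:00:03": "psk-guest"})
AP2 = Device("ap2", {"bb:bb:bb:00:00:01": "psk-home", "bb:bb:bb:00:00:02": "psk-iot"})
```

A terminal unknown to both devices is dropped at the second device, since it cannot be shown to have access to the key.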
Description
FIELD
The present application relates to wireless networks and, more particularly, to methods and/or apparatus which can be used to control and/or limit access to communicated information, e.g., traffic, communicated using a WLAN (Wireless Local Area Network) or another network.
BACKGROUND
US 2002/116606A1 relates to 'Encryption and decryption system for multiple node network'. Wireless local area networks (WLANs) and various other types of networks are commonly used to communicate information, e.g., data, between wireless devices such as cell phones and thus between users who use different cell phones. One common approach to providing security through the use of encryption involves the use of what is referred to as a PSK, which stands for Pre-Shared Key. In many systems, to avoid unauthorized use of a network and to provide security for information transmitted over the air, the information transmitted wirelessly is often encrypted, e.g., secured, using a security key, also sometimes referred to as an encryption key. WiFi systems often rely on the use of pre-shared keys (PSKs) for security to enable such encryption. In such systems the PSK is often used in combination with other information or values to generate a short-term encryption key that is used to encrypt and/or decrypt communications for a particular communications session and/or limited time period. While in such systems the PSK may not be used to directly encrypt or decrypt a particular communication, the PSK enables and is used in the securing, e.g., encryption, of the communication since it is used in the generation of the transient encryption key that performs the actual encryption/decryption of the transmitted or received communication. Wi-Fi Protected Access (WPA) is a commonly used security protocol developed by the Wi-Fi Alliance to secure wireless computer networks that relies on the use of PSKs.
WPA-Personal, also sometimes identified as WPA-PSK (pre-shared key) mode, is a common security approach designed for home and small office networks in which each wireless network device encrypts the network traffic using a 256 bit key. This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 ASCII characters. A WLAN protected with WPA security normally uses a single PSK (Pre-shared key) for all stations on the WLAN. Some vendors allow multiple PSKs ("private PSK" or "per-user PSK") on a single WLAN. In either the normal implementation, where a single PSK is used by all devices, or an implementation where different users use different PSKs, when data arrives from a wireless station the station's MAC address is used to look up the appropriate key, which is then used to decrypt the traffic. The equivalent key lookup is then used to re-encode the received traffic prior to transmission to a destination device. Thus, once received, the data is decoded and then re-encoded prior to transmission. While a PSK is used to secure the traffic sent over the air link, once decoded, assuming successful decoding of the content by the receiving access point, in conventional systems the original PSK does not affect or influence routing or retransmission decisions, with the successfully decoded data being routed and transmitted based on a destination address or other destination indicator included in the decoded traffic. As devices become multi-mode devices, it is becoming more common for data transmitted on one network to be communicated to another network for delivery to a destination device. Different networks may use different encryption techniques and, in current systems, may not have knowledge of how the traffic being sent over a communications network was originally encrypted, e.g., for transmission to an access point which receives the traffic from the original wireless terminal sending the traffic.
One approach to data security is to keep data in encrypted form as it is transmitted from a source device to a destination device thereby providing security by requiring that the receiving device be capable of decrypting the transmitted data in its original form. Such end to end encryption is often in addition to, and independent of, the encryption used over an airlink between a wireless terminal and an access point. When such end to end encryption is used, the network or networks over which the traffic is transmitted generally act as mere delivery devices with the end device being responsible for making sure that the traffic it receives is in fact traffic which the device is able to decrypt and use. In such an end to end encryption approach devices which receive data that they are not entitled to receive will be unable to decrypt the data since they will lack the security key required to perform such encryption; however, the network resources will have been wasted in delivering such content which was addressed to the destination device. While transmitting traffic without decrypting it at an access po