EP-4740525-A1 - METHODS AND APPARATUS FOR PROTECTING INFORMATION ELEMENTS
Abstract
Methods, apparatus and computer-readable media are disclosed for protecting information elements. In an embodiment, there is provided a method performed at a wireless device. The method comprises obtaining an identifier of the wireless device; obtaining an encryption key, wherein the encryption key is associated with the identifier; and communicating a frame between the wireless device and a first access point. The frame comprises the identifier of the wireless device and an information element encrypted with the encryption key.
Inventors
- MUTGAN, Orhan Okan
- YANG, ZHI JIE
- CHENG, GANG
- JIANG, YI MING
- LUO, YE
Assignees
- Nokia Technologies Oy
Dates
- Publication Date
- 20260513
- Application Date
- 20230707
Claims (20)
- An apparatus at a wireless device, the apparatus comprising: at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain an identifier of the wireless device; obtain an encryption key, wherein the encryption key is associated with the identifier; and communicate a frame between the wireless device and a first access point, wherein the frame comprises the identifier of the wireless device and an information element encrypted with the encryption key.
- The apparatus according to claim 1, wherein the frame is communicated before a security establishment between the wireless device and the first access point is completed.
- The apparatus according to claim 1 or 2, wherein when the instructions are executed by the at least one processor, the instructions cause the apparatus at least to obtain the identifier by: determining the identifier of the wireless device; and wherein the apparatus is further caused to transmit the determined identifier to the first access point, or to a second access point which belongs to a same network as the first access point.
- The apparatus according to any of claims 1 to 3, wherein when the instructions are executed by the at least one processor, the instructions cause the apparatus at least to obtain the encryption key by: generating the encryption key.
- The apparatus according to claim 4, wherein when the instructions are executed by the at least one processor, the instructions further cause the apparatus at least to: transmit the encryption key to the first access point or to a second access point which belongs to a same network as the first access point, wherein the encryption key is transmitted together with the identifier.
- The apparatus according to any of claims 1 to 3, wherein when the instructions are executed by the at least one processor, the instructions cause the apparatus at least to obtain the encryption key by: receiving the encryption key from the first access point or from a second access point which belongs to a same network as the first access point, wherein the encryption key is received together with the identifier.
- The apparatus according to any of claims 1 to 6, wherein the identifier and the encryption key are obtained during an initial connection of the wireless device to the first access point or a network of the first access point.
- The apparatus according to any of claims 1 to 7, wherein when the instructions are executed by the at least one processor, the instructions cause the apparatus at least to communicate the frame by: transmitting a first frame to the first access point, wherein the identifier is carried in a header field of the first frame and a first information element encrypted with the encryption key is carried in a payload field of the first frame.
- The apparatus according to claim 8, wherein the first frame is transmitted as a first pre-association security negotiation frame for a next connection to the first access point.
- The apparatus according to claim 9, wherein the first pre-association security negotiation frame is one of: a probe request frame, an authentication frame, an association request frame, an action frame, or a 4-way Handshake frame.
- The apparatus according to claim 10, wherein the first information element comprises at least one of: a device identifier of the wireless device in the first pre-association security negotiation frame for the next connection; an identifier of simultaneous authentication of equals password in the authentication frame for the next connection; or an identifier of pairwise master key in the association request for the next connection.
- The apparatus according to any of claims 1 to 11, wherein when the instructions are executed by the at least one processor, the instructions cause the apparatus at least to communicate the frame by: receiving a second frame from the first access point, wherein the identifier is carried in a header field of the second frame, and a second information element encrypted with the encryption key is carried in a payload field of the second frame; retrieving the encryption key according to the identifier carried in the second frame; and decrypting the second information element using the encryption key.
- The apparatus according to claim 12, wherein the second frame is received as a second pre-association security negotiation frame for a next connection from the first access point.
- The apparatus according to claim 13, wherein the second pre-association security negotiation frame is one of: a probe response frame, an authentication frame, an association response frame, an action frame, or a 4-way Handshake frame.
- The apparatus according to claim 14, wherein the second information element comprises at least one of: a device identifier of the wireless device in the second pre-association security negotiation frame for the next connection, or an identifier of simultaneous authentication of equals password in a second authentication frame for the next connection.
- The apparatus according to any of claims 1 to 15, wherein the identifier is an identifiable random medium access control (IRM) address of the wireless device.
- The apparatus according to any of claims 1 to 16, wherein the network is an extended service set.
- An apparatus at a first access point, the apparatus comprising: at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to: obtain an identifier of a wireless device; obtain an encryption key, wherein the encryption key is associated with the identifier; and communicate a frame between the wireless device and the first access point, wherein the frame comprises the identifier of the wireless device and an information element encrypted with the encryption key.
- The apparatus according to claim 18, wherein the frame is communicated before a security establishment between the wireless device and the first access point is completed.
- The apparatus according to claim 18 or 19, wherein when the instructions are executed by the at least one processor, the instructions cause the apparatus at least to obtain the identifier by: receiving the identifier from the wireless device or from a second access point which belongs to a same network as the first access point.
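The exchange the claims describe, as an added example constructed for this page (it is not code from the patent, from Nokia, or from IEEE 802.11bh): an STA determines its IRM address and generates a key during the initial, already-protected connection (claims 3 to 5 and 7); the APs of the ESS keep a shared IRM-to-key table (claims 17 and 20); and on the next connection the STA sends a pre-association frame whose header carries the IRM in the clear and whose payload carries the device-ID IE encrypted under that key, which the receiving AP decrypts after looking the key up by the header identifier (claims 8 to 12). The authenticated encryption here is an HMAC-SHA256 keystream with an HMAC tag, chosen only so the example runs on the Python standard library; a real implementation would use an AES-based AEAD. The class and function names, the frame layout, the key length and the device-ID element type code are assumptions of this example, not identifiers from the patent or the standard.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NONCE_LEN = 12
TAG_LEN = 16
DEVICE_ID_IE = 0x7F  # assumed element type code for the device-ID IE (not an IEEE 802.11 element ID)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode. A stand-in for the AES-based AEAD a real STA/AP
    would use; chosen only so the example needs nothing outside the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_ie(key: bytes, ie: bytes, header: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce. The tag also covers the clear-text
    header (the IRM address) so a payload cannot be replayed under another identifier."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(ie, _keystream(key, nonce, len(ie))))
    tag = hmac.new(key, header + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_ie(key: bytes, blob: bytes, header: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject anything that fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("payload too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, header + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("IE authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass(frozen=True)
class Frame:
    src_addr: bytes  # header field: the IRM address, sent in the clear
    payload: bytes   # nonce || encrypted IE || tag


def new_irm() -> bytes:
    """Random locally administered, unicast MAC address (first octet: bit 1 set, bit 0 clear)."""
    first = (os.urandom(1)[0] | 0x02) & 0xFE
    return bytes([first]) + os.urandom(5)


class Station:
    def __init__(self) -> None:
        self.irm = new_irm()       # claim 3: the STA determines its own identifier
        self.key = os.urandom(32)  # claim 4: the STA generates the key bound to it

    def initial_connection(self, ap: "AccessPoint") -> None:
        # Claims 5 and 7: IRM and key are handed to the AP during the initial connection,
        # i.e. over the link that the first RSNA already protects.
        ap.register(self.irm, self.key)

    def next_connection_frame(self, device_id: bytes) -> Frame:
        # Claims 8 to 11: the first pre-association frame of the next connection carries the
        # IRM in the header and the device-ID IE, encrypted under the IRM-bound key, in the payload.
        ie = bytes([DEVICE_ID_IE, len(device_id)]) + device_id
        return Frame(self.irm, seal_ie(self.key, ie, self.irm))


class AccessPoint:
    def __init__(self, ess_keys: Optional[Dict[bytes, bytes]] = None) -> None:
        # IRM -> key table. APs of one ESS share it (claims 17 and 20), so a second AP can
        # decrypt frames from an STA that the first AP provisioned.
        self.keys: Dict[bytes, bytes] = ess_keys if ess_keys is not None else {}

    def register(self, irm: bytes, key: bytes) -> None:
        self.keys[irm] = key

    def receive(self, frame: Frame) -> Optional[bytes]:
        # Claim 12: retrieve the key by the identifier in the header, then decrypt the IE.
        key = self.keys.get(frame.src_addr)
        if key is None:
            return None  # unknown IRM: nothing to identify, handle as a first-time STA
        ie = open_ie(key, frame.payload, frame.src_addr)
        if len(ie) < 2 or ie[0] != DEVICE_ID_IE or ie[1] != len(ie) - 2:
            raise ValueError("malformed device-ID IE")
        return ie[2:]


def demo() -> Tuple[Optional[bytes], Frame, AccessPoint]:
    """Provision via AP1, return to AP2 of the same ESS, recover the device ID there."""
    sta = Station()
    ap1 = AccessPoint()
    sta.initial_connection(ap1)
    ap2 = AccessPoint(ap1.keys)  # same ESS: shared table
    frame = sta.next_connection_frame(b"device-42")
    return ap2.receive(frame), frame, ap2


if __name__ == "__main__":
    recovered, frame, _ = demo()
    print("IRM in header:", frame.src_addr.hex(":"), "recovered device ID:", recovered)
```

Two details matter for a practitioner. First, the tag is computed over the clear-text IRM header as well as the ciphertext, so a payload captured from one STA cannot be spliced under another identifier even if the two happen to share a key; an AP that has never seen the IRM simply has nothing it can attribute. Second, the IRM itself still travels unencrypted in the header, as claims 8 and 12 require: the scheme protects the contents of the IE, and it is the per-ESS key table that turns the IRM into an identity only the ESS can resolve.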
Description
METHODS AND APPARATUS FOR PROTECTING INFORMATION ELEMENTS
TECHNICAL FIELD
Embodiments of the disclosure generally relate to wireless communication technology, and more particularly, to methods and apparatus for protecting information elements (IEs) by using an identifier of a wireless device, e.g., an identifiable random medium access control (IRM) address.
BACKGROUND
In conventional 802.11 standards, a non-access point (non-AP) station (STA), which may be simply referred to as an STA in the present disclosure, and an access point (AP) use a fixed, unencrypted medium access control (MAC) address in the frame header. This raises a privacy concern, because it allows others to track the STA and the AP by their MAC addresses. To prevent an STA and an AP from being tracked and to improve the privacy of the 802.11 standards, MAC address randomization has become a common technique. In this regard, the Institute of Electrical and Electronics Engineers (IEEE) 802.11bh and 802.11bi groups focus on identifying an STA that uses a random MAC address (RMA) without decreasing user privacy. The 802.11bh draft 1.0 (D1.0) defines two identification mechanisms, namely a network-generated identifier (such as a device ID) and an STA-generated identifier (such as an identifiable random MAC (IRM) address). An AP may generate an identifier (e.g., a unique number, called a device ID) for an STA and send it to the STA. The STA can then present that identifier again when it returns to the same AP or to the same extended service set (ESS) of the AP. By using the device ID, the STA may be identified by the AP or by other APs in the ESS. Alternatively, an STA may generate an identifier (e.g., a unique MAC address, called an IRM) for itself and send it to an AP. The STA can then use that MAC address again when it returns to the same AP or to the same ESS of the AP. By using the IRM, the STA may be identified by the AP or by other APs in the ESS.
When an STA returns to the same AP or to another AP of the same ESS, the information elements (IEs) included in management frames are sent over the air by the STA without protection, because they are transmitted before a robust security network association (RSNA) has been established between the STA and the AP. This becomes critical if those IEs carry personally identifiable information, such as a device ID: any third party can then track the STA based on the unprotected IEs.
SUMMARY
This summary is provided to introduce simplified concepts of the present disclosure. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. According to a first aspect of the disclosure, there is provided an apparatus at a wireless device. The apparatus comprises at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to obtain an identifier of the wireless device; obtain an encryption key, wherein the encryption key is associated with the identifier; and communicate a frame between the wireless device and a first access point. The frame comprises the identifier of the wireless device and an information element encrypted with the encryption key. According to some embodiments, the frame may be communicated before a security establishment between the wireless device and the first access point is completed. According to some embodiments, when the instructions are executed by the at least one processor, the instructions may cause the apparatus at least to obtain the identifier by determining the identifier of the wireless device. The apparatus may be further caused to transmit the determined identifier to the first access point, or to a second access point which belongs to the same network as the first access point.
According to some embodiments, when the instructions are executed by the at least one processor, the instructions may cause the apparatus at least to obtain the encryption key by generating the encryption key. The apparatus may be further caused to transmit the encryption key to the first access point or to a second access point which belongs to the same network as the first access point. The encryption key may be transmitted together with the identifier. According to some embodiments, when the instructions are executed by the at least one processor, the instructions may cause the apparatus at least to obtain the encryption key by receiving the encryption key from the first access point or from a second access point which belongs to the same network as the first access point. The encryption key may be received together with the identifier. According to some embodiments, the identifier and the encryption key may be obtained during an initial connection to the first access point or to a network of the first access point. According to some embodiments, when the instructions are executed by the at least one processor, the instruction