US-20260128877-A1 - SECURITY FOR COORDINATED ACCESS POINT (CAP) COMMUNICATIONS
Abstract
This disclosure provides methods, components, devices and systems for security for coordinated access point (CAP) communications. Some aspects more specifically relate to the establishment of a secret key shared between two or more access points (APs) that are associated with different basic service sets (BSSs) and the use of the shared key to secure pairwise or group-based transmissions between the APs. For example, two or more APs may exchange messages that indicate one or more CAP security-related capabilities of the APs. The APs may establish or otherwise negotiate one or more security schemes for securing the CAP communications between the APs, which may be pairwise CAP communications or group CAP communications. The APs may exchange one or more frames that indicate information for identifying a pairwise or group security key. The APs may exchange CAP communications that are protected in accordance with the established security key.
Inventors
- Abhishek Pramod PATIL
- Giovanni Chisci
- Alfred Asterjadhi
- Sai Yiu Duncan Ho
- Jouni Kalevi Malinen
- George Cherian
- Sanket Sanjay Kalamkar
- Gaurang NAIK
- Sherief HELWA
Assignees
- QUALCOMM INCORPORATED
Dates
- Publication Date: 20260507
- Application Date: 20241104
Claims (20)
- 1. A first access point (AP), comprising: a processing system that includes processor circuitry and memory circuitry that stores code, the processing system configured to cause the first AP to: transmit a message that requests or indicates support for establishing coordinated AP (CAP) communications between the first AP and a second AP that is associated with a second basic service set (BSS) different from a first BSS of the first AP, wherein the message indicates at least one of an ability to establish a secure CAP communication across BSSs or one or more first security parameters for securing the CAP communications across BSSs; receive one or more frames in accordance with the message and at least one of the ability to establish the secure CAP communication across BSSs or the one or more first security parameters, wherein the one or more frames indicate one or more second security parameters or a security key for the secure CAP communication between the first AP and the second AP; and receive the secure CAP communication in accordance with security information that is associated with the security key, the security key being established between the first AP and the second AP according to the one or more frames and the one or more first and second security parameters.
- 2. The first AP of claim 1, wherein, to transmit the message, the processing system is configured to cause the first AP to: transmit the message that indicates the one or more first security parameters, wherein the one or more first security parameters indicate, for each CAP communication scheme of one or more CAP communication schemes supported by the first AP, a respective security scheme supported by the first AP, and wherein the respective security scheme is one of a pairwise key establishment, a group key establishment, a message integrity protection, a message encryption, or any combination thereof.
- 3. The first AP of claim 1, wherein, to receive the one or more frames, the processing system is configured to cause the first AP to: receive, in accordance with an AP PeerKey protocol, one or more public key frames from the second AP, wherein the security key for the secure CAP communication between the first AP and the second AP is generated in accordance with information indicated via the one or more public key frames.
- 4. The first AP of claim 1, wherein, to receive the one or more frames, the processing system is configured to cause the first AP to: receive, as part of a handshake procedure between the first AP and the second AP, one or more CAP negotiation frames, one or more CAP notification frames, one or more CAP advertisement frames, or any combination thereof comprising one or more CAP management fields that indicate information associated with generation of the security key for the secure CAP communication between the first AP and the second AP, wherein receiving the secure CAP communication is in accordance with the handshake procedure and the security key.
- 5. The first AP of claim 1, wherein, to receive the one or more frames, the processing system is configured to cause the first AP to: receive, in accordance with a pre-association security negotiation (PASN) protocol, one or more PASN frames from the second AP, wherein the security key for the secure CAP communication between the first AP and the second AP is generated in accordance with information indicated via the one or more PASN frames.
- 6. The first AP of claim 1, wherein: the security key comprises a CAP group key for secure group CAP transmissions by the second AP to the first AP and one or more other APs; the secure CAP communication comprises a group CAP communication; and the security information is generated in accordance with the CAP group key.
- 7. The first AP of claim 1, wherein the processing system is further configured to cause the first AP to: generate, in accordance with a plurality of fields included before a message integrity check (MIC) field in the secure CAP communication and in accordance with the security key, a first MIC, and compare the first MIC with a second MIC indicated via the MIC field, wherein the security information comprises the second MIC.
- 8. The first AP of claim 1, wherein the processing system is further configured to cause the first AP to: decrypt the secure CAP communication in accordance with the security key, wherein the security information included in the secure CAP communication comprises information encrypted in accordance with the security key.
- 9. The first AP of claim 1, wherein, to receive the secure CAP communication, the processing system is configured to cause the first AP to: receive a frame associated with in-BSS communications and the CAP communications, the frame comprising a protection indication that indicates whether the security information applies to the CAP communications or not, wherein verification, by the first AP, of the secure CAP communication, is performed in accordance with the protection indication.
- 10. The first AP of claim 1, wherein, to receive the secure CAP communication, the processing system is configured to cause the first AP to: receive, via the secure CAP communication, one or more first fields that convey the security information for verifying a first portion of the secure CAP communication directed to the first AP; and receive, via the secure CAP communication, one or more second fields that convey second security information for verifying a second portion of the secure CAP communication comprising in-BSS communications by the second AP.
- 11. A second access point (AP), comprising: a processing system that includes processor circuitry and memory circuitry that stores code, the processing system configured to cause the second AP to: receive a message that requests or indicates support for establishing coordinated AP (CAP) communications between the second AP and a first AP that is associated with a first basic service set (BSS) different from a second BSS of the second AP, wherein the message indicates at least one of an ability to establish secure CAP communications across BSSs or one or more first security parameters for securing the CAP communications across BSSs; transmit one or more frames in accordance with the message and at least one of the ability to establish the secure CAP communications across BSSs or the one or more first security parameters, wherein the one or more frames indicate one or more second security parameters or a security key for the secure CAP communication between the first AP and the second AP; and transmit the secure CAP communication in accordance with security information that is associated with the security key, the security key being established between the first AP and the second AP according to the one or more frames and the one or more security parameters.
- 12. The second AP of claim 11, wherein, to receive the message, the processing system is configured to cause the second AP to: receive a message that indicates the one or more first security parameters, wherein the one or more security parameters indicate one or more CAP communication schemes supported by the first AP and indicate, for each CAP communication scheme of the one or more CAP communication schemes supported by the first AP, a respective security scheme supported by the first AP, and wherein the respective security scheme is one of a pairwise key establishment, a group key establishment, a message integrity protection, a message encryption, or any combination thereof.
- 13. The second AP of claim 11, wherein, to transmit the one or more frames, the processing system is configured to cause the second AP to: transmit, in accordance with an AP PeerKey protocol, one or more public key frames to the first AP, wherein the security key for the secure CAP communication between the first AP and the second AP is generated in accordance with information indicated via the one or more public key frames.
- 14. The second AP of claim 11, wherein, to transmit the one or more frames, the processing system is configured to cause the second AP to: transmit, as part of a handshake procedure between the first AP and the second AP, one or more CAP negotiation frames, one or more CAP notification frames, one or more CAP advertisement frames, or any combination thereof comprising one or more CAP management fields that indicate information associated with generation of the security key for the secure CAP communication between the first AP and the second AP, wherein transmitting the secure CAP communication is in accordance with the handshake procedure and the security key.
- 15. The second AP of claim 11, wherein, to transmit the one or more frames, the processing system is configured to cause the second AP to: transmit, in accordance with a pre-association security negotiation (PASN) protocol, one or more PASN frames to the first AP, wherein the security key for the secure CAP communication between the first AP and the second AP is generated in accordance with information indicated via the one or more PASN frames.
- 16. The second AP of claim 11, wherein, to transmit the one or more frames, the processing system is configured to cause the second AP to: transmit, to the first AP and one or more other APs via the one or more frames, the security key comprising a CAP group key for secure group CAP transmissions by the second AP, wherein the secure CAP communication comprises a group CAP communication to the first AP and the one or more other APs, and the security information is generated in accordance with the CAP group key.
- 17. The second AP of claim 11, wherein the processing system is further configured to cause the second AP to: generate, in accordance with a plurality of fields included before a message integrity check (MIC) field in the secure CAP communication and in accordance with the security key, a MIC; and transmit the MIC via the MIC field in the secure CAP communication, wherein the security information comprises the MIC.
- 18. The second AP of claim 11, wherein the processing system is further configured to cause the second AP to: encrypt, before transmitting the secure CAP communication, the secure CAP communication in accordance with the security key, wherein the security information included in the secure CAP communication comprises information encrypted in accordance with the security key.
- 19. The second AP of claim 11, wherein, to transmit the secure CAP communication, the processing system is configured to cause the second AP to: transmit a frame associated with in-BSS communications and the CAP communications, the frame comprising a protection indication that indicates whether the security information applies to the CAP communications or not, wherein verification, by the first AP, of the secure CAP communication, is performed in accordance with the protection indication.
- 20. The second AP of claim 11, wherein, to transmit the secure CAP communication, the processing system is configured to cause the second AP to: transmit, via the secure CAP communication, one or more first fields that convey the security information for verifying a first portion of the secure CAP communication; and transmit, via the secure CAP communication, one or more second fields that convey second security information for verifying a second portion of the secure CAP communication comprising in-BSS communications by the second AP.
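The MIC handling recited in claims 7 and 17, together with the protection indication of claims 9 and 19, sketched as an added example that is not part of the application. The frame layout, the `PROTECTED` flag bit, the use of truncated HMAC-SHA-256 as the MIC, the `require_protection` policy switch, and all function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Assumed frame layout (not from the application):
#   flags(1) | sender BSSID(6) | body length(2) | body | MIC(16, only if protected)
HDR = struct.Struct("!B6sH")
MIC_LEN = 16
PROTECTED = 0x01  # assumed bit carrying the "protection indication"

# Constructed sample values; a real key would come from the key establishment.
SAMPLE_KEY = bytes(range(32))
SAMPLE_BSSID = bytes.fromhex("020000000001")


def compute_mic(key: bytes, fields_before_mic: bytes) -> bytes:
    """MIC over every field that precedes the MIC field (HMAC-SHA-256 assumed)."""
    return hmac.new(key, fields_before_mic, hashlib.sha256).digest()[:MIC_LEN]


def build_cap_frame(key: bytes, bssid: bytes, body: bytes, protect: bool = True) -> bytes:
    """Sender side (claim 17): generate the MIC and carry it in the MIC field."""
    covered = HDR.pack(PROTECTED if protect else 0, bssid, len(body)) + body
    return covered + (compute_mic(key, covered) if protect else b"")


def verify_cap_frame(key: bytes, frame: bytes, require_protection: bool = True):
    """Receiver side (claims 7 and 9). Returns (status, body or None)."""
    if len(frame) < HDR.size:
        return "malformed", None
    flags, _bssid, body_len = HDR.unpack_from(frame)
    protected = bool(flags & PROTECTED)
    if len(frame) != HDR.size + body_len + (MIC_LEN if protected else 0):
        return "malformed", None
    body = frame[HDR.size:HDR.size + body_len]
    if not protected:
        # An unprotected frame has no MIC, so the indication itself is not
        # authenticated. Policy assumed here: once a key is established,
        # the receiver does not act on unprotected CAP content.
        return ("unprotected-rejected", None) if require_protection else ("unprotected", body)
    covered, received_mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
    # First MIC (recomputed) versus second MIC (from the MIC field),
    # compared in constant time.
    if not hmac.compare_digest(compute_mic(key, covered), received_mic):
        return "bad-mic", None
    return "ok", body
```

Because the indication sits among the fields before the MIC field, it is covered by the MIC whenever the frame is protected; the `require_protection` switch addresses the remaining case, where a frame arrives with the indication cleared and no MIC at all.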
Description
TECHNICAL FIELD

This disclosure relates generally to wireless communication and, more specifically, to security for coordinated access point (CAP) communications.

DESCRIPTION OF THE RELATED TECHNOLOGY

Wireless communication networks may include various types of wireless communication devices including network entities (such as wireless access points (AP) or base stations (BS)), client devices (such as wireless stations (STAs) or user equipment (UEs)), and other wireless nodes. These wireless communication devices may communicate with one another via a variety of technologies and wireless communication protocols, including wireless local area network (WLAN) or Wi-Fi-based protocols or cellular (such as 4G, 5G, or 6G)-based protocols. The wireless communication networks may be capable of supporting communication with multiple users by sharing the available system resources (such as time, frequency, and spatial resources). To enable features or provide improved performance, the wireless communication devices may employ technologies such as orthogonal frequency divisional multiple access (OFDMA), multi-user Multiple-Input Multiple-Output (MU-MIMO), spatial multiplexing, and beamforming. For greater inter-operability, the wireless communication networks may support backwards compatibility (such as supporting legacy wireless communication devices) as well as forward compatibility (such as supporting communication with wireless communication devices compatible with next-generation wireless communication standards).

SUMMARY

The systems, methods, and devices of this disclosure each have several innovative aspects, no single one of which is solely responsible for the desirable attributes disclosed herein.

One innovative aspect of the subject matter described in this disclosure can be implemented in a method for wireless communication at a first access point (AP). The method may include transmitting a message that requests or indicates support for establishing coordinated AP (CAP) communications between the first AP and a second AP that is associated with a second basic service set (BSS) different from a first BSS of the first AP, where the message indicates at least one of an ability to establish a secure CAP communication across BSSs or one or more first security parameters for securing the CAP communications across BSSs, receiving one or more frames in accordance with the message and at least one of the ability to establish the secure CAP communication across BSSs or the one or more first security parameters, where the one or more frames indicate one or more second security parameters or a secure security key for the secure CAP communication between the first AP and the second AP, and receiving the secure CAP communication in accordance with security information that is associated with the security key, the security key being established between the first AP and the second AP according to the one or more frames and the one or more first and second security parameters.

Another innovative aspect of the subject matter described in this disclosure can be implemented by a first AP. The first AP may include a processing system that includes processor circuitry and memory circuitry that stores code. The processing system may be configured to cause the first AP to transmit a message that requests or indicates support for establishing CAP communications between the first AP and a second AP that is associated with a second BSS different from a first BSS of the first AP, where the message indicates at least one of an ability to establish a secure CAP communication across BSSs or one or more first security parameters for securing the CAP communications across BSSs, receive one or more frames in accordance with the message and at least one of the ability to establish the secure CAP communication across BSSs or the one or more first security parameters, where the one or more frames indicate one or more second security parameters or a secure security key for the secure CAP communication between the first AP and the second AP, and receive the secure CAP communication in accordance with security information that is associated with the security key, the security key being established between the first AP and the second AP according to the one or more frames and the one or more first and second security parameters.

Another innovative aspect of the subject matter described in this disclosure can be implemented by another first AP. The first AP may include means for transmitting a message that requests or indicates support for establishing CAP communications between the first AP and a second AP that is associated with a second BSS different from a first BSS of the first AP, where the message indicates at least one of an ability to establish a secure CAP communication across BSSs or one or more first security parameters for securing the CAP communications across BSSs, means for receiving one or more frames in accordance with the message