Associating pre-shared keys with client devices based on message integrity check values

US12244695B2 · US · B2

Patent metadata

Publication number: US-12244695-B2
Application number: US-202218050083-A
Country: US
Kind code: B2
Filing date: Oct 27, 2022
Priority date: Oct 27, 2022
Publication date: Mar 4, 2025
Grant date: Mar 4, 2025

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title: what the patent document calls the invention.
  2. Abstract: a short plain-language summary of the technical disclosure.
  3. Assignees and inventors: who owns or filed the patent and who is credited as inventor.
  4. Key dates: filing, priority, publication, and grant dates set the timeline.
  5. First independent claim: the legal scope of protection; read this for what is actually claimed.
  6. CPC / IPC classifications: technology tags used to group this patent with similar filings.
  7. Citations and related patents: prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A process includes accessing a first message that is sent from an access point device. The first message includes data representing a second message that is sent by a client device. The second message is part of an exchange of messages between the client device and the access point device associated with authentication of the client device and a derivation of a first key used to encrypt and decrypt data communicated between the client device and the access point device. The second message includes a first message integrity check value. The process includes identifying, based on the second message, a pre-shared key corresponding to the client device. The identification of the pre-shared key includes determining a second message integrity check value based on a candidate pre-shared key of a plurality of candidate pre-shared keys; comparing the second message integrity check value with the first message integrity check value; and based on a result of the comparison, selecting the given candidate pre-shared key as the pre-shared key. The process includes determining a user role based on the pre-shared key. The process includes causing a third message to be sent to the access point device, where the third message includes data representing the pre-shared key and data representing the user role.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: accessing a first message sent from an access point device, wherein the first message comprises data representing a second message sent by a client device, wherein: the second message is part of an exchange of messages between the client device and the access point device associated with authentication of the client device and a derivation of a first key used to encrypt and decrypt data communicated between the client device and the access point device; and the second message comprises a first message integrity check value; identifying, based on the second message, a pre-shared key corresponding to the client device, wherein identifying the pre-shared key comprises: determining a second message integrity check value based on: a candidate pre-shared key of a plurality of candidate pre-shared keys; a content of the second message; and a length of the second message; comparing the second message integrity check value with the first message integrity check value; and based on a result of the comparison, selecting the given candidate pre-shared key as the pre-shared key; determining a user role based on the pre-shared key; and causing a third message to be sent to the access point device, wherein the third message comprises data representing the pre-shared key and data representing the user role.

2. The method of claim 1, wherein identifying the pre-shared key further comprises: applying a first key derivation function to determine, for each candidate pre-shared key of the plurality of candidate pre-shared keys, a candidate pre-shared master key based on the candidate pre-shared key to provide a plurality of candidate pre-shared master keys; and determine the second message integrity check value based on a given candidate pre-shared master key of the plurality of candidate pre-shared master keys.

3. The method of claim 2, wherein identifying the pre-shared key further comprises: apply a second key derivation function to determine, for the given candidate pre-shared master key, a pairwise temporal key; and determine the second message integrity check value based on the pairwise temporal key.

4. The method of claim 3, wherein: the pairwise temporal key comprises a key confirmation key; and identifying the pre-shared key further comprises determining the second message integrity check value based on the key confirmation key.

5. The method of claim 1, wherein identifying the pre-shared key further comprises: applying a cryptographic hash function to the content of the second message and the candidate pre-shared key to provide a hash value representing the second message integrity check value; comparing the hash value with the first message integrity check value; and based on the result of the comparison of the hash value with the first message integrity check value, selecting the given candidate pre-shared key as the pre-shared key.

6. The method of claim 1, wherein identifying the pre-shared key further comprises: identifying the plurality of candidate pre-shared keys based on a media access control (MAC) address of the access point device.

7. An apparatus comprising: a hardware processor; and a memory to store instructions, that, when executed by the hardware processor, cause the hardware processor to: access a first message sent from an access point device, wherein the first message comprises data representing a second message sent by a client device, wherein: the second message is part of an exchange of messages between the client device and the access point device associated with authentication of the client device and a derivation of a first key used to encrypt and decrypt data communicated between the client device and the access point device; and the second message comprises a first message integrity check value; identify, based on the second message, a pre-shared key corresponding to the client device, wherein identifying the pre-shared key comprises: determining a second message integrity check value based on: a candidate pre-shared key of a plurality of candidate pre-shared keys; a content of the second message; and a length of the second message; comparing the second message integrity check value with the first message integrity check value; and based on a result of the comparison, selecting the given candidate pre-shared key as the pre-shared key; determine a user role based on the pre-shared key; and cause a third message to be sent to the access point device, wherein the third message comprises data representing the pre-shared key and data representing the user role.

8. The apparatus of claim 7, wherein: the first message comprises an identifier for the access point device; and the instructions, when executed by the hardware processor, further cause the hardware processor to identify the plurality of candidate pre-shared keys based on the identifier for the access point device.

9. The apparatus of claim 7, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to: apply a cryptographic hash function to the content of the second message and the candidate pre-shared key to provide a hash value representing the second message integrity check value; compare the hash value with the first message integrity check value; and based on the result of the comparison of the hash value with the first message integrity check value, select the given candidate pre-shared key as the pre-shared key.

10. The apparatus of claim 7, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to: determine a candidate pre-shared master key based on the given candidate pre-shared key; and determine the second message integrity check value based on the candidate pre-shared master key.

11. The apparatus of claim 10, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to: determine a candidate pairwise transient key based on the candidate pre-shared master key; and determine the second message integrity check value based on the candidate pairwise transient key.

12. The apparatus of claim 11, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to determine the candidate pairwise transient key based on a wireless network identifier.

13. The apparatus of claim 7, wherein the instructions, when executed by the hardware processor, further cause the hardware processor to select the plurality of candidate pre-shared keys based on a media access control (MAC) address corresponding to the access point device.

14. The apparatus of claim 7, wherein the first message corresponds to a request to authorize the client device to access a network, and the third message corresponds to the request being granted.

15. A non-transitory machine-readable storage medium that stores machine-readable instructions that, when executed by a machine, cause the machine to: receive, from an access point device, an authorization request message, wherein the authorization request message corresponds to an authorization for a client device to access a network via the access point device, the authorization message comprising data representing a second message sent by the client device, and a content of the second message containing a message content cryptographically bound, via a first message integrity check value, to a first pre-shared key; access a directory comprising a plurality of candidate pre-shared keys; based on the message content, iden
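The abstract and claims 1 through 14 describe one procedure: the access point forwards the client's handshake message that carries a message integrity check (MIC), the receiver recomputes the MIC under each candidate pre-shared key (PSK to pairwise master key to pairwise transient key to key confirmation key), keeps the candidate whose MIC matches, maps it to a role, and returns key and role to the access point. The following is an added example written for this page, not code from the patent or from Hewlett Packard Enterprise. It assumes the concrete WPA2-PSK instance of that exchange (AKM 00-0F-AC:2 with CCMP: PBKDF2-HMAC-SHA1 for the PMK, PRF-384 over HMAC-SHA1 for the PTK, HMAC-SHA1-128 for the MIC over EAPOL-Key message 2 of the 4-way handshake), which the claims do not name; the SSID, MAC addresses, nonces, the PSK directory with its roles, and every function name are constructed for the demonstration.

```python
# Added example (not the patent's or HPE's code): a WPA2-PSK candidate-key search over
# EAPOL-Key message 2 of the 4-way handshake, following the abstract and claims 1-6/10-14.
# The directory, MAC addresses, nonces, passphrases and roles are constructed for the demo.
import hashlib
import hmac
import struct

SSID = b"corp-wifi"                         # wireless network identifier (claim 12); constructed
AP_MAC = bytes.fromhex("02aabbccdd01")      # constructed BSSID; scopes the candidate set (claims 6, 13)
CLIENT_MAC = bytes.fromhex("02112233aa01")  # constructed supplicant address
ANONCE = bytes(range(32))                   # constructed AP nonce, as sent in message 1
SNONCE = bytes(range(32, 64))               # constructed client nonce, carried in message 2
# RSN IE advertising CCMP/PSK, carried as message-2 key data (covered by the MIC)
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
MIC_OFFSET = 81                             # Key MIC field offset inside the frame built below

# Constructed directory: AP MAC -> [(passphrase, user role)]; claim 1 returns both to the AP.
PSK_DIRECTORY = {
    AP_MAC: [("guest-passphrase-1", "guest"),
             ("iot-sensor-key-99", "iot"),
             ("employee-secret-7", "employee")],
}


def pmk_from_psk(passphrase, ssid):
    """802.11 passphrase-to-PMK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits (claim 2's first KDF)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf_sha1(key, label, data, nbytes):
    """802.11 PRF-n over HMAC-SHA1, as used for WPA2 PTK derivation with AKM 00-0F-AC:2."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def kck_from_pmk(pmk, aa, spa, anonce, snonce):
    """Second KDF (claims 3, 11): PTK = PRF-384(PMK, "Pairwise key expansion", sorted MACs || sorted nonces).
    The key confirmation key (claim 4) is the first 128 bits of the PTK; only it is needed for the MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)[:16]


def build_eapol_m2(snonce, mic=bytes(16), key_data=RSN_IE):
    """Pack a constructed EAPOL-Key message 2 (descriptor version 2: HMAC-SHA1-128 MIC)."""
    key_info = 0x010A  # version 2 | pairwise | MIC bit set
    body = struct.pack(">BHHQ", 2, key_info, 0, 1)         # RSN descriptor, key info, key length, replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8) + mic  # key nonce, key IV, key RSC, key ID, key MIC
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body      # EAPOL v2, type EAPOL-Key, body length


def eapol_key_mic(kck, frame):
    """MIC over the whole frame, EAPOL header and length field included (claim 1), with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def client_build_m2(passphrase, ssid, aa, spa, anonce, snonce):
    """What a genuine supplicant does: derive its KCK from its own PSK and sign message 2."""
    kck = kck_from_pmk(pmk_from_psk(passphrase, ssid), aa, spa, anonce, snonce)
    return build_eapol_m2(snonce, mic=eapol_key_mic(kck, build_eapol_m2(snonce)))


_pmk_cache = {}  # (passphrase, ssid) -> PMK; the PMK does not depend on the handshake, so claim 2's precomputation can be cached


def candidate_pmks(ap_mac, ssid):
    """Candidate set scoped by the AP's MAC (claims 6, 13), each with its pre-derived PMK (claims 2, 10)."""
    for passphrase, role in PSK_DIRECTORY.get(ap_mac, []):
        key = (passphrase, ssid)
        if key not in _pmk_cache:
            _pmk_cache[key] = pmk_from_psk(passphrase, ssid)
        yield passphrase, role, _pmk_cache[key]


def identify_psk(ap_mac, client_mac, anonce, m2_frame, ssid):
    """Claim 1: recompute the MIC under each candidate and select the one whose MIC matches."""
    snonce = m2_frame[17:49]                          # Key Nonce field of message 2
    received_mic = m2_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for passphrase, role, pmk in candidate_pmks(ap_mac, ssid):
        kck = kck_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)
        if hmac.compare_digest(eapol_key_mic(kck, m2_frame), received_mic):
            return passphrase, role
    return None  # no candidate matches: unknown PSK, tampered frame, or an ANonce the AP did not send


def handle_authorization_request(request):
    """The 'third message' (claims 1, 14): grant with PSK and role so the AP can finish the handshake, or deny."""
    found = identify_psk(request["ap_mac"], request["client_mac"], request["anonce"],
                         request["eapol_m2"], request["ssid"])
    if found is None:
        return {"granted": False}
    return {"granted": True, "psk": found[0], "role": found[1]}


if __name__ == "__main__":
    m2 = client_build_m2("iot-sensor-key-99", SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    print(handle_authorization_request({"ap_mac": AP_MAC, "client_mac": CLIENT_MAC, "anonce": ANONCE,
                                        "ssid": SSID, "eapol_m2": m2}))
```

Two points a practitioner should take from this. First, the search is exactly the offline test that anyone holding a captured handshake can run against a wordlist; the server only wins because its candidate set is small and scoped per access point (claims 6 and 13), so that directory and the channel carrying the PSK back to the access point (claim 14) need the same protection as the keys themselves. Second, the access point must supply the ANonce it actually sent in message 1 and the client's real MAC; with any other values no candidate matches, which is the same outcome as a tampered frame or a PSK that is not in the directory. The code follows the KDF chain of claims 2 through 4 and 10 through 12 rather than the single-hash variant of claims 5 and 9.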

Assignees

Hewlett Packard Entpr Dev Lp

Inventors

Classifications

  • H04L9/085 (primary): Secret sharing or secret splitting, e.g. threshold schemes (CPC title)
  • (CPC code not shown on this page): involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC (CPC title)
  • H04L9/0825 (primary): using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates (CPC title)

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12244695B2 cover?
A method in which the device that receives an access point's authorization request obtains a copy of a client's message from the key-derivation exchange, the one carrying a message integrity check value, recomputes that value under each of a set of candidate pre-shared keys until one matches, treats the matching candidate as the client's pre-shared key, determines a user role from it, and returns both the key and the role to the access point. The full abstract and first claim appear above.
Who is the assignee on this patent?
Hewlett Packard Entpr Dev Lp
What technology area does this patent fall under?
Primary CPC classification H04L9/085. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 4, 2025 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).