WIRELESS SIGNAL CODING AND AUTHENTICATION

FIELD AND BACKGROUND OF THE INVENTION

The present invention relates to a system and method of improving security in wireless communications and, more particularly, to a method of authenticating clients in a wireless data network. A wireless data network is useful to provide all the functionality of a wired network but without using a physical connection, e.g. cable. Typically, data is modulated onto a radio frequency carrier, transmitted, demodulated and received using wireless modems. A wireless network is connected to a wired local area network with a device known as an access point. The access point generally includes one or more receivers and transmitters for wireless communication to client transceivers connected to computers of the wireless local area data network. The access point generally has a wired connection to a wired local area network. 802.11 is a set of specifications developed by the IEEE for wireless LANs. 802.11 provides transmission in the 2.4 GHz ISM (Industrial, Scientific and Medical) unlicensed band and the 5 GHz transmission band. Wireless network technology based on 802.11 standards is known as "Wi-Fi". 802.11 specifications are incorporated by reference for all purposes as if fully set forth herein. Local area networks are secured to prevent unauthorized users from gaining access to the network, from acquiring sensitive or proprietary information, or from causing damage to network resources. Since wireless data networks broadcast signals, unauthorized access is more easily achieved than in wired networks if the transmissions are not sufficiently secure. According to IEEE 802.11, Wi-Fi networks are secured with a system known as Wired Equivalent Privacy (WEP), an encryption system for the data that 802.11 broadcasts through the air. A casual user, therefore, requires a WEP key in order to decrypt the transmitted data.
However, the WEP encryption system can be and has been broken or a WEP key may be acquired illegitimately. Some of these weaknesses were addressed by the development of WPA (WiFi Protected Access). WPA uses the TKIP protocol (Temporal Key Integrity Protocol) which can change the encryption key for each packet of data, thus significantly increasing security.
Before a decryption key is distributed to a user allowing the user access to network resources, the user must be authenticated. In wired networks, authentication is often achieved with the possession of a token. The token typically generates a single use or one time password by hashing parameters such as a user identification number and time. The passwords are periodically keyed in by hand into the client computer or, alternatively, a separate computer input port, e.g. USB, is used to periodically input the passwords. There is thus a need for, and it would be highly advantageous to have, a system and method for periodically authenticating clients of wireless networks using the protocol of the wireless network, thereby avoiding keying of passwords by hand or using an additional computer port.
SUMMARY OF THE INVENTION

According to the present invention there is provided a system for authenticating a client wireless transceiver in communication with a wireless access point, in a wireless data communications network, the system including: a wireless tagging device modulating a security code onto a communications signal transmitted from an antenna operatively connected to the client wireless transceiver thereby transmitting a tagged communications signal; and a tag receiver, operatively connected to the wireless access point, the tag receiver including a demodulator which demodulates the tagged communications signal and outputs a security signal including the security code. Preferably, the wireless tagging device includes a terminating load operatively connected to a tagging radiative element and the modulating is performed by changing the amount of energy contained in the communications signal reflected from the radiative element. Preferably, the terminating load includes an electronic component such as a diode, an inductor, a capacitor, a resistor or a transistor. Preferably, the wireless tagging device further includes an energy detector which detects the communications signal and triggers a timer when there is communications activity. Preferably, the wireless tagging device is placed in the proximity of the antenna within one wavelength of the communications signal. Preferably, the tag receiver further includes a de-framer which inputs the security signal and extracts the security code. According to the present invention there is provided a method for authenticating a client wireless transceiver in communication with a wireless access point, in a wireless data
communications network, the method including: modulating a security code onto a communications signal transmitted from an antenna operatively connected to the client wireless transceiver thereby transmitting a tagged communications signal; and demodulating the tagged communications signal thereby outputting a security signal including the security code. Preferably, the modulating is performed by changing the amount of energy contained in the communications signal reflected from said radiative element. Preferably, the modulating is during a portion of a physical layer frame used solely for system tuning. Preferably the method includes, prior to the modulating: hashing a one time password included in the security code. Preferably, the method further includes de-framing the security signal and extracting the security code. According to the present invention there is provided a wireless tagging system for authenticating communications with a wireless access point, in a wireless data communications network, the system comprising: a message modulator which modulates a security code onto a wireless communications signal to produce a tagged communications signal including the security code; an antenna operatively connected to the message modulator which transmits the tagged communications signal; and a client wireless transceiver which receives the tagged communications signal and produces and transmits a second tagged communications signal including the security code, the second tagged communications signal received by the wireless access point. Preferably, the wireless tagging system further includes: a password generator for generating the security code as input to the message modulator.
According to the present invention there is provided a method for authenticating communications from a client wireless transceiver to a wireless access point, in a wireless data communications network, the method including modulating a security code onto a wireless communications signal to produce a tagged communications signal including the security code; transmitting the tagged communications signal; receiving the tagged communications signal by the client wireless transceiver; and responding to the tagged communications signal by producing and transmitting a second tagged communications signal including the security code and receiving the second tagged communications signal by at least one receiver of the wireless access point. Preferably, the method includes extracting the security code from the second tagged communications signal. Preferably, the modulating
and the transmitting are performed by a wireless tagging device at a distance from the client wireless transceiver, the said distance controlled by the strength of the said tagged communications signal.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is herein described, by way of example only, with reference to the accompanying drawings, wherein: FIG. 1 is a simplified system drawing, according to an embodiment of the present invention, for authenticating a client in a wireless data network; FIG. 2 is a simplified flow diagram of a method of authentication according to an embodiment of the present invention; FIG. 3 is a simplified block diagram of a tagging device, according to an embodiment of the present invention; FIG. 4 is a simplified block diagram of a tag receiver, according to an embodiment of the present invention; FIG. 5 is a simplified block diagram of a security receiver block, a part of a tag receiver, according to an embodiment of the present invention; FIG. 6 is a simplified block diagram of a de-framer block, a part of a tag receiver, according to an embodiment of the present invention; FIG. 7 is a drawing of a physical layer protocol frame for the 802.11a wireless standard; FIG. 8 is a simplified system drawing, according to a second embodiment of the present invention, for authenticating a client in a wireless data network; FIG. 9 is a simplified flow diagram of a method of authentication according to the second embodiment of the present invention; FIG. 10 is a simplified block diagram of a tagging device, according to the second embodiment of the present invention.
DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention is of a system and method for authenticating clients in a wireless data network. Specifically, the system generates a sequence of one-time (single use) passwords based on a secret pass phrase. A tagging device is placed in the proximity of a
client transceiver. Passwords are periodically modulated onto a communications signal. The tagged communications signal is transmitted by a client transmitter and received by an access point. The receiver at the access point demodulates and extracts the security code from the tagged communications signal and authenticates the client transceiver, for example by contacting an authentication server. The term "authentication" when referring to a client transceiver refers herein to authentication of a user who is using a computer equipped with the client transceiver, authentication of the computer and/or authentication of an application installed on the computer equipped with the client transceiver. The principles and operation of a system and method for authenticating clients in a wireless local area data network, according to the present invention, may be better understood with reference to the drawings and the accompanying description. Before explaining embodiments of the invention in detail, it is to be understood that the invention is not limited in its application to the details of construction and the arrangement of the components set forth in the following description or illustrated in the drawings. The invention is capable of other embodiments or of being practiced or carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein is for the purpose of description and should not be regarded as limiting. As such, those skilled in the art will appreciate that the conception, upon which this disclosure is based, may readily be utilized as a basis for the designing of other methods and systems for carrying out the several purposes of the present invention. It is important, therefore, that the claims be regarded as including such equivalent constructions insofar as they do not depart from the spirit and scope of the present invention.
By way of introduction, principal intentions of the present invention are to: (1) provide a device that adds a security code to a signal transmitted from a client transceiver when the device is placed in the vicinity of the client transceiver and (2) extract the code with a wireless receiver in a standard access point or provide a modified access point receiver that extracts the security code from the communications signal for authentication purposes. It should be noted that while the discussion herein is directed to wireless local area networks, the principles of the present invention may be adapted for use in, and provide benefit for, other wireless data networks such as a data network over a cellular mobile
telephone network, e.g. GPRS over GSM, and access networks such as 802.16 and 802.20, and UWB. Furthermore, the modulation type may be any such mechanism known in the art, including frequency division multiplexing, phase shift keying, spread spectrum, code division multiple access, frequency and amplitude modulation. The terms "security code" and "tag" are used herein interchangeably. Referring now to the drawings, Figure 1 illustrates system 10 for achieving wireless authentication in a wireless network, a client transceiver 105 including a client transceiver antenna 109 in wireless communication with a wireless access point 111 including an antenna array 107 and multiple receivers 115. A tagging device 103 including a radiative element 113 is placed in proximity to client transceiver antenna 109. System 10 further includes a tag receiver 101 operatively connected to access point receivers 115. Referring also to Figure 2, a wireless authentication method is shown using system 10. Tagging device 103 typically includes memory and a processor. Software instructions are downloaded (step 201) into tagging device 103, and optionally a unique private key is downloaded as well during the manufacturing and issuing process of tagging device 103. Tagging device 103 hashes (step 203) a one-time, i.e. single-use, password using a number of parameters, one of which is typically time. The hash result together with a client identifier, e.g. user identifier, are included in the tag or security code to be transferred. The security code is modulated (step 207) onto wireless transmission from client transceiver 105 only when tagging device 103 is placed in the vicinity of client transceiver antenna 109, typically less than one wavelength, on the order of half a wavelength, e.g. 6 cm for a 2.4 GHz communications signal. Referring now also to Figure 3, a block diagram of tagging device 103 is shown.
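The password hashing of step 203 and the packetised security code that the de-framer of Figure 6 later reassembles, as an added Python example that is not part of the patent; the HMAC construction, the time window, the CRC-16 choice, the packet layout and every key and identifier value are assumptions made here for illustration.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional

# Constructed values, not from the patent: a per-tag private key loaded at
# manufacture (step 201), a client identifier, and a password time window.
PRIVATE_KEY = b"example-private-key-issued-at-manufacture"
CLIENT_ID = b"user0042"
WINDOW_SECONDS = 30       # time is one of the hashed parameters (step 203)
OTP_LEN = 8               # bytes of hash kept as the one-time password
CHUNK = 4                 # payload bytes carried by each over-the-air packet


def one_time_password(key: bytes, client_id: bytes, now: float) -> bytes:
    """Step 203: hash a single-use password from the client id and time window."""
    window = int(now // WINDOW_SECONDS)
    return hmac.new(key, client_id + struct.pack(">Q", window),
                    hashlib.sha256).digest()[:OTP_LEN]


def security_code(key: bytes, client_id: bytes, now: float) -> bytes:
    """The tag carried on the air: client identifier followed by the password."""
    return client_id + one_time_password(key, client_id, now)


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE, the per-packet check decoded by decoder 601."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def frame(code: bytes) -> List[bytes]:
    """Split the security code into packets: serial number, packet count,
    fixed-size payload chunk, CRC over all of the preceding bytes."""
    chunks = [code[i:i + CHUNK] for i in range(0, len(code), CHUNK)]
    packets = []
    for serial, chunk in enumerate(chunks):
        body = struct.pack(">BB", serial, len(chunks)) + chunk.ljust(CHUNK, b"\0")
        packets.append(body + struct.pack(">H", crc16(body)))
    return packets


def deframe(packets: List[bytes], code_len: int) -> Optional[bytes]:
    """Reassembler 603: drop packets whose CRC fails (the tag repeats them on
    its next period), order the rest by serial number, and return the security
    code once every slot is filled, else None."""
    slots: Dict[int, bytes] = {}
    total: Optional[int] = None
    for packet in packets:
        body, rx_crc = packet[:-2], struct.unpack(">H", packet[-2:])[0]
        if crc16(body) != rx_crc:
            continue
        serial, total = struct.unpack(">BB", body[:2])
        slots[serial] = body[2:]
    if total is None or any(i not in slots for i in range(total)):
        return None
    return b"".join(slots[i] for i in range(total))[:code_len]


def authenticate(key: bytes, code: bytes, now: float, skew: int = 1) -> bool:
    """Access point / authentication server side: recompute the password for the
    current window and `skew` windows either side, comparing in constant time."""
    client_id, otp = code[:-OTP_LEN], code[-OTP_LEN:]
    for k in range(-skew, skew + 1):
        expected = one_time_password(key, client_id, now + k * WINDOW_SECONDS)
        if hmac.compare_digest(expected, otp):
            return True
    return False
```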
An energy detector 31 is optionally used to detect wireless communications activity. If wireless communications activity is detected (step 205), tagging device 103 is triggered to operate. Alternatively, tagging device 103 operates continuously and periodically. Tagging device 103 achieves modulation (step 207) of the signal transmitted from client transceiver 105 with the use of a terminating load 301 operatively connected, by e.g. coaxial cable or transmission line, to radiative element 113. Terminating load 301 includes an electronic component, e.g. diode, inductor, capacitor, resistor or transistor, in which the
matching impedance to radiative element 113 is varied. For instance, terminating load 301 including a diode changes matching impedance to radiative element 113 when bias current through the diode is varied. Similarly, an inductor, e.g. a coil, changes its matching impedance to radiative element 113 when the coil is shorted with a switch. Modulation (step 207) is achieved therefore when radiative element 113 is placed in the vicinity of client transceiver antenna 109. The radiative properties of client transceiver antenna 109 are modified, e.g. by multipath modulation, by the presence of radiative element 113 with terminating load 301 under modulation, by changing the amount of energy emitted from antenna 109 and reflected by radiative element 113. Hence, the communications signal transmitted from antenna 109 is modulated (step 207) by the presence of tagging device 103. Tagging device 103 further includes a security code generator 303. Security code generator 303 is operatively connected to a modulator 305. Modulator 305 modulates terminating load 301 for example by varying bias current through a diode. Periodic triggering of the modulator is provided by a timer/clock 307; alternatively or in addition, a trigger is provided to modulator 305 through timer/clock 307 from energy detector 31. Energy detector 31 detects independently different frequency bands commonly used in wireless LANs. For instance, connected to energy-detect antenna 309 is a band pass filter 313a centered at 2.4 GHz and used to isolate the ISM band. Energy in the 2.4 GHz band is detected with detector 311. A band pass filter 313b centered at 5 GHz is similarly connected to energy-detect antenna 309 and the energy in this band is detected with a second detector 311. The outputs of energy detectors 311 are used to trigger timer/clock 307. A tagged signal transmitted from client transceiver 105 propagates and is received by access point receiver 115 of access point 111.
Referring back to Figure 2, tag receiver 101 extracts (step 209) the security code of the tagged communications signal received by access point receiver 115. Referring now to Figure 4, a simplified block diagram of tag receiver 101 is shown. Tag receiver 101 includes security receiver 401 that extracts (step 209) a security signal 411 from received signals 405 output from conventional access point receivers 115 and input to security receiver 401. Channel estimation signals 407, signals proportional to channel characteristics and behavior received in each antenna of array 107, are also typically available as output from access point receivers 115 and input to security receiver 401.
Security signal 411 includes the extracted security code divided into a number of data packets. Security de-framer block 403 sequences the data packets containing the security data into a single frame, e.g. a medium access control (MAC) frame. Security de-framer block 403 also receives from access point receivers 115 a MAC address for each received data packet. Security de-framer block 403 performs decoding and error correction while assembling and decoding the frame containing the security data. A signal to noise ratio (SNR) estimation of received signals 405 is optionally available as output from security receiver 401 and is used by security de-framer 403 to improve the performance by correcting errors in the extracted security code. The security code after decoding and error correction is output from security de-framer block 403. Figure 5 shows security receiver 401 in detail. Two equivalent receiver paths are shown in Figure 5 because multiple receiver diversity is used for eliminating detrimental multi-path effects. Security receiver 401 includes a combiner 503 combining an inverted received signal 405 output from access point receiver 115 and a reconstructed signal 509 proportional to a known standard signal 505, e.g. a Wi-Fi preamble signal, transmitted from client transceiver 805 as received but without a security signal modulated onto it. Reconstructed signal 509 is proportional to signal 505 and channel estimation 407. Output of combiner 503 is a signal 511 proportional to the modulated security signal plus noise. Signal 511 is iteratively phase shifted by a phase shifter 507 and demodulated by demodulator 501. Security signal 411 output includes packets of security data. Figure 6 illustrates in more detail the function of de-framer block 403. Security signal 411 includes individual packets. Each packet includes, for example, a serial number indicating the order of the packets and identification, and a cyclic redundancy check (CRC) on the client identifier.
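The combiner and demodulator of Figure 5 as an added baseband simulation, not code from the patent: the reflection from radiative element 113 is modelled as a small copy of the known preamble whose sign follows the security bit and whose path phase theta is unknown to the receiver, combiner 503 subtracts channel estimate 407 times the known signal 505, and the demodulator steps through rotations as phase shifter 507 does. The preamble, modulation depth, noise model and the assumption that the first security bit is always a 1 (to resolve the sign of the rotation) are choices made here.

```python
import cmath
import math
import random
from typing import List

# Constructed parameters, not from the patent: a short known preamble standing
# in for standard signal 505, a modulation depth for the energy reflected by
# radiative element 113, and the number of rotations phase shifter 507 tries.
PREAMBLE = [cmath.exp(1j * math.pi / 4 * ((n * n) % 8)) for n in range(16)]
MOD_DEPTH = 0.15
PHASE_STEPS = 32


def tag_modulate(bits: List[int], theta: float) -> List[complex]:
    """Tagging device 103: one preamble repetition per security bit. Load 301
    adds a reflected copy of the preamble whose sign follows the bit; theta is
    the unknown phase of that reflected path relative to the direct path."""
    out: List[complex] = []
    for b in bits:
        gain = 1 + MOD_DEPTH * (1 if b else -1) * cmath.exp(1j * theta)
        out.extend(gain * s for s in PREAMBLE)
    return out


def channel(tx: List[complex], h: complex, snr_db: float, seed: int) -> List[complex]:
    """Air interface: complex gain h plus white Gaussian noise at the given SNR."""
    rng = random.Random(seed)
    sigma = math.sqrt(abs(h) ** 2 / 10 ** (snr_db / 10) / 2)
    return [h * x + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for x in tx]


def combine(rx: List[complex], h_est: complex) -> List[complex]:
    """Combiner 503: subtract reconstructed signal 509 (channel estimate 407
    times the known preamble); the remainder is signal 511, security plus noise."""
    n = len(PREAMBLE)
    return [r - h_est * PREAMBLE[i % n] for i, r in enumerate(rx)]


def _correlate(residual: List[complex], h_est: complex, phase: float) -> List[float]:
    """Per-bit correlation of the rotated residual with h_est * preamble."""
    n, rot = len(PREAMBLE), cmath.exp(1j * phase)
    return [sum(rot * d * (h_est * s).conjugate()
                for d, s in zip(residual[k * n:(k + 1) * n], PREAMBLE)).real
            for k in range(len(residual) // n)]


def demodulate(residual: List[complex], h_est: complex) -> List[int]:
    """Demodulator 501 with phase shifter 507: try PHASE_STEPS rotations, keep
    the one with the largest total correlation, and resolve the remaining sign
    ambiguity with the first bit, which this example assumes is always a 1."""
    best = max((_correlate(residual, h_est, 2 * math.pi * i / PHASE_STEPS)
                for i in range(PHASE_STEPS)), key=lambda m: sum(abs(v) for v in m))
    sign = 1 if best[0] > 0 else -1
    return [1 if sign * v > 0 else 0 for v in best]


def security_link(bits: List[int], h: complex, theta: float, snr_db: float) -> List[int]:
    """End to end: tag -> air -> combiner -> demodulator, assuming the access
    point's channel estimate 407 equals the true direct-path gain h."""
    rx = channel(tag_modulate(bits, theta), h, snr_db, seed=7)
    return demodulate(combine(rx, h), h)
```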
Decoder 601 inputs security signal 411 and decodes the serial number and CRC. Reassembler 603 assembles a MAC frame from the individual packets and associates the MAC frame with the MAC identification 413 from access point receiver 115. The MAC frame is decoded, preferably with redundancy and error correction, with decoder 605, e.g. a Reed Solomon decoder, one or more times to output the security code and client identifier. Figure 7 shows a drawing of an IEEE 802.11a PHY Layer Convergence Procedure
(PLCP) data unit (PPDU). The PPDU includes a preamble 701 of 8 microseconds including
10 symbols used for system tuning, i.e. signal detection, automatic gain control, diversity selection, coarse frequency adjustment and timing synchronization. Wireless data is carried in the remainder 703 of the PPDU. According to some embodiments of the present invention, the security code is modulated solely during the PPDU preamble while the system is being tuned and not during actual data transfer. This is advantageous to minimize bit errors during data communications. Another possible configuration of the present invention is shown in Figure 8. Figure 8 illustrates system 80 for achieving wireless authentication in a wireless network, a client transceiver 805 including client transceiver antenna 109 in wireless communication with wireless access point 111 including antenna array 107 and multiple receivers 115. An active tagging device 803 including a radiative element 113 is placed in proximity to client transceiver antenna 109. Referring also to Figure 9, a flow diagram of an authentication process 90 is shown, according to an embodiment of the present invention. Authentication process begins with a standard association protocol 901 between access point 111 and client transceiver 805. Tagging device 803 is placed in proximity to client transceiver antenna 109. An active tagging device 803 sends (step 903) a management data frame, e.g. an IEEE 802.11 beacon frame including a security code, for instance in the Service Set Identifier (SSID) field. Client transceiver 805 transmits a command intended for access point 111 requesting authentication (step 905) from access point 111. Access point 111 either grants authentication (step 909), i.e. success, or does not grant authentication, i.e. fail. If authentication is granted (step 909) then data transfer (step 913) to and from client transceiver 805 proceeds. Meanwhile, tagging device 803 repeats transmission (step 903) of management data frames e.g.
IEEE 802.11 beacon frame including a security code for instance in the Service Set Identifier (SSID) field. Referring back to Figure 8, the operating distance between active tagging device 803 and client transceiver 805 depends on the strength of the output signal of step 903. A block diagram of active tagging device 803, according to an embodiment of the present invention is illustrated in Figure 10. Active tagging device 803 includes security code generator 303. A security code is input to a wireless message modulator 125. Triggering is provided to message modulator 125 by a timer 127. A message including a security code is output to digital to analog converter 123 and transmitted using an RF
converter 121 and radiative element 113. A battery 129 is shown to indicate that active tagging device 803 emits RF power and therefore consumes more electrical power than, for instance, tagging device 103. Yet another configuration of the present invention includes active tag device 803 further including a receiver for an acknowledge message sent by client transceiver 805. With respect to the above description then, it is to be realized that the optimum dimensional relationships for the parts of the invention, to include variations in size, materials, shape, form, function and manner of operation, assembly and use, are deemed readily apparent and obvious to one skilled in the art, and all equivalent relationships to those illustrated in the drawings and described in the specification are intended to be encompassed by the present invention. Therefore, the foregoing is considered as illustrative only of the principles of the invention. Further, since numerous modifications and changes will readily occur to those skilled in the art, it is not desired to limit the invention to the exact construction and operation shown and described, and accordingly, all suitable modifications and equivalents may be resorted to, falling within the scope of the invention. While the invention has been described with respect to a limited number of embodiments, it will be appreciated that many variations, modifications and other applications of the invention may be made.