WO2005008901A2 - Wireless signal coding and authentication - Google Patents

Wireless signal coding and authentication Download PDF

Info

Publication number
WO2005008901A2
Authority
WO
WIPO (PCT)
Prior art keywords
wireless
communications signal
security code
tagged
security
Application number
PCT/IL2004/000645
Other languages
French (fr)
Other versions
WO2005008901A3 (en)
Inventor
Nery Ben-Azar
Roy Kinamon
David Voschina
Original Assignee
Nery Ben-Azar
Roy Kinamon
David Voschina
Application filed by Nery Ben-Azar, Roy Kinamon, David Voschina
Publication of WO2005008901A2
Publication of WO2005008901A3

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06: Authentication
    • H04W 12/068: Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0838: Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H04W 88/00: Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/02: Terminal devices

Definitions

  • the present invention relates to a system and method of improving security in wireless communications and, more particularly, to a method of authenticating clients in a wireless data network.
  • a wireless data network is useful to provide all the functionality of a wired network but without using a physical connection, e.g. cable.
  • data is modulated onto a radio frequency carrier, transmitted, demodulated and received using wireless modems.
  • a wireless network is connected to a wired local area network with a device known as an access point.
  • the access point generally includes one or more receivers and transmitters for wireless communication to client transceivers connected to computers of the wireless local area data network.
  • the access point generally has a wired connection to a wired local area network.
  • 802.11 is a set of specifications developed by the IEEE for wireless LANs. 802.11 provides transmission in the 2.4 GHz ISM (Industrial, Scientific and Medical) unlicensed band and in the 5 GHz band. Wireless network technology based on 802.11 standards is known as "Wi-Fi". 802.11 specifications are incorporated by reference for all purposes as if fully set forth herein. Local area networks are secured to prevent unauthorized users from gaining access to the network, from acquiring sensitive or proprietary information, or from causing damage to network resources. Since wireless data networks broadcast signals, unauthorized access is more easily achieved than in wired networks if the transmissions are not sufficiently secure.
  • Wi-Fi networks are secured with a system known as Wired Equivalent Privacy (WEP), an encryption system for the data that 802.11 broadcasts through the air.
  • a casual user therefore requires a WEP key in order to decrypt the transmitted data.
  • the WEP encryption system can be and has been broken, or a WEP key may be acquired illegitimately.
  • in wired networks, authentication is often achieved with the possession of a token.
  • the token typically generates a single use or one time password by hashing parameters such as a user identification number and time.
  • the passwords are periodically keyed in by hand into the client computer, or alternatively a separate computer input port, e.g. USB, is used to periodically input the passwords.
  • a system for authenticating a client wireless transceiver in communication with a wireless access point, in a wireless data communications network including: a wireless tagging device modulating a security code onto a communications signal transmitted from an antenna operatively connected to the client wireless transceiver thereby transmitting a tagged communications signal; and a tag receiver, operatively connected to the wireless access point, the tag receiver including a demodulator which demodulates the tagged communications signal and outputs a security signal including the security code.
  • the wireless tagging device includes a terminating load operatively connected to a tagging radiative element and the modulating is performed by changing the amount of energy contained in the communications signal reflected from the radiative element.
  • the terminating load includes an electronic component such as a diode, an inductor, a capacitor, a resistor or a transistor.
  • the wireless tagging device further includes an energy detector which detects the communications signal and triggers a timer when there is communications activity.
  • the wireless tagging device is placed in the proximity of the antenna within one wavelength of the communications signal.
  • the tag receiver further includes a de-framer which inputs the security signal and extracts the security code.
  • a method for authenticating a client wireless transceiver in communication with a wireless access point, in a wireless data communications network including: modulating a security code onto a communications signal transmitted from an antenna operatively connected to the client wireless transceiver thereby transmitting a tagged communications signal; and demodulating the tagged communications signal thereby outputting a security signal including the security code.
  • the modulating is performed by changing the amount of energy contained in the communications signal reflected from said radiative element.
  • the modulating is during a portion of a physical layer frame used solely for system tuning.
  • the method includes, prior to the modulating: hashing a one time password included in the security code.
  • the method further includes de-framing the security signal and extracting the security code.
  • a wireless tagging system for authenticating a communications with a wireless access point, in a wireless data communications network, the system comprising: a message modulator which modulates a security code onto a wireless communications signal to produce a tagged communications signal including the security code; an antenna operatively connected to the message modulator which transmits the tagged communications signal; and a client wireless transceiver which receives the tagged communications signal and produces and transmits a second tagged communications signal including the security code, the second tagged communications signal received by the wireless access point.
  • the wireless tagging system further includes: a password generator for generating the security code as input to the message modulator.
  • a method for authenticating communications from a client wireless transceiver to a wireless access point in a wireless data communications network, the method including modulating a security code onto a wireless communications signal to produce a tagged communications signal including the security code; transmitting the tagged communications signal; receiving the tagged communications signal by the client wireless transceiver; and responding to the tagged communications signal by producing, transmitting a second tagged communications signal including the security code and receiving of the second tagged communications signal by at least one receiver of the wireless access point.
  • the method includes extracting the security code from the second tagged communications signal.
  • the modulating and the transmitting are performed by a wireless tagging device at a distance from the client wireless transceiver, the distance controlled by the strength of the tagged communications signal.
  • FIG. 4 is a simplified block diagram of a tag receiver, according to an embodiment of the present invention
  • FIG. 5 is a simplified block diagram of a security receiver block, a part of a tag receiver, according to an embodiment of the present invention
  • FIG. 6 is a simplified block diagram of a de-framer block, a part of a tag receiver, according to an embodiment of the present invention
  • FIG. 7 is a drawing of a physical layer protocol frame for the 802.11a wireless standard.
  • FIG. 8 is a simplified system drawing, according to a second embodiment of the present invention, for authenticating a client in a wireless data network
  • FIG. 9 is a simplified flow diagram of a method of authentication according to the second embodiment of the present invention
  • FIG. 10 is a simplified block diagram of a tagging device, according to the second embodiment of the present invention.
  • the present invention is of a system and method for authenticating clients in a wireless data network. Specifically, the system generates a sequence of one-time (single use) passwords based on a secret pass phrase.
  • a tagging device is placed in the proximity of a client transceiver. Passwords are periodically modulated onto a communications signal.
  • the tagged communications signal is transmitted by a client transmitter and received by an access point.
  • the receiver at the access point demodulates and extracts the security code from the tagged communications signal and authenticates the client transceiver for example, by contacting an authentication server.
  • authentication when referring to a client transceiver refers herein to authentication of a user who is using a computer equipped with the client transceiver, authentication of the computer and/or authentication of an application installed on the computer equipped with the client transceiver.
  • the principles and operation of a system and method for authenticating clients in a wireless local area data network, according to the present invention may be better understood with reference to the drawings and the accompanying description.
  • principal intentions of the present invention are to: (1) provide a device that adds a security code to a signal transmitted from a client transceiver when the device is placed in the vicinity of the client transceiver and (2) extract the code with a wireless receiver in a standard access point or provide a modified access point receiver that extracts the security code from the communications signal for authentication purposes.
  • Figure 1 illustrates system 10 for achieving wireless authentication in a wireless network, a client transceiver 105 including a client transceiver antenna 109 in wireless communication with a wireless access point 111 including an antenna array 107 and multiple receivers 115.
  • a tagging device 103 including a radiative element 113 is placed in proximity to client transceiver antenna 109.
  • System 10 further includes a tag receiver 101 operatively connected to access point receivers 115.
  • a wireless authentication method is shown using system 10.
  • Tagging device 103 typically includes memory and a processor.
  • Software instructions are downloaded (step 201) into tagging device 103, and optionally a unique private key is downloaded as well during the manufacturing and issuing process of tagging device 103.
  • Tagging device 103 hashes (step 203) a one-time, i.e. single use, password using a number of parameters, one of which is typically time.
  • the hash result together with a client identifier, e.g. user identifier, are included in the tag or security code to be transferred.
  • the security code is modulated (step 207) onto wireless transmission from client transceiver 105 only when tagging device 103 is placed in the vicinity of client transceiver antenna 109, typically less than one wavelength, on the order of half a wavelength, e.g. about 6 cm for a 2.4 GHz communications signal.
  • An energy detector 31 is optionally used to detect wireless communications activity. If wireless communications activity is detected (step 205), tagging device 103 is triggered to operate. Alternatively, tagging device 103 operates continuously and periodically.
  • Tagging device 103 achieves modulation (step 207) of the signal transmitted from client transceiver 105 with the use of a terminating load 301 operatively connected, by e.g. coaxial cable or transmission line, to radiative element 113.
  • Terminating load 301 includes an electronic component, e.g. diode, inductor, capacitor, resistor or transistor, in which the matching impedance to radiative element 113 is varied.
  • terminating load 301 including a diode changes matching impedance to radiative element 113 when bias current through the diode is varied.
  • an inductor, e.g. coil changes its matching impedance to radiative element 113 when the coil is shorted with a switch.
  • Modulation is achieved therefore when radiative element 113 is placed in the vicinity of client transceiver antenna 109.
  • the radiative properties of client transceiver antenna 109 are modified, e.g. by multipath modulation, by the presence of radiative element 113 with terminating load 301 under modulation, which changes the amount of energy emitted from antenna 109 and reflected by radiative element 113.
  • the communications signal transmitted from antenna 109 is modulated (step 207) by the presence of tagging device 103.
  • Tagging device 103 further includes a security code generator 303.
  • Security code generator is operatively connected to a modulator 305.
  • Modulator 305 modulates terminating load 301 for example by varying bias current through a diode.
  • Periodic triggering of the modulator is provided by a timer/clock 307, alternatively or in addition a trigger is provided to modulator 305 through timer/clock 307 from energy detector 31.
  • Energy detector 31 independently detects the different frequency bands commonly used in wireless LANs. For instance, connected to energy-detect antenna 309 is a band pass filter 313a centered at 2.4 GHz and used to isolate the ISM band. Energy in the 2.4 GHz band is detected with detector 311. A band pass filter 313b centered at 5 GHz is similarly connected to energy-detect antenna 309 and the energy in this band is detected with a second detector 311. The outputs of energy detectors 311 are used to trigger timer/clock 307.
  • Tag receiver 101 includes security receiver 401 that extracts (step 209) a security signal 411 from received signals 405 output from conventional access point receivers 115 and input to security receiver 401.
  • Channel estimation signals 407, which are proportional to the channel characteristics and behavior received at each antenna of array 107, are also typically available as output from access point receivers 115 and input to security receiver 401.
  • Security signal 411 includes the extracted security code divided into a number of data packets.
  • Security de-framer block 403 sequences the data packets containing the security data into a single frame, e.g. medium access control (MAC) frame.
  • Security de-framer block 403 also receives from access point receivers 115 a MAC address for each received data packet.
  • Security de-framer block 403 performs decoding and error correction while assembling and decoding the frame containing the security data.
  • a signal to noise ratio (SNR) estimation of received signals 405 is optionally available as output from security receiver 401 and is used by security de-framer 403 to improve performance by correcting errors in the extracted security code.
  • the security code after decoding and error correction is output from security de-framer block 403.
  • Figure 5 shows security receiver 401 in detail.
  • Security receiver 401 includes a combiner 503 combining an inverted received signal 405 output from access point receiver 115 and a reconstructed signal 509 proportional to a known standard signal 505, e.g. a Wi-Fi preamble signal, transmitted from client transceiver 805 as it would be received without a security signal modulated onto it.
  • Reconstructed signal 509 is proportional to a signal 505 and channel estimation 407.
  • Output of combiner 503 is a signal 511 proportional to the modulated security signal plus noise.
  • Signal 511 is iteratively phase shifted by a phase shifter 507 and demodulated by demodulator 501.
  • Security signal 411 output includes packets of security data.
  • FIG. 6 illustrates in more detail the function of de-framer block 403.
  • Security signal 411 includes individual packets. Each packet includes, for example, a serial number indicating the order of the packets and their identification, and a cyclic redundancy check (CRC) on the client identifier.
  • Decoder 601 inputs security signal 411 and decodes the serial number and CRC.
  • Reassembler 603 assembles a MAC frame from the individual packets and associates the MAC frame with the MAC identification 413 from access point receiver 115.
  • the MAC frame is decoded, preferably with redundancy and error correction, with decoder 605, e.g. a Reed-Solomon decoder, one or more times to output the security code and client identifier.
  • Figure 7 shows a drawing of an IEEE 802.11a PHY Layer Convergence Procedure (PLCP) protocol data unit (PPDU).
  • the PPDU includes a preamble 701 of 8 microseconds including 10 symbols used for system tuning, i.e. signal detection, automatic gain control, diversity selection, coarse frequency adjustment and timing synchronization. Wireless data is carried in the remainder 703 of the PPDU.
  • the security code is modulated solely during the PPDU preamble while the system is being tuned and not during actual data transfer. This is advantageous to minimize bit errors during data communications.
  • Figure 8 illustrates system 80 for achieving wireless authentication in a wireless network, a client transceiver 805 including client transceiver antenna 109 in wireless communication with wireless access point 111 including antenna array 107 and multiple receivers 115.
  • An active tagging device 803 including a radiative element 113 is placed in proximity to client transceiver antenna 109.
  • Authentication process begins with a standard association protocol 901 between access point 111 and client transceiver 805.
  • Tagging device 803 is placed in proximity to client transceiver antenna 109.
  • An active tagging device 803 sends (step 903) a management data frame, e.g. IEEE 802.11 beacon frame including a security code for instance in the Service Set Identifier (SSID) field.
  • Client transceiver 805 transmits a command intended for access point 111 requesting authentication (step 905) from access point 111.
  • Access point 111 either grants authentication (step 909), i.e. success, or does not grant authentication, i.e. fail. If authentication is granted (step 909) then data transfer (step 913) to and from client transceiver 805 proceeds. Meanwhile, tagging device 803 repeats transmission (step 903) of management data frames, e.g. IEEE 802.11 beacon frames including a security code, for instance in the Service Set Identifier (SSID) field.
  • the operating distance between active tagging device 803 and client transceiver 805 depends on the strength of the output signal of step 903.
  • a block diagram of active tagging device 803, according to an embodiment of the present invention is illustrated in Figure 10. Active tagging device 803 includes security code generator 303.
  • a security code is input to a wireless message modulator 125. Triggering is provided to message modulator 125 by a timer 127. A message including a security code is output to digital-to-analog converter 123 and transmitted using an RF converter 121 and radiative element 113. A battery 129 is shown to indicate that active tagging device 803 emits RF power and therefore consumes more electrical power than, for instance, tagging device 103. Yet another configuration of the present invention includes active tagging device 803 further including a receiver for an acknowledgement message sent by client transceiver 805.
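The first embodiment above describes the security code as a hashed one-time password (step 203) joined to a client identifier, carried in numbered packets with a CRC and reassembled by the de-framer of FIG. 6, then checked by the access point against an authentication server. The Python below is an added example, not the patent's own code, that runs that pipeline end to end. The HMAC-SHA256 construction, the per-packet layout, the 60-second time step and the one-step clock skew are assumptions chosen to fill in what the text leaves open. Two checks a practitioner would want are included: a packet whose CRC fails is dropped and the frame waits for the repeat, and the server rejects a password presented a second time within its window, which is what makes the password single use.

```python
"""Security-code pipeline of the first embodiment: step 203 (hash a one-time
password), the tag packets and de-framer of FIG. 6, and the authentication
decision the access point delegates to an authentication server.
Added example, not the patent's own code; the HMAC construction, the packet
layout, the 60 s time step and the one-step clock skew are assumptions."""
import hashlib
import hmac
import struct
import zlib
from typing import Dict, List, Optional, Set, Tuple

TIME_STEP = 60         # assumed validity window of one password, in seconds
OTP_BYTES = 8          # assumed truncation of the hash result
CLIENT_ID_BYTES = 4    # assumed fixed-width client identifier
PAYLOAD_BYTES = 4      # assumed security-data bytes carried per tag packet


def one_time_password(device_key: bytes, client_id: bytes, unix_time: int) -> bytes:
    """Step 203: hash a single-use password from the client identifier and time.
    The hash is keyed with the per-device private key loaded at issuing time
    (step 201); HMAC-SHA256 over client_id || time step is an assumed choice."""
    counter = unix_time // TIME_STEP
    mac = hmac.new(device_key, client_id + struct.pack(">Q", counter), hashlib.sha256)
    return mac.digest()[:OTP_BYTES]


def security_code(device_key: bytes, client_id: bytes, unix_time: int) -> bytes:
    """The tag: hash result followed by the client identifier."""
    if len(client_id) != CLIENT_ID_BYTES:
        raise ValueError("client identifier must be %d bytes" % CLIENT_ID_BYTES)
    return one_time_password(device_key, client_id, unix_time) + client_id


def packetize(code: bytes) -> List[bytes]:
    """Split the code into tag packets.  Assumed layout per packet:
    serial (1) | total (1) | payload (PAYLOAD_BYTES) | CRC32 over the preceding bytes (4)."""
    chunks = [code[i:i + PAYLOAD_BYTES] for i in range(0, len(code), PAYLOAD_BYTES)]
    packets = []
    for serial, chunk in enumerate(chunks):
        body = struct.pack(">BB", serial, len(chunks)) + chunk.ljust(PAYLOAD_BYTES, b"\x00")
        packets.append(body + struct.pack(">I", zlib.crc32(body)))
    return packets


def reassemble(packets: List[bytes], code_len: int) -> Optional[bytes]:
    """De-framer (FIG. 6): drop packets whose CRC fails, order the rest by serial
    number, ignore duplicates, and return the code only once the frame is complete."""
    good: Dict[int, bytes] = {}
    total = None
    for pkt in packets:
        if len(pkt) != 2 + PAYLOAD_BYTES + 4:
            continue
        body, crc = pkt[:-4], struct.unpack(">I", pkt[-4:])[0]
        if zlib.crc32(body) != crc:
            continue                           # bit error on the air: wait for the repeat
        serial, total = struct.unpack(">BB", body[:2])
        good.setdefault(serial, body[2:])
    if total is None or sorted(good) != list(range(total)):
        return None                            # frame still incomplete
    return b"".join(good[i] for i in range(total))[:code_len]


class Authenticator:
    """Authentication server contacted by the access point (FIG. 2): recomputes
    the password for the current and adjacent time steps and enforces single use."""

    def __init__(self, keys: Dict[bytes, bytes], skew_steps: int = 1) -> None:
        self.keys = keys                       # client identifier -> device key
        self.skew = skew_steps
        self.used: Set[Tuple[bytes, int]] = set()

    def verify(self, code: bytes, unix_time: int) -> bool:
        otp, client_id = code[:OTP_BYTES], code[OTP_BYTES:]
        key = self.keys.get(client_id)
        if key is None:
            return False                       # unknown client identifier
        now = unix_time // TIME_STEP
        for counter in range(now - self.skew, now + self.skew + 1):
            expected = one_time_password(key, client_id, counter * TIME_STEP)
            if hmac.compare_digest(expected, otp):
                if (client_id, counter) in self.used:
                    return False               # single-use password presented twice
                self.used.add((client_id, counter))
                return True
        return False                           # expired, forged, or wrong key


if __name__ == "__main__":
    # Constructed sample values, not from the patent.
    DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
    CLIENT_ID = b"\x00\x00\x00\x2a"
    T = 1_700_000_000
    code = security_code(DEVICE_KEY, CLIENT_ID, T)
    pkts = packetize(code)
    damaged = bytearray(pkts[1])
    damaged[3] ^= 0x40                         # simulate a bit error in packet 1
    print(reassemble([pkts[0], bytes(damaged), pkts[2]], len(code)))          # None
    recovered = reassemble([pkts[0], bytes(damaged), pkts[2], pkts[1]], len(code))
    auth = Authenticator({CLIENT_ID: DEVICE_KEY})
    print(recovered == code, auth.verify(recovered, T + 30), auth.verify(recovered, T + 30))
```

Run it directly to see the damaged frame fail and the repeated packet complete it. The client identifier travels in the clear next to the hash, so it serves only as a lookup key; the device key never leaves the tag or the server, and the server answers the access point with nothing more than the accept/reject decision of step 909.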
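In the second embodiment (FIG. 8 to FIG. 10) the active tagging device carries the security code in the SSID field of an IEEE 802.11 beacon frame (step 903). The Python below is an added example, not the patent's own code: it builds such a beacon, parses the management header and information elements with the bounds checks a receiver needs, and pulls the code back out. Hex-encoding the code inside the SSID, the fixed capability field and leaving the FCS to the driver are assumptions; the 32-octet SSID limit is the standard's own, and it bounds how large the code can be.

```python
"""Second embodiment, step 903: security code carried in the SSID element of an
IEEE 802.11 beacon frame.  Added example, not the patent's own code; the hex
encoding of the code, the capability value and the omitted FCS are assumptions."""
import struct
from typing import Any, Dict, Optional

FC_BEACON = 0x0080       # frame control, little-endian: type 0 (management), subtype 8 (beacon)
MGMT_HDR = struct.Struct("<HH6s6s6sH")   # FC, duration, DA, SA, BSSID, sequence control
BEACON_FIXED = struct.Struct("<QHH")     # timestamp, beacon interval, capability
EID_SSID = 0
SSID_MAX = 32            # 802.11 limits the SSID element body to 32 octets


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_beacon(sa: bytes, bssid: bytes, security_code: bytes, seq: int = 0) -> bytes:
    """Tagging-device side: encode the code as hex so it fits an SSID element."""
    ssid = security_code.hex().encode("ascii")
    if len(ssid) > SSID_MAX:
        raise ValueError("security code too long for an SSID element")
    header = MGMT_HDR.pack(FC_BEACON, 0, b"\xff" * 6, sa, bssid, (seq & 0xFFF) << 4)
    fixed = BEACON_FIXED.pack(0, 100, 0x0001)   # timestamp 0, 100 TU interval, ESS capability
    return header + fixed + bytes([EID_SSID, len(ssid)]) + ssid


def parse_beacon(frame: bytes) -> Optional[Dict[str, Any]]:
    """Receiver side: accept only a well-formed beacon and walk its element list.
    Any truncated or trailing bytes reject the whole frame."""
    if len(frame) < MGMT_HDR.size + BEACON_FIXED.size:
        return None
    fc, _duration, _da, sa, bssid, _seq = MGMT_HDR.unpack_from(frame, 0)
    if fc & 0x00FC != FC_BEACON & 0x00FC:       # compare type/subtype, ignore flag bits
        return None
    ies: Dict[int, bytes] = {}
    pos = MGMT_HDR.size + BEACON_FIXED.size
    while pos + 2 <= len(frame):
        eid, length = frame[pos], frame[pos + 1]
        if pos + 2 + length > len(frame):
            return None                          # element runs past the frame
        ies.setdefault(eid, frame[pos + 2:pos + 2 + length])
        pos += 2 + length
    if pos != len(frame):
        return None                              # dangling byte after the last element
    return {"sa": sa, "bssid": bssid, "ies": ies}


def security_code_from_beacon(frame: bytes) -> Optional[bytes]:
    """Extract the code the client transceiver will echo in its authentication request."""
    parsed = parse_beacon(frame)
    if parsed is None:
        return None
    ssid = parsed["ies"].get(EID_SSID)
    if ssid is None or len(ssid) > SSID_MAX or len(ssid) % 2:
        return None
    try:
        return bytes.fromhex(ssid.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None


if __name__ == "__main__":
    # Constructed sample values, not from the patent.
    TAG_MAC = mac("02:00:00:00:00:01")
    CODE = bytes.fromhex("0f1e2d3c4b5a6978" "0000002a")   # 8-byte hash + 4-byte client id
    frame = build_beacon(TAG_MAC, TAG_MAC, CODE, seq=7)
    print(frame.hex())
    print(security_code_from_beacon(frame) == CODE)
```

Beacons are management frames sent unencrypted to the broadcast address, so every station in range sees the code; that is why the design pairs it with a single-use, time-bound password rather than a static secret, and why the receiver must treat the SSID bytes as untrusted input and bounds-check them before use.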

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

A system for authenticating a client wireless transceiver (105) in communication with a wireless access point (111), in a wireless data communications network, the system including: a wireless tagging device (103) modulating a security code onto a communications signal transmitted from an antenna (113) operatively connected to the client wireless transceiver (105) thereby transmitting a tagged communications signal; and a tag receiver (101), operatively connected to the wireless access point (111), the tag receiver (101) including a demodulator which demodulates the tagged communications signal and outputs a security signal including the security code. Preferably, the wireless tagging device includes a terminating load operatively connected to a tagging radiative element and the modulating is performed by changing matching impedance between the terminating load and the tagging radiative element.

Description

WIRELESS SIGNAL CODING AND AUTHENTICATION

FIELD AND BACKGROUND OF THE INVENTION

The present invention relates to a system and method of improving security in wireless communications and, more particularly, to a method of authenticating clients in a wireless data network. A wireless data network is useful to provide all the functionality of a wired network but without using a physical connection, e.g. cable. Typically, data is modulated onto a radio frequency carrier, transmitted, demodulated and received using wireless modems. A wireless network is connected to a wired local area network with a device known as an access point. The access point generally includes one or more receivers and transmitters for wireless communication to client transceivers connected to computers of the wireless local area data network. The access point generally has a wired connection to a wired local area network.

802.11 is a set of specifications developed by the IEEE for wireless LANs. 802.11 provides transmission in the 2.4 GHz ISM (Industrial, Scientific and Medical) unlicensed band and in the 5 GHz band. Wireless network technology based on 802.11 standards is known as "Wi-Fi". 802.11 specifications are incorporated by reference for all purposes as if fully set forth herein. Local area networks are secured to prevent unauthorized users from gaining access to the network, from acquiring sensitive or proprietary information, or from causing damage to network resources. Since wireless data networks broadcast signals, unauthorized access is more easily achieved than in wired networks if the transmissions are not sufficiently secure. According to IEEE 802.11, Wi-Fi networks are secured with a system known as Wired Equivalent Privacy (WEP), an encryption system for the data that 802.11 broadcasts through the air. A casual user, therefore, requires a WEP key in order to decrypt the transmitted data.
However, the WEP encryption system can be and has been broken, or a WEP key may be acquired illegitimately. Some of these weaknesses were addressed by the development of WPA (Wi-Fi Protected Access). WPA uses the TKIP protocol (Temporal Key Integrity Protocol), which can change the encryption key for each packet of data, thus significantly increasing security. Before a decryption key is distributed to a user allowing the user access to network resources, the user must be authenticated. In wired networks, authentication is often achieved with the possession of a token. The token typically generates a single use or one time password by hashing parameters such as a user identification number and time. The passwords are periodically keyed in by hand into the client computer, or alternatively a separate computer input port, e.g. USB, is used to periodically input the passwords. There is thus a need for, and it would be highly advantageous to have, a system and method for periodically authenticating clients of wireless networks using the protocol of the wireless network, thereby avoiding keying of passwords by hand or using an additional computer port.
SUMMARY OF THE INVENTION

According to the present invention there is provided a system for authenticating a client wireless transceiver in communication with a wireless access point, in a wireless data communications network, the system including: a wireless tagging device modulating a security code onto a communications signal transmitted from an antenna operatively connected to the client wireless transceiver thereby transmitting a tagged communications signal; and a tag receiver, operatively connected to the wireless access point, the tag receiver including a demodulator which demodulates the tagged communications signal and outputs a security signal including the security code. Preferably, the wireless tagging device includes a terminating load operatively connected to a tagging radiative element and the modulating is performed by changing the amount of energy contained in the communications signal reflected from the radiative element. Preferably, the terminating load includes an electronic component such as a diode, an inductor, a capacitor, a resistor or a transistor. Preferably, the wireless tagging device further includes an energy detector which detects the communications signal and triggers a timer when there is communications activity. Preferably, the wireless tagging device is placed in the proximity of the antenna within one wavelength of the communications signal. Preferably, the tag receiver further includes a de-framer which inputs the security signal and extracts the security code.
According to the present invention there is provided a method for authenticating a client wireless transceiver in communication with a wireless access point, in a wireless data communications network, the method including: modulating a security code onto a communications signal transmitted from an antenna operatively connected to the client wireless transceiver thereby transmitting a tagged communications signal; and demodulating the tagged communications signal thereby outputting a security signal including the security code. Preferably, the modulating is performed by changing the amount of energy contained in the communications signal reflected from said radiative element. Preferably, the modulating is during a portion of a physical layer frame used solely for system tuning. Preferably the method includes, prior to the modulating: hashing a one time password included in the security code. Preferably, the method further includes de-framing the security signal and extracting the security code. According to the present invention there is provided, a wireless tagging system for authenticating a communications with a wireless access point, in a wireless data communications network, the system comprising: a message modulator which modulates a security code onto a wireless communications signal to produce a tagged communications signal including the security code; an antenna operatively connected to the message modulator which transmits the tagged communications signal; and a client wireless transceiver which receives the tagged communications signal and produces and transmits a second tagged communications signal including the security code, the second tagged communications signal received by the wireless access point. Preferably, the wireless tagging system further includes: a password generator for generating the security code as input to the message modulator.
According to the present invention there is provided a method for authenticating communications from a client wireless transceiver to a wireless access point, in a wireless data communications network, the method including modulating a security code onto a wireless communications signal to produce a tagged communications signal including the security code; transmitting the tagged communications signal; receiving the tagged communications signal by the client wireless transceiver; and responding to the tagged communications signal by producing, transmitting a second tagged communications signal including the security code and receiving of the second tagged communications signal by at least one receiver of the wireless access point. Preferably, the method includes extracting the security code from the second tagged communications signal. Preferably, the modulating and the transmitting are performed by a wireless tagging device at a distance from the client wireless transceiver, the distance controlled by the strength of the tagged communications signal.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is herein described, by way of example only, with reference to the accompanying drawings, wherein:
FIG. 1 is a simplified system drawing, according to an embodiment of the present invention, for authenticating a client in a wireless data network;
FIG. 2 is a simplified flow diagram of a method of authentication according to an embodiment of the present invention;
FIG. 3 is a simplified block diagram of a tagging device, according to an embodiment of the present invention;
FIG. 4 is a simplified block diagram of a tag receiver, according to an embodiment of the present invention;
FIG. 5 is a simplified block diagram of a security receiver block, a part of a tag receiver, according to an embodiment of the present invention;
FIG. 6 is a simplified block diagram of a de-framer block, a part of a tag receiver, according to an embodiment of the present invention;
FIG. 7 is a drawing of a physical layer protocol frame for the 802.11a wireless standard;
FIG. 8 is a simplified system drawing, according to a second embodiment of the present invention, for authenticating a client in a wireless data network;
FIG. 9 is a simplified flow diagram of a method of authentication according to the second embodiment of the present invention;
FIG. 10 is a simplified block diagram of a tagging device, according to the second embodiment of the present invention.
DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention is of a system and method for authenticating clients in a wireless data network. Specifically, the system generates a sequence of one-time (single use) passwords based on a secret pass phrase. A tagging device is placed in the proximity of a client transceiver. Passwords are periodically modulated onto a communications signal. The tagged communications signal is transmitted by a client transmitter and received by an access point. The receiver at the access point demodulates and extracts the security code from the tagged communications signal and authenticates the client transceiver for example, by contacting an authentication server. The term "authentication" when referring to a client transceiver refers herein to authentication of a user who is using a computer equipped with the client transceiver, authentication of the computer and/or authentication of an application installed on the computer equipped with the client transceiver. The principles and operation of a system and method for authenticating clients in a wireless local area data network, according to the present invention may be better understood with reference to the drawings and the accompanying description. Before explaining embodiments of the invention in detail, it is to be understood that the invention is not limited in its application to the details of construction and the arrangement of the components set forth in the following description or illustrated in the drawings. The invention is capable of other embodiments or of being practiced or carried out in various ways. Also, it is to be understood that the phraseology and terminology employed herein is for the purpose of description and should not be regarded as limiting.
As such, those skilled in the art will appreciate that the conception upon which this disclosure is based may readily be utilized as a basis for the designing of other methods and systems for carrying out the several purposes of the present invention. It is important, therefore, that the claims be regarded as including such equivalent constructions insofar as they do not depart from the spirit and scope of the present invention.

By way of introduction, principal intentions of the present invention are to: (1) provide a device that adds a security code to a signal transmitted from a client transceiver when the device is placed in the vicinity of the client transceiver, and (2) extract the code with a wireless receiver in a standard access point, or provide a modified access point receiver that extracts the security code from the communications signal for authentication purposes.

It should be noted that while the discussion herein is directed to wireless local area networks, the principles of the present invention may be adapted for use in, and provide benefit for, other wireless data networks such as a data network over a cellular mobile telephone network, e.g. GPRS over GSM, access networks such as 802.16 and 802.20, and UWB. Furthermore, the modulation type may be any such mechanism known in the art, including frequency division multiplexing, phase shift keying, spread spectrum, code division multiple access, and frequency and amplitude modulation. The terms "security code" and "tag" are used herein interchangeably.

Referring now to the drawings, Figure 1 illustrates a system 10 for achieving wireless authentication in a wireless network: a client transceiver 105 including a client transceiver antenna 109 is in wireless communication with a wireless access point 111 including an antenna array 107 and multiple receivers 115. A tagging device 103 including a radiative element 113 is placed in proximity to client transceiver antenna 109.
System 10 further includes a tag receiver 101 operatively connected to access point receivers 115.

Referring also to Figure 2, a wireless authentication method is shown using system 10. Tagging device 103 typically includes memory and a processor. Software instructions are downloaded (step 201) into tagging device 103, and optionally a unique private key is downloaded as well, during the manufacturing and issuing process of tagging device 103. Tagging device 103 hashes (step 203) a one-time, i.e. single use, password using a number of parameters, typically including time. The hash result, together with a client identifier, e.g. a user identifier, is included in the tag or security code to be transferred. The security code is modulated (step 207) onto the wireless transmission from client transceiver 105 only when tagging device 103 is placed in the vicinity of client transceiver antenna 109, typically less than one wavelength away, on the order of half a wavelength, e.g. 6 cm for a 2.4 GHz communications signal.

Referring now also to Figure 3, a block diagram of tagging device 103 is shown. An energy detector 31 is optionally used to detect wireless communications activity. If wireless communications activity is detected (step 205), tagging device 103 is triggered to operate. Alternatively, tagging device 103 operates continuously and periodically. Tagging device 103 achieves modulation (step 207) of the signal transmitted from client transceiver 105 with the use of a terminating load 301 operatively connected, e.g. by coaxial cable or transmission line, to radiative element 113. Terminating load 301 includes an electronic component, e.g. a diode, inductor, capacitor, resistor or transistor, whose matching impedance to radiative element 113 is varied. For instance, a terminating load 301 including a diode changes its matching impedance to radiative element 113 when the bias current through the diode is varied. Similarly, an inductor, e.g. a coil, changes its matching impedance to radiative element 113 when the coil is shorted with a switch. Modulation (step 207) is achieved, therefore, when radiative element 113 is placed in the vicinity of client transceiver antenna 109. The radiative properties of client transceiver antenna 109 are modified, e.g. by multipath modulation, by the presence of radiative element 113 with terminating load 301 under modulation, which changes the amount of energy emitted from antenna 109 and reflected by radiative element 113. Hence, the communications signal transmitted from antenna 109 is modulated (step 207) by the presence of tagging device 103.

Tagging device 103 further includes a security code generator 303. Security code generator 303 is operatively connected to a modulator 305. Modulator 305 modulates terminating load 301, for example by varying the bias current through a diode. Periodic triggering of the modulator is provided by a timer/clock 307; alternatively or in addition, a trigger is provided to modulator 305 through timer/clock 307 from energy detector 31. Energy detector 31 detects, independently, different frequency bands commonly used in wireless LANs. For instance, connected to energy-detect antenna 309 is a band pass filter 313a centered at 2.4 GHz and used to isolate the ISM band. Energy in the 2.4 GHz band is detected with a detector 311. A band pass filter 313b centered at 5 GHz is similarly connected to energy-detect antenna 309, and the energy in this band is detected with a second detector 311. The outputs of energy detectors 311 are used to trigger timer/clock 307.

A tagged signal transmitted from client transceiver 105 propagates and is received by access point receiver 115 of access point 111. Referring back to Figure 2, tag receiver 101 extracts (step 209) the security code of the tagged communications signal received by access point receiver 115. Referring now to Figure 4, a simplified block diagram of tag receiver 101 is shown.
Tag receiver 101 includes a security receiver 401 that extracts (step 209) a security signal 411 from received signals 405, output from conventional access point receivers 115 and input to security receiver 401. Channel estimation signals 407, i.e. signals proportional to the channel characteristics and behavior observed at each antenna of array 107, are also typically available as output from access point receivers 115 and input to security receiver 401. Security signal 411 includes the extracted security code divided into a number of data packets. Security de-framer block 403 sequences the data packets containing the security data into a single frame, e.g. a medium access control (MAC) frame. Security de-framer block 403 also receives from access point receivers 115 a MAC address for each received data packet. Security de-framer block 403 performs decoding and error correction while assembling and decoding the frame containing the security data. A signal to noise ratio (SNR) estimation of received signals 405 is optionally available as output from security receiver 401 and is used by security de-framer block 403 to improve performance by correcting errors in the extracted security code. The security code, after decoding and error correction, is output from security de-framer block 403.

Figure 5 shows security receiver 401 in detail. Two equivalent receiver paths are shown in Figure 5 because multiple receiver diversity is used for eliminating detrimental multi-path effects. Security receiver 401 includes a combiner 503 combining an inverted received signal 405, output from access point receiver 115, and a reconstructed signal 509 proportional to a known standard signal 505, e.g. a Wi-Fi preamble signal, transmitted from client transceiver 805 as received but without a security signal modulated onto it. Reconstructed signal 509 is proportional to signal 505 and channel estimation 407. Output of combiner 503 is a signal 511 proportional to the modulated security signal plus noise.
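The packet handling of security de-framer block 403 (sequencing numbered packets into one frame, checking each packet's CRC, and tolerating the repeated copies the tag sends), shown as an added Python example; this is not code from the patent. The packet layout (a header of serial number, packet count and CRC-32 of the payload, followed by a 4-byte payload), the function and class names, and the sample frame are assumptions of this example. The Reed Solomon decoding of decoder 605 is not modelled here: a packet that fails its CRC is dropped and the frame is completed from a later repetition.

```python
import struct
import zlib

# Assumed packet layout (the patent does not fix one): a 6-byte header of
# serial number, total packet count and CRC-32 of the payload, then the payload.
HEADER = struct.Struct("!BBI")
PAYLOAD_BYTES = 4


def packetize(frame):
    """Split a security frame into numbered, CRC-protected packets (tag side)."""
    chunks = [frame[i:i + PAYLOAD_BYTES] for i in range(0, len(frame), PAYLOAD_BYTES)]
    return [HEADER.pack(serial, len(chunks), zlib.crc32(chunk)) + chunk
            for serial, chunk in enumerate(chunks)]


def parse_packet(packet):
    """Return (serial, total, payload), or None when the header or CRC is bad."""
    if len(packet) < HEADER.size:
        return None
    serial, total, crc = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:]
    if zlib.crc32(payload) != crc:
        return None  # bit errors in the payload: drop the packet
    return serial, total, payload


class Reassembler:
    """Collects packets in any order and rebuilds the frame once all are present."""

    def __init__(self):
        self.total = None
        self.slots = {}

    def add(self, packet):
        parsed = parse_packet(packet)
        if parsed is None:
            return False
        serial, total, payload = parsed
        if total == 0:
            return False
        if self.total is None:
            self.total = total
        if total != self.total or serial >= total:
            return False  # inconsistent packet count or serial out of range
        # The tag retransmits periodically, so duplicates are expected; keep the first copy.
        self.slots.setdefault(serial, payload)
        return True

    def frame(self):
        if self.total is None or len(self.slots) != self.total:
            return None  # still missing packets: wait for the next repetition
        return b"".join(self.slots[i] for i in range(self.total))


def deframe(packets):
    """Convenience wrapper: feed every received packet, return the frame or None."""
    reassembler = Reassembler()
    for packet in packets:
        reassembler.add(packet)
    return reassembler.frame()


def demo():
    # Constructed sample frame: client identifier followed by a one-time password.
    frame = b"alice:0123456789abcdef"
    packets = packetize(frame)
    # Constructed reception: packets out of order, packet 2 received twice,
    # with one of the two copies corrupted by a single flipped bit.
    corrupted = bytearray(packets[2])
    corrupted[-1] ^= 0x01
    received = [packets[4], packets[1], bytes(corrupted), packets[0],
                packets[5], packets[2], packets[3], packets[2]]
    return deframe(received)


if __name__ == "__main__":
    print(demo())
```

The reassembler keeps the first good copy of each serial number, so the tag's periodic repetition (step 903 in the second embodiment, the timer-driven modulation in the first) is what repairs a corrupted or missed packet; nothing is accepted until every serial number is present.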
Signal 511 is iteratively phase shifted by a phase shifter 507 and demodulated by demodulator 501. Security signal 411 output includes packets of security data.

Figure 6 illustrates in more detail the function of de-framer block 403. Security signal 411 includes individual packets. Each packet includes, for example, a serial number indicating the order of the packets, identification, and a cyclic redundancy check (CRC) on the client identifier. Decoder 601 inputs security signal 411 and decodes the serial number and CRC. Reassembler 603 assembles a MAC frame from the individual packets and associates the MAC frame with the MAC identification 413 from access point receiver 115. The MAC frame is decoded, preferably with redundancy and error correction, with decoder 605, e.g. a Reed Solomon decoder, one or more times to output the security code and client identifier.

Figure 7 shows a drawing of an IEEE 802.11a PHY Layer Convergence Procedure (PLCP) protocol data unit (PPDU). The PPDU includes a preamble 701 of 8 microseconds including 10 symbols used for system tuning, i.e. signal detection, automatic gain control, diversity selection, coarse frequency adjustment and timing synchronization. Wireless data is carried in the remainder 703 of the PPDU. According to some embodiments of the present invention, the security code is modulated solely during the PPDU preamble, while the system is being tuned, and not during actual data transfer. This is advantageous to minimize bit errors during data communications.

Another possible configuration of the present invention is shown in Figure 8. Figure 8 illustrates a system 80 for achieving wireless authentication in a wireless network: a client transceiver 805 including client transceiver antenna 109 is in wireless communication with wireless access point 111 including antenna array 107 and multiple receivers 115. An active tagging device 803 including a radiative element 113 is placed in proximity to client transceiver antenna 109.

Referring also to Figure 9, a flow diagram of an authentication process 90 is shown, according to an embodiment of the present invention. Authentication process 90 begins with a standard association protocol 901 between access point 111 and client transceiver 805. Tagging device 803 is placed in proximity to client transceiver antenna 109. Active tagging device 803 sends (step 903) a management data frame, e.g. an IEEE 802.11 beacon frame, including a security code, for instance in the Service Set Identifier (SSID) field. Client transceiver 805 transmits a command intended for access point 111 requesting authentication (step 905) from access point 111. Access point 111 either grants authentication (step 909), i.e. success, or does not grant authentication, i.e. fail. If authentication is granted (step 909) then data transfer (step 913) to and from client transceiver 805 proceeds.
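The security code generation of step 203 (a hash over a client identifier and time, keyed with the private key loaded into the tagging device) and its verification by an authentication server, shown as an added Python example that is not the patent's own code. The hash (HMAC-SHA256 truncated to 8 bytes), the 30-second time slot, the `client:otp` text layout sized to fit the 32-byte SSID field used by the active tag of Figures 8 and 9, the one-slot clock-skew window, and all names are assumptions of this example.

```python
import hashlib
import hmac
import struct

SLOT_SECONDS = 30       # assumed: a fresh one-time password every 30 seconds
OTP_BYTES = 8           # assumed: hash truncated to 64 bits
SSID_MAX_BYTES = 32     # IEEE 802.11 SSID length limit


def time_slot(now, slot_seconds=SLOT_SECONDS):
    """The time parameter of the hash: the current slot index."""
    return int(now // slot_seconds)


def one_time_password(device_key, client_id, slot):
    """Hash of the client identifier and the time slot, keyed with the tagging
    device's private key (HMAC-SHA256 is an assumption of this example)."""
    msg = client_id.encode() + struct.pack("!Q", slot)
    return hmac.new(device_key, msg, hashlib.sha256).digest()[:OTP_BYTES]


def make_security_code(device_key, client_id, now):
    """Security code = client identifier + one-time password, as ASCII so that
    it can be carried in the SSID field of a beacon frame."""
    otp = one_time_password(device_key, client_id, time_slot(now))
    code = client_id.encode() + b":" + otp.hex().encode()
    if len(code) > SSID_MAX_BYTES:
        raise ValueError("security code does not fit in an SSID field")
    return code


class AuthenticationServer:
    """Holds each client's device key and enforces single use of every password."""

    def __init__(self, keys, window=1):
        self.keys = keys            # client_id -> device key (constructed store)
        self.window = window        # tolerated clock skew, in slots
        self.used = set()           # (client_id, slot) pairs already accepted

    def verify(self, code, now):
        """True once for a valid code in the current slot (plus/minus window)."""
        try:
            cid_raw, otp_hex = code.split(b":", 1)
            client_id = cid_raw.decode()
        except (ValueError, UnicodeDecodeError):
            return False
        key = self.keys.get(client_id)
        if key is None:
            return False
        current = time_slot(now)
        for slot in range(current - self.window, current + self.window + 1):
            expected = one_time_password(key, client_id, slot).hex().encode()
            if hmac.compare_digest(expected, otp_hex):
                if (client_id, slot) in self.used:
                    return False    # already accepted: a password is single use
                self.used.add((client_id, slot))
                return True
        return False


if __name__ == "__main__":
    key = bytes(range(32))          # constructed device key
    server = AuthenticationServer({"alice": key})
    now = 1_700_000_000
    code = make_security_code(key, "alice", now)
    print(code, server.verify(code, now), server.verify(code, now))
```

The server records each accepted (client, slot) pair, so the same code presented a second time is refused; that bookkeeping, not the hash alone, is what makes the password single use. The window bounds how far the tag's clock may drift from the server's before its codes stop verifying, and is also the longest a captured code remains usable.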
Meanwhile, tagging device 803 repeats transmission (step 903) of management data frames, e.g. IEEE 802.11 beacon frames, including a security code, for instance in the Service Set Identifier (SSID) field. Referring back to Figure 8, the operating distance between active tagging device 803 and client transceiver 805 depends on the strength of the output signal of step 903.

A block diagram of active tagging device 803, according to an embodiment of the present invention, is illustrated in Figure 10. Active tagging device 803 includes security code generator 303. A security code is input to a wireless message modulator 125. Triggering is provided to message modulator 125 by a timer 127. A message including a security code is output to a digital to analog converter 123 and transmitted using an RF converter 121 and radiative element 113. A battery 129 is shown to indicate that active tagging device 803 emits RF power and therefore consumes more electrical power than, for instance, tagging device 103. Yet another configuration of the present invention includes active tagging device 803 further including a receiver for an acknowledge message sent by client transceiver 805.

With respect to the above description, then, it is to be realized that the optimum dimensional relationships for the parts of the invention, including variations in size, materials, shape, form, function and manner of operation, assembly and use, are deemed readily apparent and obvious to one skilled in the art, and all equivalent relationships to those illustrated in the drawings and described in the specification are intended to be encompassed by the present invention. Therefore, the foregoing is considered as illustrative only of the principles of the invention.
Further, since numerous modifications and changes will readily occur to those skilled in the art, it is not desired to limit the invention to the exact construction and operation shown and described, and accordingly, all suitable modifications and equivalents may be resorted to, falling within the scope of the invention. While the invention has been described with respect to a limited number of embodiments, it will be appreciated that many variations, modifications and other applications of the invention may be made.

Claims

WHAT IS CLAIMED IS
1. A system for authenticating a client wireless transceiver in communication with a wireless access point, in a wireless data communications network, the system comprising: (a) a wireless tagging device modulating a security code onto a communications signal transmitted from an antenna operatively connected to the client wireless transceiver, thereby transmitting a tagged communications signal; and (b) a tag receiver, operatively connected to the wireless access point, said tag receiver including a demodulator which demodulates said tagged communications signal and outputs a security signal including said security code.
2. The system, according to claim 1, wherein said wireless tagging device includes a terminating load operatively connected to a tagging radiative element and said modulating is performed by changing the amount of energy contained in said communications signal reflected from said radiative element.
3. The system, according to claim 2, wherein said terminating load includes an electronic component selected from the group consisting of diode, inductor, capacitor, resistor and transistor.
4. The system, according to claim 1, wherein said wireless tagging device further includes an energy detector which detects said communications signal and triggers a timer when there is communications activity.
5. The system, according to claim 1, wherein said wireless tagging device is placed in the proximity of said antenna within one wavelength of said communications signal.
6. The system, according to claim 1, wherein said tag receiver further includes a de-framer which inputs said security signal and extracts said security code.
7. A method for authenticating a client wireless transceiver in communication with a wireless access point, in a wireless data communications network, the method comprising: (a) modulating a security code onto a communications signal transmitted from an antenna operatively connected to the client wireless transceiver thereby transmitting a tagged communications signal; and (b) demodulating said tagged communications signal thereby outputting a security signal including said security code.
8. The method, according to claim 7, wherein said modulating is performed by changing the amount of energy contained in said communications signal reflected from said radiative element.
9. The method, according to claim 7, wherein said modulating is during a portion of a physical layer frame used solely for system tuning.
10. The method, according to claim 7, further comprising the step of, prior to said modulating: (c) hashing a one time password included in said security code.
11. The method, according to claim 7, further comprising the step of: (c) deframing said security signal and extracting said security code.
12. A wireless tagging system for authenticating communications with a wireless access point, in a wireless data communications network, the system comprising: (a) a message modulator which modulates a security code onto a wireless communications signal to produce a tagged communications signal including said security code; (b) an antenna operatively connected to said message modulator which transmits said tagged communications signal; and (c) a client wireless transceiver which receives said tagged communications signal and produces and transmits a second tagged communications signal including said security code, said second tagged communications signal received by the wireless access point.
13. The wireless tagging system, according to claim 12, wherein said tagged communications signal and said second tagged communications signal are of the same wireless protocol.
14. The wireless tagging system, according to claim 12, further comprising: (d) a password generator for generating said security code as input to said message modulator.
15. A method for authenticating communications from a client wireless transceiver to a wireless access point, in a wireless data communications network, the method comprising the steps of: (a) modulating a security code onto a wireless communications signal to produce a tagged communications signal including said security code; (b) transmitting said tagged communications signal; (c) receiving said tagged communications signal by the client wireless transceiver; (d) responding to said tagged communications signal by producing and transmitting a second tagged communications signal including said security code; and (e) receiving said second tagged communications signal by at least one receiver of the wireless access point.
16. The method, according to claim 15, further comprising the step of: (f) extracting said security code from said second tagged communications signal.
17. The method, according to claim 15, wherein said modulating and said transmitting are performed by a wireless tagging device at a distance from the client wireless transceiver, said distance controlled by the strength of said tagged communications signal.
PCT/IL2004/000645 2003-07-15 2004-07-15 Wireless signal coding and authentication WO2005008901A2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US48689203P 2003-07-15 2003-07-15
US60/486,892 2003-07-15
US49946403P 2003-09-03 2003-09-03
US60/499,464 2003-09-03

Publications (2)

Publication Number Publication Date
WO2005008901A2 true WO2005008901A2 (en) 2005-01-27
WO2005008901A3 WO2005008901A3 (en) 2005-05-12

Family

ID=34083395

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2004/000645 WO2005008901A2 (en) 2003-07-15 2004-07-15 Wireless signal coding and authentication

Country Status (1)

Country Link
WO (1) WO2005008901A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007097601A1 (en) * 2006-02-27 2007-08-30 Ubridge Co., Ltd Wireless-data certification system for communication
US11895493B1 (en) * 2021-02-18 2024-02-06 Amazon Technologies, Inc. Controlling a device that operates in a monitor mode

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5311186A (en) * 1989-09-27 1994-05-10 Nippon Soken, Inc. Transponder for vehicle identification device
US6084512A (en) * 1998-10-02 2000-07-04 Lucent Technologies, Inc. Method and apparatus for electronic labeling and localizing
US6101428A (en) * 1999-05-28 2000-08-08 Jon Snyder, Inc. Auto remote control with signal strength discrimination

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007097601A1 (en) * 2006-02-27 2007-08-30 Ubridge Co., Ltd Wireless-data certification system for communication
KR100755025B1 (en) 2006-02-27 2007-09-06 (주)유브릿지 Wireless-data certification system for communication
US11895493B1 (en) * 2021-02-18 2024-02-06 Amazon Technologies, Inc. Controlling a device that operates in a monitor mode

Also Published As

Publication number Publication date
WO2005008901A3 (en) 2005-05-12

Similar Documents

Publication Publication Date Title
Holt et al. 802.11 wireless networks: security and analysis
Ergen IEEE 802.11 Tutorial
US9408147B2 (en) Enhanced rate physical layer for Bluetooth™ low energy
Wood et al. DEEJAM: Defeating energy-efficient jamming in IEEE 802.15. 4-based wireless networks
RU2395913C2 (en) Method and device for distribution of beacon information
Elahi et al. ZigBee wireless sensor and control network
US10728758B2 (en) Method of secured transmission and reception of discovery message in a D2D communication system
US20090147837A1 (en) Wireless system synchronization using frequency shift modulation and on-off keying modulation
EP2195999A2 (en) Authentication method and framework
US20200044844A1 (en) Authentication of wireless communications
Wang et al. Rapidrider: Efficient wifi backscatter with uncontrolled ambient signals
WO2007024434A1 (en) Wireless communication device and methods for protecting broadcasted management control messages in wireless networks
Fette et al. RF and Wireless Technologies: know it all
WO2005094474A2 (en) System and method for authenticating devices in a wireless network
Jeong et al. SDR receiver using commodity wifi via physical-layer signal reconstruction
Chen et al. Reliable and practical bluetooth backscatter with commodity devices
KR20180091005A (en) Privacy Protection in Wireless Networks
US20130121492A1 (en) Method and apparatus for securing communication between wireless devices
WO2005008901A2 (en) Wireless signal coding and authentication
Held Securing wireless LANs: a practical guide for network managers, LAN administrators and the home office user
CN111989942A (en) Apparatus and method for information security in wireless communication
Reaz et al. Compass: Proximity aware common passphrase agreement protocol for wi-fi devices using physical layer security
US20230098093A1 (en) Variable authentication identifier (aid) for access point (ap) privacy
CN117256165A (en) Secure link establishment
WO2022026045A1 (en) Mitigating fake cell imprisonment

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase