
HK1145754A - Security for a heterogeneous ad hoc mobile broadband network - Google Patents


Info

Publication number
HK1145754A
Authority
HK
Hong Kong
Prior art keywords
service provider
mobile client
hoc service
server
session
Application number
HK10112246.5A
Other languages
Chinese (zh)
Inventor
D. Krishnaswamy
Original Assignee
Qualcomm Incorporated


Description

Security protection for heterogeneous ad hoc mobile broadband networks
Cross Reference to Related Applications
This application claims priority under 35 U.S.C. § 119 to provisional application No. 60/956,658, entitled "Method for a Heterogeneous Wireless Ad Hoc Mobile Service Provider," filed August 17, 2007.
Technical Field
The present disclosure relates generally to telecommunications and more specifically to handover in an ad hoc mobile broadband network.
Background
Wireless telecommunication systems are widely deployed to provide various services to consumers such as telephony, data, video, audio, messaging, broadcasting, and so on. These systems continue to evolve as market forces drive wireless communications to new heights. Today, wireless networks provide broadband internet access to mobile users on a regional scale, national scale, or even worldwide. Such networks are sometimes referred to as Wireless Wide Area Networks (WWANs). WWAN operators typically provide their subscribers with a wireless access plan, e.g., a monthly flat-rate subscription plan.
Accessing the WWAN from all mobile devices may not be feasible. Some mobile devices may not have a WWAN radio. Other mobile devices with WWAN radios may not have a valid subscription plan. Ad hoc networks allow mobile devices to connect dynamically over a wireless interface using protocols such as WLAN, Bluetooth, UWB, or others. There is a need in the art for a method that allows a user of a mobile device without WWAN access to dynamically subscribe to wireless access services provided by a user of a WWAN-capable mobile device, where the subscription is made over wireless ad hoc networking between the two users' mobile devices.
Disclosure of Invention
In one aspect disclosed herein, a server includes a processing system configured to maintain an encrypted control session with an ad hoc service provider and a mobile client while allowing the mobile client to support an encrypted data tunnel via the ad hoc service provider.
In another aspect disclosed herein, a server includes: means for allowing the mobile client to support an encrypted data tunnel via the ad hoc service provider; and an encrypted control session module for maintaining an encrypted control session with an ad hoc service provider and a mobile client while allowing the mobile client to support the encrypted data tunnel via the ad hoc service provider.
In another aspect disclosed herein, a method for providing security protection for a network from a server includes: allowing the mobile client to support an encrypted data tunnel via the ad hoc service provider; and maintaining an encrypted control session with the ad hoc service provider and the mobile client while allowing the mobile client to support the encrypted data tunnel via the ad hoc service provider.
In another aspect disclosed herein, a machine-readable medium includes instructions executable by a processing system in a server. The instructions include: code for allowing the mobile client to support an encrypted data tunnel via the ad hoc service provider; and code for maintaining an encrypted control session with the ad hoc service provider and the mobile client while allowing the mobile client to support the encrypted data tunnel via the ad hoc service provider.
It is to be understood that other aspects disclosed herein will become readily apparent to those skilled in the art from the following detailed description, wherein various aspects of the ad hoc mobile broadband network are shown and described by way of illustration. As will be recognized, the aspects disclosed herein can be implemented in other and different configurations, and their several details can be modified in various other respects. Accordingly, the drawings and detailed description are to be regarded as illustrative in nature and not as restrictive.
Drawings
Fig. 1 is a conceptual block diagram illustrating an example of a telecommunications system.
Fig. 2 is a conceptual block diagram illustrating an example of a hardware configuration for a server.
Fig. 3 is a conceptual block diagram illustrating an example of a hardware configuration for a processing system in a server.
Fig. 4A is a flow diagram illustrating an example of the functionality of a server for supporting connections with ad hoc service providers.
Fig. 4B is a flow chart illustrating an example of the functionality of a server for supporting mobile clients.
Fig. 5 is a conceptual block diagram of an example of the functionality of an ad hoc service provider.
Detailed Description
The detailed description set forth below in connection with the appended drawings is intended as a description of various aspects of an ad hoc mobile broadband network and is not intended to represent the only aspects in which the claims may be practiced. Specific details are included in the detailed description for the purpose of providing a thorough understanding of such aspects. However, it will be apparent to one of ordinary skill in the art that aspects of the ad hoc mobile broadband network may be practiced without these specific details. In some instances, well-known structures and components are shown in block diagram form in order to avoid obscuring the various concepts presented throughout this disclosure.
Fig. 1 is a conceptual block diagram illustrating an example of a telecommunications system. The telecommunications system 100 is shown with multiple WWANs providing broadband access to the network 102 for mobile users. Network 102 may be a packet-based network, such as the Internet, or some other suitable network. For clarity of presentation, two WWANs 104 are shown with backhaul connections to the internet 102. Each WWAN 104 may be implemented with a plurality of fixed-location base stations (not shown) dispersed throughout a geographic area. The geographic area is generally subdivided into smaller areas called cells. Each base station may be configured to serve all mobile users in its respective cell. A base station controller (not shown) may be used to manage and coordinate the base stations in the WWAN 104 and support the backhaul connection to the internet 102.
Each WWAN 104 may support radio communication with mobile users using one of many different wireless access protocols. For example, one of the WWANs 104 may support Evolution-Data Optimized (EV-DO) while another WWAN 104 may support Ultra Mobile Broadband (UMB). EV-DO and UMB are air interface standards promulgated by the 3rd Generation Partnership Project 2 (3GPP2) as part of the CDMA2000 family of standards; they apply multiple access techniques such as Code Division Multiple Access (CDMA) to provide broadband internet access to mobile users. Alternatively, one of the WWANs 104 may support Long Term Evolution (LTE), a 3GPP project that improves the Universal Mobile Telecommunications System (UMTS) mobile phone standard, which is based primarily on a wideband CDMA (W-CDMA) air interface. One of the WWANs 104 may also support the WiMAX standard developed by the WiMAX Forum. The actual wireless access protocol employed by a WWAN in any particular telecommunications system will depend on the particular application and the overall design constraints imposed on the system. The various techniques presented throughout this disclosure are equally applicable to any combination of heterogeneous or homogeneous WWANs, regardless of the wireless access protocol used.
Each WWAN 104 has multiple mobile subscribers. Each user may have a mobile node 106 that is able to access the internet 102 directly through the WWAN 104. In the telecommunications system shown in FIG. 1, the mobile nodes 106 access the WWAN 104 using the EV-DO, UMB, or LTE wireless access protocols; in actual implementations, however, these mobile nodes 106 may be configured to support any wireless access protocol.
One or more of these mobile nodes 106 may be configured to create an ad hoc network in its vicinity based on a wireless access protocol that is the same as or different from the wireless access protocol used to access the WWAN 104. For example, a mobile node 106 may use the UMB wireless access protocol with a WWAN while providing an IEEE 802.11 access point for mobile nodes 108 that cannot directly access the WWAN. IEEE 802.11 denotes a set of Wireless Local Area Network (WLAN) standards developed by the IEEE 802.11 committee for short-range communications (e.g., tens to hundreds of meters). While IEEE 802.11 is a common WLAN wireless access protocol, other suitable protocols may be used.
A mobile node 106 that may be used to provide an access point for another mobile node 108 will be referred to herein as an "ad hoc service provider". Mobile nodes 108 that may use the access points of ad hoc service providers 106 will be referred to herein as "mobile clients". The mobile node, whether an ad hoc service provider 106 or a mobile client 108, may be a laptop, a mobile phone, a Personal Digital Assistant (PDA), a mobile digital audio player, a mobile gaming device, a digital camera, a digital video camera, a mobile audio device, a mobile video device, a mobile multimedia device, or any other device capable of supporting at least one wireless access protocol.
The ad hoc service provider 106 may extend its wireless broadband internet access service to a mobile client 108 that would otherwise have no internet access. The server 110 may act as a "switch" that allows the mobile client 108 to purchase unused bandwidth from the ad hoc service provider 106 in order to access the internet 102, for example, through the WWAN 104. In one configuration of the telecommunications system 100, the server 110 charges the mobile client 108 based on usage. For temporary users of mobile internet services, this may be an attractive alternative to monthly flat-rate wireless access plans. Revenue generated from usage charges may be distributed among the various entities in the telecommunications system 100 in a manner that tends to keep the switch efficient. For example, a portion of the revenue may be distributed to ad hoc service providers, thereby providing an incentive for mobile users to become ad hoc service providers. Another portion of the revenue may be allocated to the WWAN operators to compensate them for bandwidth that would otherwise go unused. Another portion of the revenue may be distributed to the manufacturer of the mobile node.
The ad hoc service provider 106, the server 110, and the one or more mobile clients 108 may establish a network that is an ad hoc heterogeneous wireless network. By way of example, a heterogeneous wireless network may include at least two types of wireless networks (e.g., WWAN and WLAN). An ad hoc network is one whose particular configuration may change over time or from one formation of the network to the next. The network configuration is not planned in advance before the network is established. Examples of the configuration of an ad hoc network include which members the network will have (e.g., which ad hoc service provider, which server, and/or which mobile client will be included in the network), the geographic locations of the ad hoc service provider and the mobile client, and when and for how long the network is to be established.
Fig. 2 shows an example diagram of a hardware implementation of a server. The server 110 may be a centralized server or a distributed server. The centralized server may be a dedicated server or integrated into another network-related entity such as a desktop or laptop computer or a host computer or other suitable entity. A distributed server may be distributed among multiple servers and/or one or more other network-related entities such as laptops or desktops or hosts, or some other suitable entity. In at least one configuration, the server may be fully or partially integrated into one or more ad hoc service providers.
The server 110 is shown with a network interface 202, which may support wired and/or wireless connections to the internet 102. The network interface 202 may be used to implement the physical layer by providing a module that transmits raw data bits according to the physical and electrical specifications required for the interface to the transmission medium. The network interface 202 may also be configured to implement the lower portion of the data link layer by managing access to the transmission medium.
The server 110 is also shown with a processing system 204, the processing system 204 providing various functions including enrollment and authentication of ad hoc service providers and mobile clients, management of control sessions by ad hoc service providers and mobile clients, handoff support between ad hoc service providers, tunneling of data for mobile clients, and various services to mobile clients. The processing system 204 is shown separate from the network interface 202, but the network interface 202, or any portion thereof, may be integrated into the processing system 204, as will be readily understood by those skilled in the art.
Fig. 3 is an example of a hardware implementation of a processing system in a server. In this example, the processing system 204 may be implemented with a bus architecture, represented generally by the bus 302. The bus 302 may include any number of interconnecting buses and bridges depending on the specific application of the processing system 204 and the overall design constraints. The bus links together various circuits including the processor 304 and the machine-readable medium 306. The bus 302 may also link various other circuits such as timing sources, peripherals, voltage regulators, power management circuits, and the like, which are well known in the art and therefore will not be described any further. A network adapter 308 provides an interface between the network interface 202 (see fig. 2) and the bus 302.
The processor 304 is responsible for managing the bus and general processing, including the execution of software stored on the machine-readable medium 306. Processor 304 may be implemented with one or more general and/or special purpose processors. Examples include microprocessors, microcontrollers, DSP processors, and other circuits that can execute software. Software should be construed broadly to mean instructions, data, or any combination thereof, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. The machine-readable medium may include, for example, RAM (random access memory), flash memory, ROM (read only memory), PROM (programmable read only memory), EPROM (erasable programmable read only memory), EEPROM (electrically erasable programmable read only memory), registers, a magnetic disk, an optical disk, a hard disk drive, or any other suitable storage medium or any combination thereof.
In the hardware implementation shown in fig. 3, the machine-readable medium 306 is shown as part of the processing system 204, separate from the processor 304. One of ordinary skill in the art will readily appreciate that the machine-readable medium 306, or any portion thereof, may be external to the processing system 204. By way of example, the machine-readable medium 306 may include a transmission line, a carrier wave modulated with data, and/or a computer product separate from the server, which the processor 304 may access through the network adapter 308. Alternatively or in addition, the machine-readable medium 306, or any portion thereof, may be integrated into the processor 304, such as a cache memory and/or a general register file.
The processing system 204 may be configured as a general purpose processing system having one or more microprocessors that provide processor functionality and an external memory that provides at least a portion of the machine-readable medium 306, all linked together with other supporting circuitry through an external bus architecture. Alternatively, the processing system 204 may be implemented with an ASIC (application specific integrated circuit) having the processor 304, the network adapter 308, support circuits (not shown), and at least a portion of the machine-readable medium 306 integrated into a single chip, or with an FPGA (field programmable gate array), a PLD (programmable logic device), a controller, a state machine, gated logic, discrete hardware components, or any other suitable circuit or combination of circuits that can perform the various functions described throughout this disclosure. Those skilled in the art will recognize how best to implement the described functionality of the processing system 204 depending on the particular application and the overall design constraints imposed on the overall system.
The machine-readable medium 306 is shown with a plurality of software modules. Each module includes a set of instructions that, when executed by the processor 304, cause the processing system 204 to perform the various functions described below. The software modules include: a protocol stack module 309, a security module 310, a service provider control session management module 312, a mobile client control session management module 314, a tunneling/routing module 316, a handoff module 318, and a services module 320. Each software module may reside in a single storage device or be distributed across multiple storage devices. For example, when a triggering event occurs (e.g., the mobile node decides to become an ad hoc service provider), a software module may be loaded into RAM from a hard drive. During execution of a software module, the processor 304 may load some of its instructions into cache memory to increase access speed. One or more cache lines may then be loaded into the general register file for execution by the processor 304. When reference is made below to the functionality of a software module, it is understood that the functionality is implemented by the processor 304 executing instructions from that software module.
The protocol stack module 309 may be used to implement the protocol architecture for the server, or any portion thereof. In the implementation described here, the protocol stack module 309 is responsible for implementing several protocol layers that run above the data link layer implemented by the network interface 202 (see fig. 2). For example, the protocol stack module 309 may implement the upper portion of the data link layer by providing flow control, acknowledgement, and error recovery. The protocol stack module 309 may also implement the network layer by managing source-to-destination packet data transfers, and the transport layer by providing transparent transfer of data between end users. Although described as part of the processing system, the protocol stack module 309, or any portion thereof, may be implemented by the network interface 202.
The security module 310 may be used for enrollment. The registration of an ad hoc service provider or mobile client may be static (non-mobile) or dynamic (mobile). A server certificate may be provided to a mobile client or an ad hoc service provider. The certificate includes the server's public key, signed with the private key of an external certificate authority. The mobile client and the ad hoc service provider are provisioned with the public key of the certificate authority and are therefore able to verify the certificate authority's signature and then use the server's public key to communicate privately with the server. The mobile client may register with the server to establish a username and password together with payment information. Similarly, an ad hoc service provider may register by establishing a username and password with the server. The username and password are established by the security module 310 and may be stored in the authentication database 322.
After enrollment, when an ad hoc service provider wishes to provide a wireless access point to other mobile clients, the security module 310 may authenticate the ad hoc service provider. In one example, the ad hoc service provider requests a certificate from the server, which the security module 310 forwards. After receiving and verifying the server certificate, the ad hoc service provider proposes a session key (K_{SP,S}) encrypted with the server's public key. The server receives it and provides it to the security module 310 so that all subsequent messages can be encrypted with the session key K_{SP,S}. The ad hoc service provider then provides its username and password encrypted with the session key K_{SP,S}. The security module 310 authenticates the ad hoc service provider against the information stored in the authentication database 322.
The security module 310 may also be used to authenticate mobile clients that have registered with the server. Authentication will typically take place over an ad hoc wireless link between the mobile client and the ad hoc service provider, but may in some cases be performed directly between the mobile client and the server. A connection between the mobile client and the server is established using the existing connection between the ad hoc service provider and the server. In this example, the mobile client is the requestor, the ad hoc service provider is the authenticator, and the server is the authentication server. The mobile client requests a certificate from the server. The ad hoc service provider forwards the request to the server, receives the certificate from the security module 310 and forwards it to the mobile client. After validating the server certificate, the mobile client proposes a session key (K_{C,S}) encrypted with the server's public key. The server receives it and provides it to the security module 310 so that all subsequent messages between the server and the mobile client can be encrypted with the session key K_{C,S}. The mobile client then provides the server with its username and password encrypted with the session key K_{C,S}. The security module 310 authenticates the mobile client against the information stored in the authentication database 322. After verification is complete, the security module 310 notifies the ad hoc service provider and the mobile client that the mobile client is now authenticated and can receive service.
After the ad hoc service provider is authenticated, the control session management module 312 uses the key K_{SP,S} to establish and maintain a secure session X_{SP,S} between the ad hoc service provider and the server. Similarly, after the mobile client is authenticated, the control session management module 314 uses the key K_{C,S} to establish and maintain a secure session X_{C,S} between the mobile client and the server. A key K_{SP,C} may be generated at the mobile client and sent in session X_{C,S} to the control session management module 314 of the server. The key K_{SP,C} may then be provided to the ad hoc service provider by the control session management module 312 in session X_{SP,S}. This allows the key K_{SP,C} to be used to establish and maintain a secure session X_{SP,C} between the ad hoc service provider and the mobile client. In an alternative configuration, the key K_{SP,C} may be generated by the security module 310 in the server or by the ad hoc service provider.
The session keys K_{SP,S}, K_{C,S} and K_{SP,C} described so far are exchanged at the application layer. The IP header and information about the message type may therefore be exposed. To prevent any visibility into the information flowing over the ad hoc wireless link between the mobile client and the ad hoc service provider, the transmissions over the wireless link may be secured separately. The mobile client and the ad hoc service provider may negotiate a data link encryption key WK_{SP,C} for the wireless link. The key may be generated in a security module in the mobile client, in the ad hoc service provider, or in the server (security module 310). Once the mobile client and the ad hoc service provider agree to use the data link encryption key, it may be used for all transmissions between them.
Messages may be exchanged in the secure session X_{C,S} between the mobile client and the control session management module 314 in the server to establish an encrypted VPN tunnel for transmitting data to the Internet through the server. In at least one configuration of the telecommunications system, all data sent from the mobile client to any location on the internet is tunneled through the tunnel/routing module 316 in the server. This ensures that the ad hoc service provider does not see the data associated with the mobile client, and thus protects the privacy of the mobile client. The tunnel also protects the ad hoc service provider: because all data associated with the mobile client flows through the tunnel/routing module 316, responsibility for handling the mobile client's traffic rests with the server and the mobile client, and the ad hoc service provider acts only as a relay that allows data associated with the mobile client to reach the server. The tunnel/routing module 316 is drawn with a short dashed line to emphasize that it may be located in the server or anywhere else in the telecommunications system.
After the tunnel is established between the mobile client 108 and the tunnel/routing module 316 in the server, the services module 320 may be used to provide various services to the mobile client. By way of example, the service module 320 may support audio or video services to the mobile client 108. The service module 320 may also support advertisement services to the mobile client 108. Other functions of the service module 320 may include routing of mobile client data to and from the internet and providing network address translation for the mobile client to and from the internet.
The handoff module 318 may provide for handoff of the mobile client from one ad hoc service provider to another based on any number of factors. These factors may include, for example, the quality of service (QoS) required by the mobile client, the duration of the session required by the mobile client, and the load, link conditions, and energy level (e.g., battery life) at the ad hoc service provider.
An example will now be given in which a mobile client connected to a "serving ad hoc service provider" (SP1) is handed over to a "target ad hoc service provider" (SP2). Initially, there are three secure sessions X_{SP1,S}, X_{C,S} and X_{SP1,C}, each using its own session key K_{SP1,S}, K_{C,S} and K_{SP1,C}. When the target ad hoc service provider SP2 becomes available, the control session management module 312 may establish a secure session X_{SP2,S} using a session key K_{SP2,S} negotiated between the target ad hoc service provider SP2 and the security module 310. Within the secure session X_{SP2,S}, a handover request may be initiated by the mobile client, by the serving ad hoc service provider SP1, or by the handoff module 318. The security module 310 may provide the target ad hoc service provider SP2 with information indicating that the mobile client has been authenticated. Within the secure session X_{C,S}, the security module 310 may notify the mobile client that it has been authenticated with the target ad hoc service provider SP2. A session key K_{SP2,C} may be generated by the security module 310 in the mobile client, in the target ad hoc service provider SP2, or in the server to establish and maintain a secure session X_{SP2,C}. The mobile client is then disassociated from the serving ad hoc service provider SP1 and associated with the target ad hoc service provider SP2. The mobile client and the target ad hoc service provider SP2 can use the session key K_{SP2,C} for the secure session X_{SP2,C}; the target ad hoc service provider SP2 has now become the serving ad hoc service provider. Information (e.g., residual packets associated with the mobile client) may be exchanged between the two service providers through the server with the assistance of the handoff module 318. A session key K_{SP1,SP2} may be established for the secure exchange of messages between the two service providers.
Alternatively, if the two service providers can reach each other over a local wireless link, the message exchange can take place over a direct wireless link between them. A multi-hop wireless path between the two service providers (if such a path is available) may be used in a wireless mesh network topology. Some information (e.g., control flow information) may be exchanged through the server, while other information (e.g., data flow information) may be communicated over the direct wireless link/path between the two service providers, with the assistance of the handoff module 318.
The function of the processing system in the server will now be described with reference to fig. 4A and 4B. Fig. 4A is a flow diagram illustrating an example of a process implemented by a server for supporting ad hoc service providers. Fig. 4B is a flow chart illustrating an example of a process implemented by a server for supporting a mobile client.
Referring to fig. 4A, in block 402A a server may allow an ad hoc service provider to register so that it can provide mobile clients with an access point to a wireless broadband network. When the ad hoc service provider actually wishes to provide an access point, the server may authenticate it in block 404A based on the information obtained during the registration process. The authentication process may include the generation of a session key K_{SP,S} between the server and the ad hoc service provider. After authentication, in block 406A the server uses the session key K_{SP,S} to establish and manage a secure control session with the ad hoc service provider. The server continues to manage the secure control session until the connection is terminated, as shown in block 412A. After the connection is terminated, the server closes the control session with the ad hoc service provider in block 414A. Since the ad hoc service provider remains registered, it may later act again as an access point by invoking the authentication process of the server in block 404A.
Turning to fig. 4B, in block 402B the server may allow the mobile client to register so that it can receive wireless broadband access to the network from an ad hoc service provider. When the mobile client actually wishes to connect to the ad hoc service provider, the server may authenticate the mobile client in block 404B based on the information obtained during enrollment. The authentication process may include the creation of a session key K_{C,S} between the server and the mobile client. Once the mobile client is authenticated, the server uses the session key K_{C,S} to establish and manage a secure control session with the mobile client. The server also establishes and maintains an encrypted data tunnel for transmitting data through the server to the network in block 408B. After the tunnel is established, the server may provide various services to the mobile client in block 410B. If a handoff of the mobile client to another ad hoc service provider is required in block 412B, the server may support the handoff in block 414B and continue to provide service to the mobile client during and after the handoff in block 410B. The server may provide these services until the connection is terminated, as shown in block 416B. After the connection is terminated, the server closes the control session and the tunnel with the mobile client in block 418B. Since the mobile client remains registered, it may later connect to an ad hoc service provider by invoking the authentication process of the server in block 404B.
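The following simulation is an added example, not code from the patent or from Qualcomm: it walks through the enrollment, relayed authentication, brokering of K_SP,C over X_C,S and X_SP,S, tunnel confidentiality and SP1-to-SP2 handoff described above (figs. 4A and 4B). Assumptions: "encrypted with session key K" is modelled by a toy SHA-256 keystream plus HMAC tag; the public-key step (proposed key encrypted for the server) is not modelled and the key is handed over directly; the tunnel key is modelled as K_C,S itself; all names and passwords are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Toy symmetric cipher standing in for "encrypted with session key K": SHA-256
# counter keystream plus an HMAC-SHA256 tag.  Constructed for this simulation only.
def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong session key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Server:
    """Security module 310 plus control session management modules 312/314."""
    def __init__(self):
        self.auth_db = {}     # authentication database 322: name -> (salt, password hash)
        self.sessions = {}    # open control sessions: name -> K_SP,S or K_C,S
    def enroll(self, name, password):
        salt = os.urandom(16)
        self.auth_db[name] = (salt, hashlib.sha256(salt + password.encode()).digest())
    def authenticate(self, proposed_key, sealed_credentials):
        """Assumption: proposed_key arrived encrypted under the server's public key;
        that asymmetric step is not modelled, the key is handed over directly."""
        user, _, pwd = unseal(proposed_key, sealed_credentials).decode().partition(":")
        salt, digest = self.auth_db.get(user, (b"", b""))
        if not hmac.compare_digest(digest, hashlib.sha256(salt + pwd.encode()).digest()):
            return None
        self.sessions[user] = proposed_key          # X_user,S is now open
        return user
    def broker_peer_key(self, client, sp, sealed_key):
        """K_SP,C arrives from the client inside X_C,S and is re-sealed for the SP
        inside X_SP,S; the relaying SP only ever sees it under a key it holds."""
        return seal(self.sessions[sp], unseal(self.sessions[client], sealed_key))

class Node:
    """A mobile node acting as ad hoc service provider (SP) or mobile client (C)."""
    def __init__(self, name, password):
        self.name, self.password = name, password
        self.keys = {}        # "S" -> key shared with the server, peer name -> K_SP,C
        self.relayed = []     # ciphertext this node forwarded on behalf of others
    def login(self, server, via=None):
        """Propose a session key, then send username:password sealed under it.
        With via set, the SP relays the request (requestor/authenticator/server)."""
        k = secrets.token_bytes(32)
        creds = seal(k, f"{self.name}:{self.password}".encode())
        if via is not None:
            via.relayed.append(creds)
        if server.authenticate(k, creds) != self.name:
            return False
        self.keys["S"] = k
        return True

def establish_peer_session(server, client, sp):
    """Client generates K_SP,C, sends it in X_C,S; the server delivers it in X_SP,S."""
    k_sp_c = secrets.token_bytes(32)
    for_sp = server.broker_peer_key(client.name, sp.name, seal(client.keys["S"], k_sp_c))
    sp.keys[client.name] = unseal(sp.keys["S"], for_sp)
    client.keys[sp.name] = k_sp_c
    return sp.keys[client.name] == client.keys[sp.name]

def tunnel_send(server, client, sp, payload):
    """Tunnel data is sealed end-to-end for the server (tunnel/routing module 316).
    Assumption: the tunnel key is K_C,S itself; the page negotiates it inside X_C,S."""
    blob = seal(client.keys["S"], payload)
    sp.relayed.append(blob)
    return unseal(server.sessions[client.name], blob)

def readable_by(node, blob):
    """What a node can recover from a relayed blob with every key it holds."""
    for k in node.keys.values():
        try:
            return unseal(k, blob)
        except ValueError:
            continue
    return None

def handoff(server, client, sp1, sp2):
    """SP1 -> SP2: SP2 opens X_SP2,S, the server confirms the client is already
    authenticated, K_SP2,C is brokered, and the client disassociates from SP1."""
    if "S" not in sp2.keys and not sp2.login(server):
        return False
    if client.name not in server.sessions:
        return False
    if not establish_peer_session(server, client, sp2):
        return False
    client.keys.pop(sp1.name, None)
    sp1.keys.pop(client.name, None)
    return True
```

The point to check is that the relaying SP, holding K_SP,S and K_SP,C, can read neither the client's credentials nor its tunnel data, while the server can open both.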
FIG. 5 is a conceptual block diagram illustrating an example of the functionality of an ad hoc service provider. The ad hoc service provider 106 has the ability to bridge wireless links based on homogeneous or heterogeneous wireless access protocols. This may be accomplished with a WWAN network adapter 502 and a WLAN network adapter 504, where the WWAN network adapter 502 supports a wireless access protocol for a WWAN to the internet 102 and the WLAN network adapter 504 provides a wireless access point for the mobile client 108. By way of example, the WWAN network adapter 502 may include transceiver functionality that supports EV-DO for Internet access over a WWAN, and the WLAN network adapter 504 may include transceiver functionality that provides an 802.11 access point for the mobile client 108. Each of the network adapter 502 and the network adapter 504 may be configured to implement the physical layer by demodulating wireless signals and performing other Radio Frequency (RF) front-end processing. Each of the network adapter 502 and the network adapter 504 may also be configured to implement the link layer by managing data transfers at the physical layer, and the network layer by managing packet transfers from the source to the destination.
The ad hoc service provider 106 is shown with a filtering interconnection and session monitoring module 506. The module 506 filters content from the mobile clients 108 so that the interconnection between the ad hoc wireless link and the WWAN network adapter 502 is provided only to mobile clients 108 that have been authenticated by the server and licensed to use the WWAN. The module 506 also maintains a tunnel connection between the server and each authenticated mobile client 108.
The ad hoc service provider 106 also includes a service provider application 508 that (1) allows the module 506 to provide ad hoc services to the mobile client 108, and (2) supports WWAN or internet access for the mobile user or subscriber of the ad hoc service provider 106. The latter functionality is supported through a user interface 512, which communicates with the WWAN network adapter 502 through module 506 under control of the service provider application 508. The user interface 512 may include any combination of keypads, displays, speakers, microphones, joysticks, and/or other user interface devices that allow the mobile user to access the WWAN 104 or the internet 102 (see fig. 1).
As discussed above, the service provider application 508 allows the module 506 to provide ad hoc services to the mobile client 108. The service provider application 508 maintains a control session with the server in order to exchange custom messages with the server. In addition, the service provider application 508 maintains a separate control session with each mobile client 108 for the exchange of custom messages between the service provider application 508 and that mobile client 108. The service provider application 508 provides information about authenticated and licensed clients to the filtering interconnection and session monitoring module 506. The filtering interconnection and session monitoring module 506 only allows content to flow for authenticated and licensed mobile clients 108. The filtering interconnection and session monitoring module 506 also optionally monitors information about the content flow associated with the mobile client 108, such as the amount of content sent to and from the mobile client, as well as information about WWAN and WLAN network resource utilization and available bandwidth on the wireless channel. The filtering interconnection and session monitoring module 506 may additionally and optionally provide this information to the service provider application 508. The service provider application 508 may optionally process the information and take appropriate action, such as determining whether to continue to maintain a connection with the mobile client 108 and with the server, or whether to continue to provide service. It should be noted that the various functions described in connection with modules 506 and 508 may be implemented in one or more sets of modules cooperating with each other to provide these functions at the ad hoc service provider 106 on any given platform.
When the ad hoc service provider 106 decides to provide these services, the service provider application 508 sends a request to the server for approval. The service provider application 508 requests authentication by the server and approval to provide service to one or more mobile clients 108. The server may authenticate the ad hoc service provider 106 and then determine whether it approves the ad hoc service provider's request. As previously described, the request may be rejected if the number of ad hoc service providers within the same geographic area is too large or if the WWAN operator imposes certain constraints on the ad hoc service provider 106.
After authenticating the ad hoc service provider 106, the service provider application 508 may advertise an ad hoc WLAN Service Set Identifier (SSID). Interested mobile clients 108 may associate with the SSID to access the ad hoc service provider 106. The service provider application 508 may then authenticate the mobile client 108 with the server and then configure the filtered interconnection and session monitoring module 506 to connect the mobile client 108 to the server. During authentication of the mobile client 108, the service provider application 508 may use an unsecured wireless link.
After authenticating the mobile client 108, the service provider application 508 may optionally choose to move the mobile client 108 to a new SSID with a secure link. In this case, the service provider application 508 may allocate the time spent in each SSID according to the load that needs to be supported for the existing session with the mobile client 108.
The service provider application 508 can also determine whether it can support the mobile client 108 before allowing the mobile client 108 access to the network. Resource intelligence can be used to estimate the depletion of battery power and other processing resources that may result from accepting a mobile client 108 and can help determine whether the service provider application 508 should consider supporting a new mobile client 108 or accepting a handoff of the mobile client 108 from another ad hoc service provider.
The service provider application 508 may admit the mobile clients 108 and provide them with certain QoS guarantees, such as the average bandwidth expected during the session. The average throughput provided to each mobile client 108 over a time window may be monitored. The service provider application 508 may monitor the throughput of all flows that pass through it to ensure that the resource utilization of each mobile client 108 stays below a certain threshold and that it meets the QoS requirements it agreed to provide to the mobile client 108 during the establishment of the session.
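The filtering interconnection and session monitoring module 506 and the windowed throughput check of the preceding paragraphs, as an added example (not code from the patent): frames from clients the server has not authenticated and licensed are dropped without being counted, admitted clients are metered per direction over a time window, and a frame that would push the window's total over the agreed bandwidth is dropped. The byte-per-window budget formula, the configurable fraction of the agreed bandwidth, the `Frame` type and the client identifiers are this example's own assumptions; the patent only says the throughput is monitored against a threshold.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Direction of a frame relative to the mobile client.
type Direction int

const (
	Uplink   Direction = iota // mobile client -> WWAN
	Downlink                  // WWAN -> mobile client
)

// Frame is a constructed stand-in for one packet crossing the WLAN/WWAN bridge.
type Frame struct {
	ClientID string
	Dir      Direction
	Bytes    int
	At       time.Time
}

// clientState is what the service provider application 508 hands to module 506
// once the server has authenticated and licensed a client, plus the per-session
// counters module 506 keeps for it.
type clientState struct {
	agreedBps   int           // average bandwidth promised at session setup
	window      time.Duration // averaging window for the throughput check
	windowStart time.Time
	sent, recv  int // bytes seen in the current window, per direction
}

// Filter models the filtering interconnection and session monitoring module.
type Filter struct {
	clients  map[string]*clientState
	maxShare float64 // fraction of the agreed bandwidth above which frames are dropped
}

var (
	ErrNotAuthenticated = errors.New("client not authenticated or not licensed")
	ErrOverQuota        = errors.New("client exceeds agreed bandwidth in this window")
)

func NewFilter(maxShare float64) *Filter {
	return &Filter{clients: map[string]*clientState{}, maxShare: maxShare}
}

// Admit is called after the server reports the client authenticated and licensed.
func (f *Filter) Admit(id string, agreedBps int, window time.Duration, now time.Time) {
	f.clients[id] = &clientState{agreedBps: agreedBps, window: window, windowStart: now}
}

// Revoke removes the client when its session ends or the server withdraws it.
func (f *Filter) Revoke(id string) { delete(f.clients, id) }

// Forward decides whether a frame crosses the bridge. Unknown clients are dropped
// without being counted; admitted clients are counted, and a frame that would push
// the windowed volume above maxShare * agreedBps is dropped.
func (f *Filter) Forward(fr Frame) error {
	st, found := f.clients[fr.ClientID]
	if !found {
		return ErrNotAuthenticated
	}
	if fr.At.Sub(st.windowStart) >= st.window { // start a new averaging window
		st.windowStart, st.sent, st.recv = fr.At, 0, 0
	}
	// Budget in bytes for one window: bit/s * seconds / 8, scaled by maxShare (assumption).
	budget := float64(st.agreedBps) * st.window.Seconds() / 8 * f.maxShare
	if float64(st.sent+st.recv+fr.Bytes) > budget {
		return ErrOverQuota
	}
	if fr.Dir == Uplink {
		st.sent += fr.Bytes
	} else {
		st.recv += fr.Bytes
	}
	return nil
}

// Usage reports the current-window counters to the service provider application,
// which may use them to decide whether to keep serving the client.
func (f *Filter) Usage(id string) (sent, recv int, ok bool) {
	st, found := f.clients[id]
	if !found {
		return 0, 0, false
	}
	return st.sent, st.recv, true
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	f := NewFilter(1.0)
	f.Admit("client-7", 8000, time.Second, now) // 8000 bit/s = 1000 bytes per 1 s window
	fmt.Println(f.Forward(Frame{ClientID: "unknown", Dir: Uplink, Bytes: 100, At: now}))
	fmt.Println(f.Forward(Frame{ClientID: "client-7", Dir: Uplink, Bytes: 600, At: now}))
}
```

Dropping over-quota frames rather than queueing them keeps the example simple; a real module 506 would more likely shape the flow and report the overrun to the service provider application 508, which the description says may then decide whether to keep serving the client.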
The service provider application 508 may also provide a particular level of security to the wireless access point by routing the content through the filtered interconnection and session monitoring module 506 without being able to decipher the content. Similarly, the service provider application 508 may be configured to ensure that content routed between the user interface 510 and the WWAN104 via the module 506 is not deciphered by the mobile client 108. The service provider application 508 may use any suitable encryption technique to implement this functionality.
The service provider application 508 may also maintain a period of time during which the mobile client 108 is to have access to the network. The time period may be agreed upon between the ad hoc service provider 508 and the mobile client 108 during session initiation. If the service provider application 508 determines that it cannot provide the mobile client 108 with access to the network for the agreed-upon period of time, it may notify the server and the mobile client 108 that it is no longer able to do so. This may occur due to energy constraints (e.g., low battery) or other unforeseen events. The server may then consider handing off the client to another ad hoc service provider, as long as such an ad hoc service provider exists in the vicinity of the mobile client 108. The service provider application 508 may support this handoff of the mobile client 108.
The service provider application 508 may also contribute processing resources to maintain wireless links or limited sessions with mobile clients 108 served by other ad hoc service providers. This may facilitate handoff of the mobile client 108 to the ad hoc service provider 106.
The service provider application 508 may manage the mobile client 108 as a whole and the session in particular, through the user interface 512. Alternatively, the service provider application 508 may support a seamless mode of operation with processing resources that are dedicated to serving the mobile client 108. In this way, the mobile client 108 is managed in a manner that is transparent to the mobile user. This seamless mode of operation is desirable when a mobile user does not want to manage the mobile client 108 but wants to continue to generate revenue by sharing bandwidth with the mobile client 108.
Turning now to the mobile client, the mobile client 108 may use a session with the server 110 to register. After registration, the mobile client 108 may search for available ad hoc service providers 106. When the mobile client 108 detects the presence of one or more ad hoc service providers 106, it may initiate a session with an ad hoc service provider 106 based on parameters such as the available bandwidth that the ad hoc service provider 106 can support, the QoS metrics of the ad hoc service provider 106, and the advertised price of its service. As previously described, a link encryption key may be established between the mobile client 108 and the ad hoc service provider 106 during session establishment. A session may be established between the mobile client 108 and the server 110 so that all traffic between the two may be encrypted. The transport layer port numbers may remain open and unencrypted so that the network address translation function at the ad hoc service provider 106 can see them.
The handoff of the mobile client 108 may be performed in various ways. In one configuration, the mobile client 108 may maintain restricted sessions with multiple ad hoc service providers 106 while using one ad hoc service provider 106 to access the internet. As previously mentioned, this approach may facilitate the handover procedure. In an alternative configuration, the mobile client 108 may only consider handover when necessary. In this configuration, the mobile client 108 may maintain an active list of the various ad hoc service providers 106 in its vicinity for use in handoff. When the current ad hoc service provider 106 needs to stop its service, the mobile client 108 may select one ad hoc service provider 106 from the active list to hand off to. When handoff is not feasible, the mobile client 108 may need to reconnect through a different ad hoc service provider 106 to access the internet. The persistence of the channel between the mobile client and the server may allow the mobile client to soft handoff from one service provider to another.
If the bandwidth requirements of the mobile client 108 are greater than the capabilities of the available ad hoc service providers 106, the mobile client 108 may access multiple ad hoc service providers 106 simultaneously. A mobile client 108 with multiple transceivers may potentially access multiple ad hoc service providers 106 simultaneously, using a different transceiver for each ad hoc service provider 106. Different channels may be used if multiple ad hoc service providers 106 are accessed using the same wireless access protocol. If the mobile client 108 has only one transceiver available, it may allocate the time it spends accessing each ad hoc service provider 106.
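The client-side handoff logic of the last three paragraphs (the active list of nearby providers, the provider announcing it must stop, selection by bandwidth, QoS and price, and aggregation across several providers when none suffices alone), as an added example that is not code from the patent. The description lists the selection criteria but not their precedence, so ranking by QoS, then price, then spare bandwidth is this example's assumption, as are the `Provider` fields, the 0..1 QoS scale, the price unit and the proportional time-share rule for a single-transceiver client.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Provider is one entry in the mobile client's active list of nearby ad hoc
// service providers, built from what each one advertises (constructed fields).
type Provider struct {
	ID         string
	AvailBps   int     // bandwidth the provider says it can still support
	QoS        float64 // assumed 0..1 score derived from the provider's QoS metrics
	PricePerMB float64 // assumed unit for the advertised price
	Serving    bool    // false once the provider has announced it must stop service
}

// Plan is the client's access decision: the providers to attach to and, for a
// single-transceiver client, the fraction of time spent on each.
type Plan struct {
	Providers []string
	TimeShare map[string]float64
}

var ErrNoCapacity = errors.New("no combination of nearby providers meets the bandwidth requirement")

// better ranks candidates by QoS, then price, then spare bandwidth (assumed order).
func better(a, b Provider) bool {
	if a.QoS != b.QoS {
		return a.QoS > b.QoS
	}
	if a.PricePerMB != b.PricePerMB {
		return a.PricePerMB < b.PricePerMB
	}
	return a.AvailBps > b.AvailBps
}

// ranked returns the serving providers other than exclude, best first.
func ranked(list []Provider, exclude string) []Provider {
	var out []Provider
	for _, p := range list {
		if p.Serving && p.AvailBps > 0 && p.ID != exclude {
			out = append(out, p)
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return better(out[i], out[j]) })
	return out
}

// SelectHandoff picks the best provider on the active list that can carry
// requiredBps on its own, skipping the current provider. ok is false when none
// can, the case where the description says the client must reconnect some other way.
func SelectHandoff(list []Provider, requiredBps int, current string) (Provider, bool) {
	for _, p := range ranked(list, current) {
		if p.AvailBps >= requiredBps {
			return p, true
		}
	}
	return Provider{}, false
}

// PlanAccess covers the case where no single provider suffices: it draws bandwidth
// from the best providers in turn until requiredBps is met. With enough transceivers
// each provider is used full-time; with fewer, the single radio's time is shared in
// proportion to the bandwidth drawn from each provider (assumption).
func PlanAccess(list []Provider, requiredBps, transceivers int) (Plan, error) {
	plan := Plan{TimeShare: map[string]float64{}}
	draw := map[string]int{}
	remaining := requiredBps
	for _, p := range ranked(list, "") {
		if remaining <= 0 {
			break
		}
		take := p.AvailBps
		if take > remaining {
			take = remaining
		}
		plan.Providers = append(plan.Providers, p.ID)
		draw[p.ID] = take
		remaining -= take
	}
	if remaining > 0 {
		return Plan{}, ErrNoCapacity
	}
	for _, id := range plan.Providers {
		if transceivers >= len(plan.Providers) {
			plan.TimeShare[id] = 1.0
		} else {
			plan.TimeShare[id] = float64(draw[id]) / float64(requiredBps)
		}
	}
	return plan, nil
}

func main() {
	list := []Provider{ // constructed active list
		{ID: "A", AvailBps: 2000, QoS: 0.9, PricePerMB: 0.05, Serving: true},
		{ID: "B", AvailBps: 3000, QoS: 0.7, PricePerMB: 0.02, Serving: true},
	}
	p, ok := SelectHandoff(list, 1500, "A")
	fmt.Println(p.ID, ok)
}
```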
Those of ordinary skill in the art will appreciate that the various illustrative blocks, modules, elements, components, methods, and algorithms described herein may be implemented as electronic hardware, computer software, or combinations of both. To illustrate this interchangeability of hardware and software, various illustrative blocks, modules, elements, components, methods, and algorithms have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application.
It is to be understood that the specific order or hierarchy of steps in the processes disclosed is merely an example of exemplary approaches. It should be understood that the specific order or hierarchy of steps in the processes may be rearranged based on design preferences. The accompanying method claims present elements of the various steps in a sample order, and are not meant to be limited to the specific order or hierarchy presented.
The previous description is provided to enable any person skilled in the art to practice the various aspects described herein. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects. Thus, the claims are not intended to be limited to the versions shown herein, but are to be accorded the full scope consistent with the language of the claims, wherein reference to an element in the singular is not intended to mean "one and only one" but rather "one or more" unless specifically so stated. The term "some" means one or more unless otherwise specified. Pronouns in the masculine (e.g., his) include the feminine and neuter (e.g., her or it) and vice versa. All structural and functional equivalents to the elements of the various aspects described throughout this disclosure that are known or later come to be known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the claims. Moreover, nothing disclosed herein is intended to be dedicated to the public regardless of whether such disclosure is explicitly recited in the claims. No claim element is to be construed under the provisions of 35 U.S.C. § 112, sixth paragraph, unless the element is expressly recited using the phrase "means for", or, in the case of a method claim, the element is recited using the phrase "step for".

Claims (76)

1. A server, comprising:
a processing system configured to maintain an encrypted control session with an ad hoc service provider and a mobile client while allowing the mobile client to support an encrypted data tunnel via the ad hoc service provider.
2. The server of claim 1, wherein the processing system is further configured to: allowing the mobile client to support the encrypted data tunnel to the server via the ad hoc service provider.
3. The server of claim 1, wherein the processing system is further configured to: using a first session key for the encrypted control session with the ad hoc service provider and a second session key for the encrypted control session with the mobile client, wherein the first session key is different from the second session key.
4. The server of claim 3, wherein the processing system is further configured to: receiving the first session key encrypted with the server's public key from the ad hoc service provider and receiving the second session key encrypted with the server's public key from the mobile client.
5. The server of claim 1, wherein the processing system is further configured to: authenticating the ad hoc service provider to establish the encrypted control session with the ad hoc service provider.
6. The server of claim 1, wherein the processing system is further configured to: authenticating the mobile client to establish the encrypted control session with the mobile client.
7. The server of claim 6, wherein the processing system is further configured to: authenticating the mobile client via the ad hoc service provider.
8. The server of claim 7, wherein the processing system is further configured to: notifying the ad hoc service provider and the mobile client that the mobile client has been authenticated.
9. The server of claim 1, wherein the processing system is further configured to: facilitating establishment of an encrypted control session between the ad hoc service provider and the mobile client.
10. The server of claim 9, wherein the processing system is further configured to: facilitating establishment of the encrypted control session between the ad hoc service provider and the mobile client by receiving a session key from one of the ad hoc service provider and the mobile client and providing the session key to the other of the ad hoc service provider and the mobile client.
11. The server of claim 9, wherein the processing system is further configured to: facilitating establishment of the encrypted control session between the ad hoc service provider and the mobile client by generating a session key and providing the session key to the ad hoc service provider and the mobile client.
12. The server of claim 1, wherein the processing system is further configured to: facilitating establishment of an encrypted wireless link between the ad hoc service provider and the mobile client.
13. The server of claim 12, wherein the processing system is further configured to: facilitating establishment of the encrypted wireless link between the ad hoc service provider and the mobile client by generating a wireless link encryption key and providing the wireless link encryption key to the ad hoc service provider and the mobile client.
14. The server of claim 1, wherein the processing system is further configured to: supporting handoff of the mobile client from the ad hoc service provider to another ad hoc service provider.
15. The server of claim 14, wherein the processing system is further configured to: supporting the handoff by establishing an encrypted control session with the other ad hoc service provider.
16. The server of claim 14, wherein the processing system is further configured to: authenticating the mobile client with the other ad hoc service provider.
17. The server of claim 16, wherein the processing system is further configured to: notifying the mobile client that the mobile client has been authenticated with the other ad hoc service provider.
18. The server of claim 14, wherein the processing system is further configured to: supporting the handoff by facilitating establishment of an encrypted control session between the other ad hoc service provider and the mobile client.
19. The server of claim 18, wherein the processing system is further configured to: facilitating establishment of the encrypted control session between the other ad hoc service provider and the mobile client by generating a session key and providing the session key to the other ad hoc service provider and the mobile client.
20. A server, comprising:
means for allowing the mobile client to support an encrypted data tunnel via the ad hoc service provider; and
means for maintaining an encrypted control session with the ad hoc service provider and the mobile client while allowing the mobile client to support the encrypted data tunnel via the ad hoc service provider.
21. The server of claim 20, wherein the means for allowing the mobile client to support encrypted data tunneling is configured to: allowing the mobile client to support the encrypted data tunnel to the server via the ad hoc service provider.
22. The server of claim 20, wherein the means for maintaining a cryptographic control session with an ad hoc service provider and a mobile client comprises: means for using a first session key for the encrypted control session with the ad hoc service provider and means for using a second session key for the encrypted control session with the mobile client, wherein the first session key is different from the second session key.
23. The server of claim 22, further comprising: means for receiving the first session key encrypted with the server's public key from the ad hoc service provider, and means for receiving the second session key encrypted with the server's public key from the mobile client.
24. The server of claim 20, further comprising: means for authenticating the ad hoc service provider to establish the encrypted control session with the ad hoc service provider.
25. The server of claim 20, further comprising: means for authenticating the mobile client to establish the encrypted control session with the mobile client.
26. The server of claim 25, wherein the means for authenticating the mobile client is configured to: authenticating the mobile client via the ad hoc service provider.
27. The server of claim 26, further comprising: means for notifying the ad hoc service provider and the mobile client that the mobile client has been authenticated.
28. The server of claim 20, further comprising: means for facilitating establishment of a cryptographic control session between the ad hoc service provider and the mobile client.
29. The server of claim 28, wherein the means for facilitating establishment of a cryptographic control session between the ad hoc service provider and the mobile client comprises: means for receiving a session key from one of the ad hoc service provider and the mobile client and means for providing the session key to the other of the ad hoc service provider and the mobile client.
30. The server of claim 28, wherein the means for facilitating establishment of a cryptographic control session between the ad hoc service provider and the mobile client comprises: means for generating a session key and means for providing the session key to the ad hoc service provider and the mobile client.
31. The server of claim 20, further comprising: means for facilitating establishment of an encrypted wireless link between the ad hoc service provider and the mobile client.
32. The server of claim 31, wherein the means for facilitating establishment of an encrypted wireless link between the ad hoc service provider and the mobile client comprises: means for generating a wireless link encryption key and means for providing the wireless link encryption key to the ad hoc service provider and the mobile client.
33. The server of claim 20, further comprising: means for supporting handoff of the mobile client from the ad hoc service provider to another ad hoc service provider.
34. The server of claim 33, wherein the means for supporting handover is configured to: supporting the handoff by establishing an encrypted control session with the other ad hoc service provider.
35. The server of claim 33, further comprising: means for authenticating the mobile client with the other ad hoc service provider.
36. The server of claim 35, further comprising: means for notifying the mobile client that the mobile client has been authenticated with the other ad hoc service provider.
37. The server of claim 33, wherein the means for supporting handover is configured to: supporting the handoff by facilitating establishment of an encrypted control session between the other ad hoc service provider and the mobile client.
38. The server of claim 37, wherein the means for supporting handover is further configured to: facilitating establishment of the encrypted control session between the other ad hoc service provider and the mobile client by generating a session key and providing the session key to the other ad hoc service provider and the mobile client.
39. A method for providing security protection from a server to a network, comprising:
allowing the mobile client to support an encrypted data tunnel via the ad hoc service provider; and
Maintaining an encrypted control session with an ad hoc service provider and a mobile client while allowing the mobile client to support the encrypted data tunnel via the ad hoc service provider.
40. The method of claim 39, wherein the mobile client is allowed to support the encrypted data tunnel to the server via the ad hoc service provider.
41. The method of claim 39, wherein the encrypted control sessions with the ad hoc service provider and the mobile client are maintained by using a first session key for the encrypted control session with the ad hoc service provider and a second session key for the encrypted control session with the mobile client, wherein the first session key is different from the second session key.
42. The method of claim 41, further comprising: receiving the first session key encrypted with the server's public key from the ad hoc service provider and receiving the second session key encrypted with the server's public key from the mobile client.
43. The method of claim 39, further comprising: authenticating the ad hoc service provider to establish the encrypted control session with the ad hoc service provider.
44. The method of claim 39, further comprising: authenticating the mobile client to establish the encrypted control session with the mobile client.
45. The method of claim 44, wherein the mobile client is authenticated via the ad hoc service provider.
46. The method of claim 45, further comprising: notifying the ad hoc service provider and the mobile client that the mobile client has been authenticated.
47. The method of claim 39, further comprising: facilitating establishment of an encrypted control session between the ad hoc service provider and the mobile client.
48. The method of claim 47 wherein establishing the encrypted control session between the ad hoc service provider and the mobile client is facilitated by receiving a session key from one of the ad hoc service provider and the mobile client and providing the session key to the other of the ad hoc service provider and the mobile client.
49. The method of claim 47 wherein establishing the cryptographic control session between the ad hoc service provider and the mobile client is facilitated by generating a session key and providing the session key to the ad hoc service provider and the mobile client.
50. The method of claim 39, further comprising: facilitating establishment of an encrypted wireless link between the ad hoc service provider and the mobile client.
51. The method of claim 50, wherein establishing the encrypted wireless link between the ad hoc service provider and the mobile client is facilitated by generating a wireless link encryption key and providing the wireless link encryption key to the ad hoc service provider and the mobile client.
52. The method of claim 39, further comprising: supporting handoff of the mobile client from the ad hoc service provider to another ad hoc service provider.
53. The method of claim 52, wherein the handoff is supported by establishing a cryptographic control session with the other ad hoc service provider.
54. The method of claim 52, further comprising: authenticating the mobile client with the other ad hoc service provider.
55. The method of claim 54, further comprising: notifying the mobile client that the mobile client has been authenticated with the other ad hoc service provider.
56. The method of claim 52, wherein the handoff is supported by facilitating establishment of a cryptographic control session between the other ad hoc service provider and the mobile client.
57. The method of claim 56, wherein the handoff is supported by facilitating establishment of the encrypted control session between the other ad hoc service provider and the mobile client by generating a session key and providing the session key to the other ad hoc service provider and the mobile client.
58. A machine-readable medium comprising instructions executable by a processing system in a server, the instructions comprising:
code for allowing the mobile client to support an encrypted data tunnel via the ad hoc service provider; and
code for maintaining an encrypted control session with an ad hoc service provider and a mobile client while allowing the mobile client to support the encrypted data tunnel via the ad hoc service provider.
59. The machine-readable medium of claim 58, wherein the code for allowing the mobile client to support encrypted data tunneling is configured to: allowing the mobile client to support the encrypted data tunnel to the server via the ad hoc service provider.
60. The machine-readable medium of claim 58, wherein the code for maintaining a cryptographic control session with an ad hoc service provider and a mobile client comprises: code for using a first session key for the encrypted control session with the ad hoc service provider, and code for using a second session key for the encrypted control session with the mobile client, wherein the first session key is different from the second session key.
61. The machine-readable medium of claim 60, wherein the instructions further comprise: code for receiving, from the ad hoc service provider, the first session key encrypted with the server's public key, and code for receiving, from the mobile client, the second session key encrypted with the server's public key.
62. The machine-readable medium of claim 20, wherein the instructions further comprise: code for authenticating the ad hoc service provider to establish the encrypted control session with the ad hoc service provider.
63. The machine-readable medium of claim 58, wherein the instructions further comprise: code for authenticating the mobile client to establish the encrypted control session with the mobile client.
64. The machine-readable medium of claim 63, wherein the code for authenticating the mobile client is configured to: authenticating the mobile client via the ad hoc service provider.
65. The machine-readable medium of claim 64, wherein the instructions further comprise: code for notifying the ad hoc service provider and the mobile client that the mobile client has been authenticated.
66. The machine-readable medium of claim 58, wherein the instructions further comprise: code for facilitating establishment of an encrypted control session between the ad hoc service provider and the mobile client.
67. The machine-readable medium of claim 66, wherein the code for facilitating establishment of a cryptographic control session between the ad hoc service provider and the mobile client comprises: code for receiving a session key from one of the ad hoc service provider and the mobile client, and code for providing the session key to the other of the ad hoc service provider and the mobile client.
68. The machine-readable medium of claim 66, wherein the code for facilitating establishment of a cryptographic control session between the ad hoc service provider and the mobile client comprises: code for generating a session key, and code for providing the session key to the ad hoc service provider and the mobile client.
69. The machine-readable medium of claim 58, wherein the instructions further comprise: code for facilitating establishment of an encrypted wireless link between the ad hoc service provider and the mobile client.
70. The machine-readable medium of claim 69, wherein the code for facilitating establishing an encrypted wireless link between the ad hoc service provider and the mobile client comprises: code for generating a wireless link encryption key, and code for providing the wireless link encryption key to the ad hoc service provider and the mobile client.
71. The machine-readable medium of claim 58, wherein the instructions further comprise: code for supporting handoff of the mobile client from the ad hoc service provider to another ad hoc service provider.
72. The machine-readable medium of claim 71, wherein the code for supporting handover is configured to: supporting the handoff by establishing an encrypted control session with the other ad hoc service provider.
73. The machine-readable medium of claim 71, wherein the instructions further comprise: code for authenticating the mobile client with the other ad hoc service provider.
74. The machine-readable medium of claim 73, wherein the instructions further comprise: code for notifying the mobile client that the mobile client has been authenticated with the other ad hoc service provider.
75. The machine-readable medium of claim 71, wherein the code for supporting handoff is configured to support the handoff by facilitating establishment of an encrypted control session between the other ad hoc service provider and the mobile client.
76. The machine-readable medium of claim 75, wherein the code for supporting handoff is further configured to facilitate establishment of the encrypted control session between the other ad hoc service provider and the mobile client by generating a session key and providing the session key to the other ad hoc service provider and the mobile client.
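The server-mediated key distribution that claims 65 to 76 describe, modelled end to end as an added example; this is not code from the patent or from Qualcomm. Because the claims do not say how the server's channels to the two parties are protected, the example assumes that each ad hoc service provider and each mobile client holds a pre-provisioned long-term key shared with the server, and it stands in for AES-GCM or AES key wrap with an HMAC-SHA256 based encrypt-then-MAC construction so that it runs on the Python standard library alone. The names Party, Server, wrap, unwrap, establish, relay and handoff, and the message format, are the example's own.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _stream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter mode over HMAC-SHA256 as the PRF: block i = PRF(enc_key, nonce || i).
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))[:n]

def wrap(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC wrap: nonce || ct || tag; aad is bound into the tag (stand-in for AES-KW/GCM)."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")  # domain-separated subkeys
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, aad + nonce + ct)

def unwrap(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, aad + nonce + ct)):  # verify before decrypting
        raise ValueError("key blob failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _stream(enc_key, nonce, len(ct))))

def _aad(purpose: str, recipient: str, peer: str) -> bytes:
    # Context a wrapped key is tied to: replaying it to another recipient, peer or purpose fails.
    return f"{purpose}|{recipient}|{peer}".encode()

class Party:
    """Ad hoc service provider or mobile client; shares a long-term key with the server (assumption)."""
    def __init__(self, name: str, long_term_key: bytes):
        self.name, self.ltk = name, long_term_key
        self.keys: dict[tuple[str, str], bytes] = {}  # (purpose, peer) -> key learned from the server
        self.authenticated_peers: set[str] = set()

    def receive(self, msg: dict) -> None:
        if msg["type"] == "auth_ok":  # claims 65 and 74: server says the peer is authenticated
            self.authenticated_peers.add(msg["peer"])
        elif msg["type"] == "key":  # claims 68, 70 and 76: server-provided key
            aad = _aad(msg["purpose"], self.name, msg["peer"])
            self.keys[(msg["purpose"], msg["peer"])] = unwrap(self.ltk, msg["blob"], aad)

    def offer_session_key(self, purpose: str, peer: str) -> tuple[bytes, bytes]:
        """Claim 67 variant: this party chooses the key and wraps it for the server to relay."""
        key = secrets.token_bytes(32)
        self.keys[(purpose, peer)] = key
        return key, wrap(self.ltk, key, _aad(purpose, "server", peer))

class Server:
    def __init__(self, parties) -> None:
        self.ltks = {p.name: p.ltk for p in parties}  # pre-provisioned long-term keys (assumption)
        self.authenticated: set[str] = set()

    def authenticate(self, client: str, provider: str, challenge: bytes, response: bytes) -> list[dict]:
        """Claim 65: check the client's HMAC over a server challenge, then notify both sides."""
        if not hmac.compare_digest(response, _prf(self.ltks[client], challenge)):
            raise PermissionError(f"{client} failed authentication")
        self.authenticated.add(client)
        return [{"to": provider, "type": "auth_ok", "peer": client},
                {"to": client, "type": "auth_ok", "peer": provider}]

    def _key_msg(self, purpose: str, recipient: str, peer: str, key: bytes) -> dict:
        blob = wrap(self.ltks[recipient], key, _aad(purpose, recipient, peer))
        return {"to": recipient, "type": "key", "purpose": purpose, "peer": peer, "blob": blob}

    def establish(self, purpose: str, provider: str, client: str) -> list[dict]:
        """Claims 68 and 70: server-generated key for both parties; purpose is 'control' or 'link'."""
        if client not in self.authenticated:
            raise PermissionError("client must authenticate before any key is issued")
        key = secrets.token_bytes(32)
        return [self._key_msg(purpose, provider, client, key), self._key_msg(purpose, client, provider, key)]

    def relay(self, purpose: str, sender: str, receiver: str, blob: bytes) -> list[dict]:
        """Claim 67: a key received from one party is unwrapped and re-wrapped for the other."""
        key = unwrap(self.ltks[sender], blob, _aad(purpose, "server", receiver))
        return [self._key_msg(purpose, receiver, sender, key)]

    def handoff(self, client: str, new_provider: str) -> list[dict]:
        """Claims 71-76: vouch for the client to the new provider and issue a fresh control-session key."""
        notices = [{"to": new_provider, "type": "auth_ok", "peer": client},
                   {"to": client, "type": "auth_ok", "peer": new_provider}]
        return notices + self.establish("control", new_provider, client)  # old provider never sees it

def deliver(parties: dict[str, Party], msgs: list[dict]) -> None:
    for m in msgs:
        parties[m["to"]].receive(m)

def run_scenario() -> dict[str, Party]:
    """Constructed walk-through: authenticate to provider A, key control session and link, hand off to B."""
    parties = {n: Party(n, secrets.token_bytes(32)) for n in ("provA", "provB", "client")}
    server = Server(parties.values())
    challenge = secrets.token_bytes(16)
    response = _prf(parties["client"].ltk, challenge)  # the client proves possession of its long-term key
    deliver(parties, server.authenticate("client", "provA", challenge, response))
    deliver(parties, server.establish("control", "provA", "client"))
    deliver(parties, server.establish("link", "provA", "client"))
    deliver(parties, server.handoff("client", "provB"))
    return parties
```

The detail the claims leave open, and the one a reviewer would check first, is how a distributed key is tied to its context: here the purpose, recipient and peer names are authenticated data on every wrapped key, so a control-session blob cannot be replayed as a link key and a key wrapped for provider A cannot be presented to provider B after the handoff. Under claims 67 and 68 the server sees every session key it relays or generates, which makes it a full trust anchor for the ad hoc network; a compromise of the server exposes all sessions, and that is the trade-off against not running a key agreement over the ad hoc link itself.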
HK10112246.5A 2007-08-17 2008-08-15 Security for a heterogeneous ad hoc mobile broadband network HK1145754A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US60/956,658 2007-08-17
US12/189,008 2008-08-08

Publications (1)

Publication Number Publication Date
HK1145754A true HK1145754A (en) 2011-04-29


Similar Documents

Publication Publication Date Title
CN101785358B (en) Heterogeneous wireless ad hoc network
KR101163001B1 (en) Ad hoc service provider's ability to provide service for a wireless network
US20090047964A1 (en) Handoff in ad-hoc mobile broadband networks
CN101779479A (en) Method for a heterogeneous wireless ad hoc mobile internet access service
EP2031919B1 (en) Ad hoc service provider's ability to provide service for a wireless network
HK1145754A (en) Security for a heterogeneous ad hoc mobile broadband network
HK1146442A (en) Heterogeneous wireless ad hoc network
HK1145764A (en) Ad hoc service provider's ability to provide service for a wireless network
HK1145758A (en) Handoff at an ad-hoc mobile service provider
HK1145762A (en) Method for a heterogeneous wireless ad hoc mobile internet access service
HK1145765A (en) Ad hoc service provider configuration for broadcasting service information
HK1146444A (en) Handoff in ad-hoc mobile broadband networks
HK1146443A (en) Service set manager for ad hoc mobile service provider
HK1146432A (en) Method for a heterogeneous wireless ad hoc mobile service provider