The present disclosure relates generally to authentication of services advertised by a network.
A Mobile Service Advertisement Protocol, such as a Concierge Service, creates some very interesting opportunities, allowing the next generation of devices, such as smart phones, to automatically present services provided by a Wireless Local Area Network (WLAN) without the need for a user to perform complex configuration of the device. For example, a WLAN employing a mobile Concierge Service can advertise network services along with a provider of the services. A mobile device receiving an advertisement may output (for example display and/or provide an audiovisual signal, etc.) the advertised service on the mobile device allowing a user associated with the mobile device to access the advertised service. It also creates, however, a potential for abuse, for example spoofed applications may be masquerading as legitimate applications, spoofed applications may be employed for luring potential victims and/or a potential vulnerability to spam attacks.
The accompanying drawings incorporated herein and forming a part of the specification illustrate the examples embodiments.
The following presents a simplified overview of the example embodiments in order to provide a basic understanding of some aspects of the example embodiments. This overview is not an extensive overview of the example embodiments. It is intended to neither identify key or critical elements of the example embodiments nor delineate the scope of the appended claims. Its sole purpose is to present some concepts of the example embodiments in a simplified form as a prelude to the more detailed description that is presented later.
In accordance with an example embodiment, there is disclosed herein an apparatus comprising a transceiver configured to send and receive data, and logic coupled to the transceiver. The logic is configured to determine from a signal received by the transceiver whether an associated device sending the signal supports a protocol for advertising available services available from the associated device. The logic is configured to send a request for available services from the associated device via the transceiver responsive to determining the associated device supports the protocol. The logic is configured to receive a response to the request via the transceiver, the response comprising a signature. The logic is configured to validate the response by confirming the signature comprises network data cryptographically bound with service data.
In accordance with an example embodiment, there is disclosed herein an apparatus comprising an interface configured to send and receive data and logic coupled to the interface. The logic is configured to receive a get advertising services request from the interface. The logic is configured to generate a response to the get advertising request, the response comprising a signature that comprises network data cryptographically bound with service data. The logic is configured to send the response to the get advertising request via the interface.
In accordance with an example embodiment, there is disclosed herein a method comprising receiving a signal, such as a beacon or probe response, from an access network provider. The method further comprises determining from the signal whether the access network provider supports a protocol for advertising available services. A list of available services is requested from the access network provider. A response to the request is received, the response comprises a signature. The response is validated, wherein validating the response comprises confirming the signature comprises network data cryptographically bound with service data.
This description provides examples not intended to limit the scope of the appended claims. The figures generally indicate the features of the examples, where it is understood and appreciated that like reference numerals are used to refer to like elements. Reference in the specification to “one embodiment” or “an embodiment” or “an example embodiment” means that a particular feature, structure, or characteristic described is included in at least one embodiment described herein and does not imply that the feature, structure, or characteristic is present in all embodiments described herein.
In an example embodiment, pre-association service advertisements are delivered to a non-access point (AP) wireless station (STA) when the wireless station is within range of an AP. Each service is described by a service descriptor that defines a type of service, a network entry point (for example a Service Set Identifier or “SSID”), a queue for the end user (for example an icon), a uniform resource locator (URL) for acquiring the service, etc. In an example embodiment, the layer 2 identifier (SSID) is bound to a layer 7 element (for example the URL) to authenticate the source of the advertisement. As used herein, a layer comports the Open Systems Interconnection (OSI) model. For example, layer 1 is the physical layer, layer 2 is the data link layer which manages the interaction of devices with a shared medium (the Media Access Control (MAC) layer is a sub-layer of layer 2), layer 3 is the network layer (the best known example of a layer 3 protocol is the Internet Protocol “IP”), and layer 7 is the application layer.
In particular embodiments, when a non-AP STA makes a request for a list of services, the STA includes a nonce to identify this particular request. A node in the infrastructure network creates a response comprising a list of services, includes the nonce from the non-AP STA (for replay protection) and signs the response with a private key.
Any suitable trusted signing entity may be used in the example embodiments described herein. For example the trusted signing entity may be rooted in a public certificate authority (CA) such as Verisign, Thawte, etc. As another example, the trusted signing entity may be rooted in a private certificate authority such as Cisco (the assignee of the present application), IBM, etc. As yet another example, the trusted signing entity may be the network access provider such as T-Mobile, AT&T, Boingo, etc. Still another example, the trusted signing entity may be the application service provider (for example Target, Westfield, Best Buy, Frys, etc.).
The validation of service descriptors allows STAs and APs to validate all broadcasted services and optionally report spoofed services prior to a STA joining a network. With a secure concierge capability in place, APs and STAs can report on spoofed services they detect in their environments. Icons (services) which cannot be validated are not presented to the end user and can optionally be silently flagged to the network.
In an example embodiment, AP 104 sends signals, such as beacons and responses to probes, advertising that it supports an advertisement (such as IEEE 802.11u Get Advertising Services “GAS”, MSAP or similar type of) protocol for advertising available services from network 102 accessible through AP 104. Mobile device 108 receives the beacons (or probe response) and can determine that AP 104 (also referred to herein as an Access Network Provider or “ANP”) supports an advertisement protocol. In response, mobile device 108 can send a request for services (for example a “GAS” request) to AP 104. AP 104 forwards the request to MSAP server 106.
MSAP server 106 generates a response to the request. The response includes network data and service data. MSAP server 106 also generates a signature that cryptographically binds the network data and service data, and the signature is included with the response. For example, MSAP may construct an authenticated response including a nonce, service data, network data and a Message Integrity Check (MIC) defined as RSA (MSAP-Server-private-key, SHA-256 (Nonce|Service Data|Network Data)), where RSA is Rivest, Shamir, & Adleman algorithm and SHA-256 is a Secure Hashing Algorithm, 256 bits. The response is sent to AP 104. The response is forwarded from AP 104 to mobile device 108.
Mobile device 108, upon receiving the response validates the response. In an example embodiment, mobile device 108 is configured to validate the response by confirming the signature comprises network data cryptographically bound with service data. In accordance with an aspect of an example embodiment, if the response is validated as authentic, then mobile device 108 will allow communications with AP 104. For example, in a MSAP application, if the response is valid, mobile device 108 will allow an advertisement sent by AP 104 to be processed. For example, an icon may be displayed on a user interface or an audio signal may be output.
In particular embodiments, mobile device 108 can decide whether to associate can choose a Service Set Identifier (SSID) on AP 104 (as there may be more than one service provided by the AP) that maps to the service the mobile device 108 is seeking. Validation of the signature (there may also a signature in the service-data included by the service provider that validates the service) helps provide further proof of the service validation and mitigation of phishing attack. The combination of both signatures can provide “full confirmation” against phishing attack. For example, the first signature provided by the service provider is the primary proof, and the second signature provided by the ANP (e.g. AP 104 in this example) serves to prove that the ANP is authorized to provide the service and has bound its response to the request by including the authenticated nonce provided by the requester.
If, however, the response sent by AP 104 is not valid, mobile device will discontinue communicating with AP 104. For example, mobile device 108 will suppress displaying an icon to the user interface. This protects against phishing attacks and against spam.
In an example embodiment, the request for available services sent by mobile node 108 to AP 104 comprises a nonce. MSAP server 108 is further configured to include the nonce in the signature. In validating the response, mobile node 108 verifies the signature includes the nonce.
In an example embodiment, the network data comprises a basic service set identifier (BSSID). In another example embodiment, the network data comprises a service set identifier (SSID) corresponding to an advertised service. In still another example embodiment, the network data comprises a plurality of service set identifiers (SSIDs) corresponding to a plurality of advertised services. In yet another example embodiment, the network data comprises a domain name. In still yet another example embodiment, the network data comprises a network access identifier (NAI). In yet still another example embodiment, the network data comprises a homogeneous extended service set identifier HESSID). In still yet another example embodiment the network data comprises 802.11 association capabilities such as Extensible Authentication Protocol (EAP) method and/or credential types. Other example embodiments include combinations of the aforementioned data.
In an example embodiment, the service data comprises an icon image and/or a reference for acquiring an icon image. In another example embodiment, the service data comprises a service provider identity. In still another example embodiment, the service data comprises a service Uniform Resource Locator (URL). In yet another example embodiment, the service data comprises a public key. In an example embodiment, the service data comprises a certificate signed by a certificate authority. In another example embodiment, the service data comprises a certificate signed by a registration authority. Other example embodiments include combinations of the aforementioned data.
In an example embodiment, where the service data comprises a certificate signed by a certificate authority, mobile device 108 is further configured to validate the certificate. In another example embodiment where the service data comprises a certificate signed by a registration authority, mobile device 108 is further configured to validate the certificate.
Signal 306 sent by AP 104 forwards request 304 to MSAP server 106. In this example, signal 306 is a Get MSAP Services request, with a nonce sent by mobile device 108.
MSAP server 106 generates a response to the request to obtain available services from mobile device 108 and forwarded by AP 104. In this example, the response comprises a Basic Service Set Identifier (BSSID), the nonce sent by mobile device 108 in the original request, a SSID list corresponding to available services, additional network data and service data (for example a Binary Large Object “BLOB”-list), and a signature. The signature binds the network data and service data. For example, the signature may bind the BSSID, SSID list, nonce, and additional network data and service data. For example the signature may be generate by RSA (MSAP-Server_Private-Key, (SHA-256 (Nonce|Service data|network data)). The response (in this example MSAP Services Response that includes the BSSID, nonce, SSID-list, Service-BLOB-list, and signature) is forwarded to AP 104 as illustrated by signal 308. AP then forwards the response from MSAP server 106 response (in this as a GAS response) to mobile device 108 as illustrated by signal 310.
Mobile device 308 validates signal 310. If signal 310 is authentic, then mobile device may continue communicating with AP 104. For example, mobile device 108 may Associate with AP 104 as illustrated by signal 312 with the SSID indicated in the MSAP Services Response. As another example, mobile device may provide an output on a user interface (not shown) and if an input is received indicating a service has been selected, then mobile device 108 may associate with AP 104 using a SSID corresponding to the selected service. If, however, signal 308 cannot be validated, then mobile device 108 may discontinue communicating with AP 104.
In an example embodiment, logic 604 is configured to receive configuration and/or update data from a service provider via interface 602. The configuration and/or update data can be received out of band at any time.
In an example embodiment, logic 604 is further configured to respond to requests for advertising services. For example a Get MSAP services request as described in
Computer system 700 includes a bus 702 or other communication mechanism for communicating information and a processor 704 coupled with bus 702 for processing information. Computer system 700 also includes a main memory 706, such as random access memory (RAM) or other dynamic storage device coupled to bus 702 for storing information and instructions to be executed by processor 704. Main memory 706 also may be used for storing temporary variable or other intermediate information during execution of instructions to be executed by processor 704. Computer system 700 further includes a read only memory (ROM) 708 or other static storage device coupled to bus 702 for storing static information and instructions for processor 704. A storage device 710, such as a magnetic disk or optical disk, is provided and coupled to bus 702 for storing information and instructions.
In an example embodiment, for example when computer system 700 is being employed to implement mobile device 108, computer system 700 may be coupled via bus 702 to a display 712 such as a cathode ray tube (CRT) or liquid crystal display (LCD), for displaying information to a computer user. An input device 714, such as a keyboard including alphanumeric and other keys is coupled to bus 702 for communicating information and command selections to processor 704. Another type of user input device is cursor control 716, such as a mouse, a trackball, touch screen, or cursor direction keys for communicating direction information and command selections to processor 704 and for controlling cursor movement on display 712. This input device typically has two degrees of freedom in two axes, a first axis (e.g. x) and a second axis (e.g. y) that allows the device to specify positions in a plane.
An aspect of the example embodiment is related to the use of computer system 700 for authenticating mobile device advertisements. According to an example embodiment, authenticating mobile device advertisements is provided by computer system 700 in response to processor 704 executing one or more sequences of one or more instructions contained in main memory 706. Such instructions may be read into main memory 706 from another computer-readable medium, such as storage device 710. Execution of the sequence of instructions contained in main memory 706 causes processor 704 to perform the process steps described herein. One or more processors in a multi-processing arrangement may also be employed to execute the sequences of instructions contained in main memory 706. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement an example embodiment. Thus, embodiments described herein are not limited to any specific combination of hardware circuitry and software.
The term “computer-readable medium” as used herein refers to any medium that participates in providing instructions to processor 704 for execution. Such a medium may take many forms, including but not limited to non-volatile media, and volatile media. Non-volatile media include for example optical or magnetic disks, such as storage device 710. Volatile media include dynamic memory such as main memory 706. Common forms of computer-readable media include for example floppy disk, a flexible disk, hard disk, magnetic cards, paper tape, any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASHPROM, CD, DVD or any other memory chip or cartridge, or any other medium from which a computer can read.
Various forms of computer-readable media may be involved in carrying one or more sequences of one or more instructions to processor 704 for execution. For example, the instructions may initially be borne on a magnetic disk of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 700 can receive the data on the telephone line and use an infrared transmitter to convert the data to an infrared signal. An infrared detector coupled to bus 702 can receive the data carried in the infrared signal and place the data on bus 702. Bus 702 carries the data to main memory 706 from which processor 704 retrieves and executes the instructions. The instructions received by main memory 706 may optionally be stored on storage device 710 either before or after execution by processor 704.
Computer system 700 also includes a communication interface 718 coupled to bus 702. Communication interface 718 provides a two-way data communication coupling computer system 700 to a network link 720 that is connected to a local network 720. This allows computer system 700 to communicate with other devices.
For example, communication interface 718 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. As another example, communication interface 718 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. Wireless links may also be implemented. In any such implementation, communication interface 718 sends and receives electrical, electromagnetic, or optical signals that carry digital data streams representing various types of information.
In view of the foregoing structural and functional features described above, a methodologies in accordance with example embodiments will be better appreciated with reference to
At 802, a signal is received that comprises data indicating that the source of the signal (for example an ANP or AP) has mobile service (such as Concierge) advertising capabilities for advertising available network services. The signal may be a beacon, or a response sent to a probe signal.
At 804, a request for available services is sent to the source of the beacon (for example an ANP or AP). The request may be a Generic Advertising Service request. In particular embodiments, the request includes a nonce.
At 806, a response to the request is received. In an example embodiment, the response includes the BSSID of the ANP, nonce, network data, service data and a signature. The network data and service data may include many different types of data as described herein. For example network data may include a domain name for the service provider and the service data may include a URL, icon, and/or a reference to an icon.
At 808, the device receiving the response validates the signature. In an example embodiment, the signature is validated using a public key for the source of the response (for example a server such as a MSAP server). In an example embodiment, the device receiving the response determines whether the signature comprises network data cryptographically bound to service data. In particular embodiments, the receiving device verifies the signature comprises a nonce that was sent in the request for available service.
If at 808, the response is determined to be invalid, at 810 communications is terminated (aborted). In a Concierge environment, this prevents rogue devices from presenting icons and advertising services on a mobile device. This can also prevent phishing attacks and/or spam.
If at 810, the response is determined to be valid, at 812 communications for determining network selection may continue. For example, in a concierge environment, an icon or other output (such as video, audio, audiovisual, etc.) may be output via a user interface. If an input is received indicating a selection of a particular service, a mobile device may associate with the ANP by using the BSSID and SSID for the selected service.
At 902, the server configures an ANP to advertise available services. For example, an AP may be provided with data to include in beacons sent by the AP for advertising that the network supports an advertising protocol (such as MSAP). In particular embodiments, the ANP may is updated.
AT 904, the server receives a request for available services. For example, the request may be a Generic Advertising Service request. In particular embodiments, the request further comprises a nonce.
At 906, a response to the request is generated. The response generally includes a list of available services. The list may include service set identifiers where a service set identifier is associated with each available service. In addition the response may include the BSSID of the ANP that originally received the request. The request may also include other service data such as an icon (or a reference for getting an icon), service provider identity, service URL, a public key, MSAP server identity, a certificate signed by a CA/RA. Network data may include the BSSID, SSID list of SSID's that can provide the advertised service, network identity such as a domain name, NAI, and/or HESSID, and/or 802.11 association capabilities such as Extensible Authentication Protocol (EAP) method, credential type, etc. In an example embodiment, the server constructs an authenticated response that includes the nonce, service data, network data and a MIC that can be defined as RSA (Server-Private-Key, SHA-#bits (Nonce|service data|network data)).
At 908, the response is forwarded. For example, the response may be forwarded to an AP for forwarding to a mobile device that sent the request.
Described above are example embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies, but one of ordinary skill in the art will recognize that many further combinations and permutations of the example embodiments are possible. Although the above description describes a wireless network, those skilled in the art should readily appreciate that wireless network was described merely for ease of illustration and that the principles described herein are also suitably adaptable to wired networks. Accordingly, this application is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims interpreted in accordance with the breadth to which they are fairly, legally and equitably entitled.