IMPROVING DETERMINISM OF WIRELESS/WI-FI USING CRITICAL NETWORK PARAMETERS
Techniques are described herein for improving wireless determinism by enhancing the Access Point (AP) join and client association processes. The AP join process may be enhanced by considering several factors that improve the determinism of wireless service: reliability, controller availability, network availability, and value-added services. Similarly, the client association process may be enhanced by considering the same factors to select a better AP / Service Set Identifier (SSID).
MEDIA ACCESS CONTROL SECURITY KEY DISTRIBUTION USING BLOCKCHAIN AND PUBLIC KEY CRYPTOGRAPHY
Techniques are described herein for authentication and encryption methods that do not require manual configuration or a centralized server. These techniques use blockchain and public key cryptography to exchange Media Access Control security (MACsec) keys securely between router links, and thereby avoid manual configuration for MACsec. This simplifies existing MACsec key configuration approaches, which use either static security mode with manually configured security keys or dynamic security mode with keys distributed from a centralized Authentication, Authorization, and Accounting (AAA) server over Extensible Authentication Protocol Transport Layer Security (EAP-TLS).
NODE AND SERVICE DISCOVERY IN WIRELESS LOCAL AREA NETWORK CONTROLLER CLUSTER ARCHITECTURES USING HYPERLEDGER
In wireless cluster deployments, node discovery is a challenge, and discovering the services running in such deployments is more challenging still. Existing methods use client-side discovery and server-side discovery, both of which need a centralized Service Registry to maintain all available service instances. Presented herein are techniques that use a private blockchain and HyperLedger to discover nodes and their services in wireless cluster deployments. The techniques of this proposal may decentralize node and service discovery in wireless cluster deployments without compromising authentication and security. In one example, when a node comes up, it authenticates itself with a Blockchain provider in order to be recognized as a legitimate node for the deployment. The node and its associated services are then added to the Ledger. The Ledger can be made available to all nodes in the deployment, which allows members to learn the node and service details and then communicate with the respective nodes for the various services.
SECURE INTERNET OF THINGS ONBOARDING USING PUBLIC KEY CRYPTOGRAPHY AND DIFFIE-HELLMAN INTEGRATED ENCRYPTION SCHEME
Techniques are described for using public key cryptography and blockchain methods to automatically and securely on-board Internet of Things (IOT) devices. This is an improvement over typical approaches in which IOT devices are on-boarded to Wi-Fi® networks with a pre-shared key that is either built in or configured through out-of-band connectivity (e.g., Bluetooth®, Wi-Fi Protected Setup (WPS), etc.).
METHOD TO OPTIMISE DISTRIBUTION OF AUTHENTICATION INFORMATION FOR CLIENT RE-CONNECTIVITY
In many customer deployments, switches and WLCs authenticate clients using 802.1X authentication methods, which use EAP to exchange messages during the authentication process. Here, the AAA servers act as the Authenticator. Typically, AAA servers are deployed remotely and connected to the enterprise over a WAN link; in short, the client authenticates with the AAA server through the Switch/WLC. If the AAA server(s) are down, or the link between the Switch/WLC and the AAA servers is down so that the servers are not reachable, clients will fail to connect and service will be impacted. There are techniques that cache the authentication credentials locally on the Switch/WLC when a client connects for the first time; when the client later connects to the same Switch/WLC, this local cache can be used to authenticate the client even when the AAA server is not available. However, there is no guarantee that the client will connect to the same Switch/WLC next time, and in such cases client connectivity will fail even though an Authentication Cache is available on another Switch. The techniques presented here allow clients to re-connect to any Switch/WLC of a particular deployment even when the link is down or the AAA server(s) are not reachable. With this method, when a client connects for the first time, its authentication credentials are stored on one of the Switches/WLCs selected by hashing the client MAC address. If the client later re-connects to a different Switch/WLC and the AAA servers are not available or reachable, that Switch/WLC computes the same hash of the client MAC address to find the right Switch/WLC, fetches the authentication details from it, and proceeds with client authentication and connectivity.
Method to support iPSK for WPA3 clients as well as reduce Online Dictionary Attacks
WPA3 was developed with backward compatibility in mind: if WPA3 is enabled on a WPA2+PSK SSID (also called mixed mode), then both WPA3 and WPA2-only clients can associate to the same SSID. This works as long as the SSID is configured to use the default PSK. If the SSID is instead configured with iPSK, WPA2-only clients can associate to the SSID using iPSK, but WPA3 clients fail to associate using iPSK, because the current WPA3 SAE negotiation does not consider iPSK (a unique PSK per client). WPA3 was also introduced to combat offline dictionary attacks on WPA2+PSK by using the SAE protocol, wherein an attacker cannot go through a word-list and compute a PMK from the dragonfly handshake to test the MIC of a PTK offline without interacting with the Authenticator. WPA3 nevertheless remains vulnerable to online dictionary attacks. The technique presented herein proposes a method to support iPSK for WPA3 clients as well, which is especially beneficial for mixed-mode deployments (i.e., supporting both WPA2 and WPA3 clients with iPSK). This method also decreases the attack surface of WPA3 by aborting the SAE negotiation as early as possible.
METHOD FOR THE EFFECTIVE UTILISATION OF THE TUNNEL BETWEEN SDWAN ROUTER AND SECURE INTERNET GATEWAY
With the integration of SD-WAN and a third-party SIG, all traffic from the enterprise clients is forwarded to the SIG over the tunnel. The SD-WAN router at the branch office is connected to the SIG over a WAN link, so there are always bandwidth (i.e., throughput capacity) limitations on the traffic routed over the tunnel, and for the same reason service providers enforce throughput capacity limits on a per-tunnel basis. Effective use of the link between the SD-WAN router and the SIG is therefore essential. SD-WAN has also enabled customers to prioritize cloud applications and deliver better application performance to their branch network for an always-connected workplace; in fact, SD-WAN helps make efficient use of bandwidth from branch locations. As the number of clients and services keeps increasing, there is a clear need to further optimize the use of the link between the SD-WAN router at the branch location and the SIG and/or cloud services. The techniques presented herein propose a method for optimizing the traffic flowing between the SD-WAN router and the SIG so as to efficiently utilize the limited tunnel bandwidth, using consolidation, compression, and aggregation methods.
METHOD TO ADDRESS SECURITY VULNERABILITIES WITH RESPECT TO OFFLINE AND ONLINE DICTIONARY ATTACKS ON WPA2-PSK
The techniques presented herein enhance the security of WPA2-PSK methods to combat both Offline and Online Dictionary Attacks by generating independent random keying parameters on both the Supplicant and the Authenticator, which are never exchanged between them, explicitly or in any other form. These parameters are used in conjunction with a Password Key Element that is generated from the PSK using a known transformation. This overcomes the offline dictionary attacks faced by the current WPA2-PSK method. Additionally, a Cookie Loop is used, wherein a Cookie is initially generated by the Authentication Server (AAA Server) and later passed in encrypted form in all transactions (M1-M4) between the Authenticator (WLC) and the Supplicant (Client), as well as in the Access-Request and Access-Accept messages. This overcomes the online dictionary attacks.