摘要 |
Methods and apparatus to authenticate base and subscriber stations and secure sessions for broadband wireless networks, such as IEEE P802.16-based networks. The apparatus employs a trusted platform module (TPM) to generate security keys, including attestation identity keys (AIKs). A subscriber station (SS) generates an AIK key pair for a specific authentication server (AS) operated by a broadband wireless network, and sends the public AIK key to the AS during a one-time service signup process. In response to an access request, the SS sends authentication information including a manifest signed with the SS's private AIK key. The SS may then be authenticated by the AS via use of the SS's public AIK key. The AS may be authenticated by the SS using a similar process, thus supporting mutual authentication via AIK keys. The TPM may also be used to verify a current configuration of a subscriber station platform is an authorized configuration. Integrity measurements are made via the TPM, and corresponding configuration identifiers are sealed to the TPM and sent to the authentication server during the signup process. During a subsequent access request, an attempt is made to unseal a configuration identifier, which can only proceed if a corresponding configuration has not changed.
|