System and method for secure roaming in wireless local area networks

摘要

A wireless data network process and system is provided including a mobile node with a wireless transceiver, a serving GPRS support node (SGPRS) a radio access network and a gateway GPRS including a packet gateway node (PGN) with an internet connection. The PGN acts as a mobile IP home agent (HA) with authentication of a MN handled by the GPRS/UMTS network before the PGN ever sees data traffic to establish a Mobile IP authentication key. An unauthenticated key exchange method such as Diffie-Hellman, the MVQ protocol or its one-pass variant (without certificates), or the Key Exchange Algorithm can be used to establish the shared key. The process may include performing a key exchange between the MN and the PGN via radio waves, the GPRS support node and the connection to establish a shared secret key and to establish an IPsec Security Association (SA) between the MN and the PGN. A hash of the key is performed at the PGN to obtain an authentication value for use in a Mobile IP protocol and using a security parameters index obtained from the SA as the Mobile IP for identifying the MN for authentication purposes. A Mobile IP registration request is sent from the MN to a Home Agent (HA) hosted in the PGN using the authentication value established. The Mobile IP registration request is received at the PGN. The message is authenticated using the authentication value and sending a Mobile IP registration reply to the MN.