Method and system for managing security keys for user and M2M devices in a wireless communication network environment

US 10,158,991 B2
Filed: 04/28/2016
Issued: 12/18/2018
Est. Priority Date: 03/17/2016
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

an identity module having;

a wireless network authentication algorithm input memory portion for storing network authentication inputs used to authenticate a wireless device that uses the identity module for communication over a wireless communication network;

an application authentication algorithm input memory portion for storing application authentication inputs used to authenticate one or more applications executed by the wireless device to a remote application server;

an authentication algorithm processing engine; and

wherein the authentication algorithm processing engine of the identity module is to;

use the network authentication inputs stored in the wireless network authentication algorithm input memory portion to authenticate the wireless device, and to separately use the application authentication inputs stored in the authentication algorithm input memory portion to authenticate one of the one or more applications to the remote application server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Pre Shared Keys (“PSK”) for application and data session security are generated using application authentication secret values stored in a SIM device/card. The SIM internally uses the secret values as inputs to a security algorithm engine, but the secret values are not accessible outside of the SIM. The application authentication secret values cannot be used to authenticate the SIM, or a device that includes the SIM, to a communication network. Rather, symmetric keys and keying material are generated for use by applications outside of the standard and conventional wireless networking uses of a SIM device. Updated PSKs are generated at different network endpoints such that the PSKs are generated individually and separately at the endpoints; the ‘preshared’ keys are not actually shared. Thus, a client endpoint and a server endpoint, or an endpoint associated with the server, independently generate the same PSK without the PSK being transmitted between the endpoints.

Citations

20 Claims

1. A system, comprising:
- an identity module having;
  
  a wireless network authentication algorithm input memory portion for storing network authentication inputs used to authenticate a wireless device that uses the identity module for communication over a wireless communication network;
  
  an application authentication algorithm input memory portion for storing application authentication inputs used to authenticate one or more applications executed by the wireless device to a remote application server;
  
  an authentication algorithm processing engine; and
  
  wherein the authentication algorithm processing engine of the identity module is to;
  
  use the network authentication inputs stored in the wireless network authentication algorithm input memory portion to authenticate the wireless device, and to separately use the application authentication inputs stored in the authentication algorithm input memory portion to authenticate one of the one or more applications to the remote application server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the authentication algorithm processing engine is a Milenage engine.
  - 3. The system of claim 1, wherein the remote application server has stored therein the application authentication inputs.
  - 4. The system of claim 1, wherein the identity module is a SIM card.
  - 5. The system of claim 3, wherein the remote application server includes mobile application middleware that facilitates accessibility between the wireless device that includes the identity module and a private network backend server.
  - 6. The system of claim 1, wherein the application authentication algorithm processing engine, substantially simultaneously with the remote application server that performs a similar application authentication algorithm, determines a working pre-shared key for use during a data session with the remote application server, wherein the application authentication inputs stored in the authentication algorithm input memory portion of the identity module are used to determine the working pre-shared key.
  - 7. The system of claim 6, wherein the pre-shared key is not shared with the remote application server.
  - 8. The system of claim 1, wherein the authentication algorithm processing engine of the identity module is further to generate a new pre-shared key for use in encrypting and decrypting data of a secure communication session between the one or more applications associated with a device that includes the identity module and the remote application server.
  - 9. The system of claim 8, wherein the authentication algorithm processing engine generates a new pre-shared key when a determination is made at either the remote application server or at the device that includes the identity module to generate a new pre-shared key for use by the remote application server and the device that includes the identity module for a data session there between.
  - 10. The system of claim 1, wherein the authentication of the one or more applications executed by the wireless device to a remote application server includes generating a value for use as a pre-shared key (PSK) for use in securely communicating data with the remote application server.

11. A method, comprising:
- transmitting from a first network endpoint to a second network endpoint over a communication network a message to request establishment of a secure session;
  
  receiving from the second network endpoint a message requesting that the first endpoint update an existing pre-shared key that is unique to the first endpoint for use for the secure session;
  
  transmitting a pre-shared key identifier (PSK-ID) from the first endpoint to the second network endpoint;
  
  receiving at the first endpoint a first random number, a second random number, and a remote endpoint authentication value from the second network endpoint, wherein the remote endpoint authentication value is based on secret data that is accessible only by the second endpoint and that is associated with the pre-shared key identifier (PSK-ID) and wherein the remote endpoint authentication value includes a network authentication code (MAC);
  
  generating, with an authentication algorithm processing engine of an identity module associated with the first endpoint, an expected network authentication code (XMAC) and a result value (RES) by processing secret data, which is associated in the identity module with the first endpoint, with the first random number if the received network authentication code (MAC) equals the expected network authentication code (XMAC),transmitting the result value RES from the first endpoint to the second endpoint; and
  
  generating at the first endpoint a new pre-shared key to replace the existing pre-shared key when the first endpoint receives a message from the second endpoint that the second endpoint has successfully generated a new pre-shared key for use for secure communication by the first endpoint, wherein the new pre-shared key generated by the first endpoint is based on the second random number, the secret data that is associated with the first endpoint in the identity module, and values included in the remote endpoint authentication value.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the first endpoint is a SIM card of a wireless communication device.
  - 13. The method of claim 11, wherein the second endpoint is a pre-shared key generator.
  - 14. The method of claim 13, wherein the pre-shared key generator is part of a communication network that includes a remote application server with which the first endpoint seeks to establish the secure session.
  - 15. The method of claim 12, wherein the SIM card contains an application authentication algorithm input memory portion for storing application authentication inputs, including the secret data, used by an authentication algorithm processing engine that is to generate the pre-shared Key (PSK) that matches the new pre-shared key generated by the second endpoint;
    - wherein the pre-shared key is a combination of outputs generated from more than one execution of the algorithm processing engine;
      
      and wherein each of the more than one execution of the algorithm processing engine uses a different set of authentication algorithm inputs stored in the application authentication algorithm input memory portion.

16. A method, comprising:
- receiving from a first endpoint at a second endpoint over a communication network a message to request establishment of a secure session;
  
  determining that an existing pre-shared key that had been established for use with secure communications sessions with the first endpoint should be updated at the first and second endpoints;
  
  transmitting from the second endpoint a message requesting that the first endpoint update an existing pre-shared key for use for the secure session;
  
  receiving a pre-shared key identifier (PSK-ID) from the first network endpoint at the second network endpoint, wherein the PSK-ID is unique to the first endpoint;
  
  transmitting to the first network endpoint a first random number, a second random number, and a remote endpoint authentication value, wherein the remote endpoint authentication value is based on secret data that is accessible only by the second network device and that is associated with the pre-shared key identifier (PSK-ID) and wherein the remote endpoint authentication value includes a network authentication code (MAC);
  
  receiving from the first endpoint a result value RES;
  
  evaluating the result value (RES) received from the first endpoint; and
  
  transmitting, based on of the evaluation of the result value (RES), a message to the first endpoint that the second endpoint has successfully generated a new pre-shared key for use for secure communication with the first endpoint, wherein the new pre-shared key generated by the second network endpoint is based on the second random number, the secret data that is associated with the pre-shared key identifier (PSK-ID), and the result value (RES).
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the first endpoint is a SIM card of a wireless communication device;
    - and wherein the pre-shared key is unique to the first endpoint.
  - 18. The method of claim 17, wherein the SIM card contains an application authentication algorithm input memory portion for storing application authentication inputs used to authenticate one or more applications executed by the wireless device to a remote application server and an authentication algorithm processing engine that is to use the application authentication inputs stored in the authentication algorithm input memory portion to authenticate one of the one or more applications to the remote application server, wherein the authentication of the one or more applications to the remote application server includes generating at the SIM card a pre-shared Key (PSK) that matches the PSK generated by the second endpoint;
    - wherein the pre-shared key is a combination of outputs generated from more than one execution of the algorithm processing engine; and
      
      wherein each of the more than one execution of the algorithm processing engine uses a different set of authentication algorithm inputs stored in the application authentication algorithm input memory portion.
  - 19. The method of claim 16, wherein the determination that a new pre-shared Key (PSK) should be generated is based on predetermined trigger event logic, the trigger event logic being that a new PSK must be generated for every request for a new secure session.
  - 20. The method of claim 16, wherein the determination that a new pre-shared Key (PSK) should be generated is based on predetermined trigger event logic, the trigger event logic being that a new PSK must be generated after a predetermined period has elapsed since the existing pre-shared Key was established.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
M2MD Technologies, Inc.
Original Assignee
M2MD Technologies, Inc.
Inventors
Link, II, Charles M.
Primary Examiner(s)
Parsons, Theodore C
Assistant Examiner(s)
Wickramasuriya, Sameera

Application Number

US15/141,487
Publication Number

US 20170272944A1
Time in Patent Office

964 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2209/80   Wireless

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/3234   involving additional secure...

H04W 12/041   Key generation or derivation

H04W 12/069   using certificates or pre-s...

H04W 4/70   Services for machine-to-mac...

H04W 76/10   Connection setup

Method and system for managing security keys for user and M2M devices in a wireless communication network environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for managing security keys for user and M2M devices in a wireless communication network environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links