Method and system for managing security keys for user and M2M devices in a wireless communication network environment
First Claim
1. A system, comprising:
- an identity module having;
a wireless network authentication algorithm input memory portion for storing network authentication inputs used to authenticate a wireless device that uses the identity module for communication over a wireless communication network;
an application authentication algorithm input memory portion for storing application authentication inputs used to authenticate one or more applications executed by the wireless device to a remote application server;
an authentication algorithm processing engine; and
wherein the authentication algorithm processing engine of the identity module is to;
use the network authentication inputs stored in the wireless network authentication algorithm input memory portion to authenticate the wireless device, and to separately use the application authentication inputs stored in the authentication algorithm input memory portion to authenticate one of the one or more applications to the remote application server.
1 Assignment
0 Petitions
Accused Products
Abstract
Pre Shared Keys (“PSK”) for application and data session security are generated using application authentication secret values stored in a SIM device/card. The SIM internally uses the secret values as inputs to a security algorithm engine, but the secret values are not accessible outside of the SIM. The application authentication secret values cannot be used to authenticate the SIM, or a device that includes the SIM, to a communication network. Rather, symmetric keys and keying material are generated for use by applications outside of the standard and conventional wireless networking uses of a SIM device. Updated PSKs are generated at different network endpoints such that the PSKs are generated individually and separately at the endpoints; the ‘preshared’ keys are not actually shared. Thus, a client endpoint and a server endpoint, or an endpoint associated with the server, independently generate the same PSK without the PSK being transmitted between the endpoints.
-
Citations
20 Claims
-
1. A system, comprising:
an identity module having; a wireless network authentication algorithm input memory portion for storing network authentication inputs used to authenticate a wireless device that uses the identity module for communication over a wireless communication network; an application authentication algorithm input memory portion for storing application authentication inputs used to authenticate one or more applications executed by the wireless device to a remote application server; an authentication algorithm processing engine; and wherein the authentication algorithm processing engine of the identity module is to;
use the network authentication inputs stored in the wireless network authentication algorithm input memory portion to authenticate the wireless device, and to separately use the application authentication inputs stored in the authentication algorithm input memory portion to authenticate one of the one or more applications to the remote application server.- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
11. A method, comprising:
-
transmitting from a first network endpoint to a second network endpoint over a communication network a message to request establishment of a secure session; receiving from the second network endpoint a message requesting that the first endpoint update an existing pre-shared key that is unique to the first endpoint for use for the secure session; transmitting a pre-shared key identifier (PSK-ID) from the first endpoint to the second network endpoint; receiving at the first endpoint a first random number, a second random number, and a remote endpoint authentication value from the second network endpoint, wherein the remote endpoint authentication value is based on secret data that is accessible only by the second endpoint and that is associated with the pre-shared key identifier (PSK-ID) and wherein the remote endpoint authentication value includes a network authentication code (MAC); generating, with an authentication algorithm processing engine of an identity module associated with the first endpoint, an expected network authentication code (XMAC) and a result value (RES) by processing secret data, which is associated in the identity module with the first endpoint, with the first random number if the received network authentication code (MAC) equals the expected network authentication code (XMAC),transmitting the result value RES from the first endpoint to the second endpoint; and generating at the first endpoint a new pre-shared key to replace the existing pre-shared key when the first endpoint receives a message from the second endpoint that the second endpoint has successfully generated a new pre-shared key for use for secure communication by the first endpoint, wherein the new pre-shared key generated by the first endpoint is based on the second random number, the secret data that is associated with the first endpoint in the identity module, and values included in the remote endpoint authentication value. - View Dependent Claims (12, 13, 14, 15)
-
-
16. A method, comprising:
-
receiving from a first endpoint at a second endpoint over a communication network a message to request establishment of a secure session; determining that an existing pre-shared key that had been established for use with secure communications sessions with the first endpoint should be updated at the first and second endpoints; transmitting from the second endpoint a message requesting that the first endpoint update an existing pre-shared key for use for the secure session; receiving a pre-shared key identifier (PSK-ID) from the first network endpoint at the second network endpoint, wherein the PSK-ID is unique to the first endpoint; transmitting to the first network endpoint a first random number, a second random number, and a remote endpoint authentication value, wherein the remote endpoint authentication value is based on secret data that is accessible only by the second network device and that is associated with the pre-shared key identifier (PSK-ID) and wherein the remote endpoint authentication value includes a network authentication code (MAC); receiving from the first endpoint a result value RES; evaluating the result value (RES) received from the first endpoint; and transmitting, based on of the evaluation of the result value (RES), a message to the first endpoint that the second endpoint has successfully generated a new pre-shared key for use for secure communication with the first endpoint, wherein the new pre-shared key generated by the second network endpoint is based on the second random number, the secret data that is associated with the pre-shared key identifier (PSK-ID), and the result value (RES). - View Dependent Claims (17, 18, 19, 20)
-
Specification