Session protocol for backward security between paired devices

US 10,271,209 B2
Filed: 09/23/2016
Issued: 04/23/2019
Est. Priority Date: 06/12/2016
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine readable medium storing a program which when executed by a set of processing units of a first device establishes a secured session with a second device, the program comprising sets of instructions for:

establishing a communication session between the first and second devices using first and second shared keys stored at the first and second devices, respectively, the establishing comprising applying a one-way function to the first shared key to update the first shared key to match the second shared key when a local value corresponding to the first shared key differs from a received remote value corresponding to the second shared key;

exchanging encrypted data between the first and second devices as a part of the communication session;

upon completion of the communication session, deriving, using the one-way function, a modified first shared key from the first shared key at the first device, wherein a modified second shared key is derived from the second shared key at the second device using the one-way function; and

storing the modified first shared key at the first device, wherein the encrypted data of the completed communication session and previous communication sessions are undecryptable using the first shared key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide a method for establishing a secured session with backward security between a first device and a second device. In some embodiments, the method establishes a communication session between the first and second devices using shared keys stored at the first and second devices. The method exchanges encrypted data between the first and second devices as a part of the communication session. The method, upon completion of the communication session, modifies the shared key at the first device in a predictable way. The shared key is modified at the second device in the same predictable way. The method then stores the modified shared key at the first device. The modified shared key cannot be used to decrypt any portion of the encrypted data of the current and previous communication sessions.

Citations

33 Claims

1. A non-transitory machine readable medium storing a program which when executed by a set of processing units of a first device establishes a secured session with a second device, the program comprising sets of instructions for:
- establishing a communication session between the first and second devices using first and second shared keys stored at the first and second devices, respectively, the establishing comprising applying a one-way function to the first shared key to update the first shared key to match the second shared key when a local value corresponding to the first shared key differs from a received remote value corresponding to the second shared key;
  
  exchanging encrypted data between the first and second devices as a part of the communication session;
  
  upon completion of the communication session, deriving, using the one-way function, a modified first shared key from the first shared key at the first device, wherein a modified second shared key is derived from the second shared key at the second device using the one-way function; and
  
  storing the modified first shared key at the first device, wherein the encrypted data of the completed communication session and previous communication sessions are undecryptable using the first shared key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The non-transitory machine readable medium of claim 1, wherein the set of instructions for establishing a communication session comprises a set of instructions for sending a message to the second device, the message comprising a key identifier, wherein the second device uses the key identifier to identify the second shared key at the second device.
  - 3. The non-transitory machine readable medium of claim 2, wherein the first device is associated with a user account, wherein the key identifier is associated with the user account.
  - 4. The non-transitory machine readable medium of claim 3, wherein a plurality of devices is associated with the user account and each device of the plurality of devices uses the same key identifier.
  - 5. The non-transitory machine readable medium of claim 1, wherein the set of instructions for establishing a communication session comprises sets of instructions for:
    - sending a message to the second device, the message comprising a verification value;
      
      receiving a response comprising the verification value; and
      
      verifying that the verification value has not been modified.
  - 6. The non-transitory machine readable medium of claim 1, wherein the set of instructions for establishing a communication session comprises sets of instructions for:
    - identifying the local value for the first shared key;
      
      receiving a first message from the second device comprising the remote value for the second shared key.
  - 7. The non-transitory machine readable medium of claim 6, wherein the first message further comprises an encrypted portion, wherein the set of instructions for establishing the communication session further comprises a set of instructions for decrypting the encrypted portion of the first message based on a derived key that is derived using the updated shared key.
  - 8. The non-transitory machine readable medium of claim 6, wherein the set of instructions for establishing a communication session further comprises:
    - based on a local entropy value generated at the first device and a remote entropy value received in the first message from the second device, generating a session key; and
      
      sending a second message to the second device, wherein the second message comprises the local entropy value, wherein the second device uses the local entropy value and the remote entropy value to generate the session key, wherein the generated session keys are used to encrypt and decrypt the encrypted data exchanged between the first and second devices.
  - 9. The non-transitory machine readable medium of claim 8, wherein the second message is encrypted based on the derived key.
  - 10. The non-transitory machine readable medium of claim 6, wherein the set of instructions for identifying the local value comprises a set of instructions for, when the device is connected to a cloud service, receiving the local value and the first shared key from the cloud service.
  - 11. The non-transitory machine readable medium of claim 10, wherein the set of instructions for storing the modified shared key at the first device comprises storing the updated shared key and an updated local value with the cloud service.
  - 12. The non-transitory machine readable medium of claim 1, wherein the set of instructions for deriving the modified first shared key from the first shared key at the first device comprises a set of instructions for applying a one-way function to the first shared key at the first device to derive the modified first shared key from the first shared key.
  - 13. The non-transitory machine readable medium of claim 1, wherein the set of instructions for establishing a communication session comprises sets of instructions for:
    - receiving a message from the second device, wherein the message comprising a key identifier; and
      
      identifying the shared key and a local count at the first device based on the key identifier.
  - 14. The non-transitory machine readable medium of claim 1, wherein the program further comprises a set of instructions for pairing the devices, which comprises sets of instructions for:
    - communicating with the second device to generate the first and second shared keys at the first and second devices; and
      
      storing the generated first shared key at a cloud service associated with the first device, wherein the second device stores the generated second shared key at a storage of the second device.

15. A method of a first device for establishing a secured session with a second device, the method comprising:
- establishing a communication session between the first and second devices using first and second shared keys stored at the first and second devices, the establishing comprising applying a one-way function to the first shared key to update the first shared key to match the second shared key when a local value corresponding to the first shared key differs from a received remote value corresponding to the second shared key;
  
  exchanging encrypted data between the first and second devices as a part of the communication session;
  
  upon completion of the communication session, modifying, using the one-way function, the shared key at the first device, wherein the shared key is modified at the second device using the one-way function independent of the first device; and
  
  storing the modified shared key at the first device, wherein the modified shared key cannot be used to decrypt any portion of the encrypted data of the completed communication session and previous communication sessions.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein establishing a communication session comprises sending a message to the second device, the message comprising a key identifier, wherein the second device uses the key identifier to identify the second shared key at the second device.
  - 17. The method of claim 16, wherein the first device is associated with a user account, wherein the key identifier is associated with the user account.
  - 18. The method of claim 17, wherein a plurality of devices is associated with the user account and each device of the plurality of devices uses the same key identifier.
  - 19. The method of claim 15, wherein establishing a communication session comprises:
    - receiving a first message from the second device comprising the remote value for the second shared key.

20. A device comprising:
- a memory; and
  
  at least one processor configured to;
  
  establish a communication session between first and second devices using first and second shared keys stored at the first and second devices, the establishing comprising applying a one-way function to the first shared key to update the first shared key to match the second shared key when a local value corresponding to the first shared key differs from a received remote value corresponding to the second shared key;
  
  exchanging encrypted data between the first and second devices as a part of the communication session;
  
  upon completion of the communication session, modify, using the one-way function, the shared key at the first device, wherein the shared key is modified at the second device using the one-way function; and
  
  store the modified shared key at the first device, wherein the modified shared key cannot be used to decrypt any portion of the encrypted data of the completed communication session and previous communication sessions.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 21. The device of claim 20, wherein the at least one processor is configured to establish the communication session by:
    - sending a message to the second device, the message comprising a key identifier, wherein the second device uses the key identifier to identify the second shared key at the second device.
  - 22. The device of claim 21, wherein the first device is associated with a user account, wherein the key identifier is associated with the user account.
  - 23. The device of claim 22, wherein a plurality of devices are associated with the user account and each device of the plurality of devices uses the same key identifier.
  - 24. The device of claim 20, wherein the at least one processor is configured to establish the communication session by:
    - sending a message to the second device, the message comprising a verification value;
      
      receiving a response comprising the verification value; and
      
      verifying that the verification value has not been modified.
  - 25. The device of claim 20, wherein the at least one processor is configured to establish the communication session by:
    - identifying the local value for the first shared key;
      
      receiving a first message from the second device comprising the remote value for the second shared key.
  - 26. The device of claim 25, wherein the first message further comprises an encrypted portion, and the at least one processor is configured to establish the communication session by decrypting the encrypted portion of the first message based on a derived key that is derived using the updated shared key.
  - 27. The device of claim 26, wherein the second message is encrypted based on the derived key.
  - 28. The device of claim 25, wherein the at least one processor is configured to establish the communication session by:
    - based on a local entropy value generated at the first device and a remote entropy value received in the first message from the second device, generating a session key; and
      
      sending a second message to the second device, wherein the second message comprises the local entropy value, wherein the second device uses the local entropy value and the remote entropy value to generate the session key, wherein the generated session keys are used to encrypt and decrypt the encrypted data exchanged between the first and second devices.
  - 29. The device of claim 25, wherein the at least one processor is configured to identify the local value by, when the device is connected to a cloud service, receiving the local value and the first shared key from the cloud service.
  - 30. The device of claim 29, wherein the at least one processor is configured to store the modified shared key at the first device by storing the updated shared key and an updated local value with the cloud service.
  - 31. The device of claim 20, wherein the at least one processor is configured to derive the modified first shared key from the first shared key at the first device by applying a one-way function to the first shared key at the first device to derive the modified first shared key from the first shared key.
  - 32. The device of claim 20, wherein the at least one processor is configured to establish a communication session by:
    - receiving a message from the second device, wherein the message comprising a key identifier; and
      
      identifying the shared key and a local count at the first device based on the key identifier.
  - 33. The device of claim 20, wherein the at least one processor is further configured to:
    - communicate with the second device to generate the first and second shared keys at the first and second devices; and
      
      store the generated first shared key at a cloud service associated with the first device, wherein the second device stores the generated second shared key at a storage of the second device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Adler, Mitchell D., Sierra, Yannick L., Batta, Ganesha A. G., Giles, Michael, Srivatsa, Akshay M., Dooley, Craig P., Hariharan, Sriram, Watson, Robert D.
Primary Examiner(s)
Cribbs, Malcolm

Application Number

US15/275,231
Publication Number

US 20170359717A1
Time in Patent Office

942 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 2209/80   Wireless

H04L 2463/061   applying further key deriva...

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

H04W 12/03   Protecting confidentiality,...

H04W 12/041   Key generation or derivation

H04W 12/0471   Key exchange

H04W 12/42   using virtual identity modules

H04W 84/18   Self-organising networks, e...

Session protocol for backward security between paired devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Session protocol for backward security between paired devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links