Method and system for establishing a secure communication channel

US 10,356,090 B2
Filed: 10/08/2015
Issued: 07/16/2019
Est. Priority Date: 10/09/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising a first terminal and a second terminal, whereinthe first terminal having a first hardware processor configured to initiate a communication session with the second terminal by:

sending a first session request to a server for initiating a communication channel with the second terminal;

receiving a first session response from the server, said first response including an identifier for a session channel and a combination of key data for the first terminal and key data for the second terminal;

sending a second session request to the second terminal including an identifier and a key encryption seed for the first terminal;

receiving a third session response from the second terminal, said third session response including a key encryption seed for the second terminal; and

establishing a connection over the session channel, and whereinthe first terminal is further configured to authenticate the server by;

generating a first authentication token (AT), being a data structure to be used for authenticating a first computing device, such as a terminal to a second computing device, such as a server; and

sending the first authentication token (AT) to the server;

wherein the second terminal has a second processor and is configured to perform;

receiving the second session request from the first terminal;

sending a third session request to the server for initiating a communication channel with said first terminal;

receiving a second session response from the server, said second response including the identifier for the session channel and a combination of key data for the first terminal and key data for the second terminal;

sending said third session response to the first terminal; and

establishing a connection over the session channel, whereby a communication channel is established between the first and the second terminal over the session channel, and whereinthe server is configured to perform;

receiving the first authentication token (AT) and authenticate it;

generating a second authentication token for the first terminal; and

send the second authentication token (AT) to the first terminal,whereby the first terminal is further configured to perform;

receiving the second authentication token (AT) and authenticate it, thereby performing a mutual authentication of the first terminal and the server, and wherein the server is further configured to generate a third authentication token for the second terminal and send it to the first terminal, wherein the first terminal is further configured to perform receiving the third authentication token (AT) and sending it to the second terminal, wherein the second terminal is configured to perform receiving and authenticating the third authentication token thereby performing an authentication of the server and the first terminal, and whereinthe first terminal is further configured to generate a same symmetric encryption key based on the key encryption seed for the first terminal and the combination of key data for the first terminal and key data for the second terminal in combination with the key encryption seed for the second terminal and the combination of key data for the first terminal and key data for the second terminal, andthe second terminal is further configured to generate a symmetric encryption key based on the key encryption seed for the second terminal and the combination of key data for the first terminal and key data for the second terminal in combination with and the key encryption seed for the first terminal and the combination of key data for the first terminal and key data for the second terminal,whereby the same symmetric encryption key is generated for the first terminal and the second terminal.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first terminal initiates a communication session with a second terminal by sending a first session request to a server for initiating a communication channel with the second terminal, receiving a first session response from the server, said first response including an identifier for a session channel and data relevant to the second terminal, sending a second session request to the second terminal including an identifier for the first terminal, receiving a third session response from the second terminal, and establishing a connection over the session channel.

Citations

10 Claims

1. A system comprising a first terminal and a second terminal, whereinthe first terminal having a first hardware processor configured to initiate a communication session with the second terminal by:
- sending a first session request to a server for initiating a communication channel with the second terminal;
  
  receiving a first session response from the server, said first response including an identifier for a session channel and a combination of key data for the first terminal and key data for the second terminal;
  
  sending a second session request to the second terminal including an identifier and a key encryption seed for the first terminal;
  
  receiving a third session response from the second terminal, said third session response including a key encryption seed for the second terminal; and
  
  establishing a connection over the session channel, and whereinthe first terminal is further configured to authenticate the server by;
  
  generating a first authentication token (AT), being a data structure to be used for authenticating a first computing device, such as a terminal to a second computing device, such as a server; and
  
  sending the first authentication token (AT) to the server;
  
  wherein the second terminal has a second processor and is configured to perform;
  
  receiving the second session request from the first terminal;
  
  sending a third session request to the server for initiating a communication channel with said first terminal;
  
  receiving a second session response from the server, said second response including the identifier for the session channel and a combination of key data for the first terminal and key data for the second terminal;
  
  sending said third session response to the first terminal; and
  
  establishing a connection over the session channel, whereby a communication channel is established between the first and the second terminal over the session channel, and whereinthe server is configured to perform;
  
  receiving the first authentication token (AT) and authenticate it;
  
  generating a second authentication token for the first terminal; and
  
  send the second authentication token (AT) to the first terminal,whereby the first terminal is further configured to perform;
  
  receiving the second authentication token (AT) and authenticate it, thereby performing a mutual authentication of the first terminal and the server, and wherein the server is further configured to generate a third authentication token for the second terminal and send it to the first terminal, wherein the first terminal is further configured to perform receiving the third authentication token (AT) and sending it to the second terminal, wherein the second terminal is configured to perform receiving and authenticating the third authentication token thereby performing an authentication of the server and the first terminal, and whereinthe first terminal is further configured to generate a same symmetric encryption key based on the key encryption seed for the first terminal and the combination of key data for the first terminal and key data for the second terminal in combination with the key encryption seed for the second terminal and the combination of key data for the first terminal and key data for the second terminal, andthe second terminal is further configured to generate a symmetric encryption key based on the key encryption seed for the second terminal and the combination of key data for the first terminal and key data for the second terminal in combination with and the key encryption seed for the first terminal and the combination of key data for the first terminal and key data for the second terminal,whereby the same symmetric encryption key is generated for the first terminal and the second terminal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system according to claim 1, wherein the first terminal is configured to be installed in the system by the server being configured to:
    - identify the first terminal;
      
      generate key generation data comprising at least one data seed;
      
      distribute the at least one data seed to the first terminal;
      
      generate key data and meta data based on said at least one data seed and a function, such as a cryptographic hash function;
      
      store an identifier for the first terminal along with the key data and the meta data for the first terminal, wherein the first terminal is arranged to;
      
      receive the at least one data seed from the server;
      
      generate key data and meta data based on said at least one data seed and the same function; and
      
      store the key data and the meta data, wherein the key data and the meta data stored in the first terminal are the same as the key data and the meta data stored in the server.
  - 3. The system according to claim 1, wherein the server is configured to:
    - generate a first processing file (PF1) for the first terminal based on the key data for the first terminal (KD1) and a combination (CKD) of key data for the first terminal (KD1) and key data for the second terminal (KD2);
      
      generate a second processing file (PF2) for the second terminal based on the key data for the second terminal (KD2) and a combination (CKD) of key data for the first terminal (KD1) and key data for the second terminal (KD2); and
      
      send the first processing file (PF1) to the first terminal and the second processing file to the second terminal;
      
      wherein the first terminal is configured to;
      
      receive the first processing file (PF1);
      
      extract combined key data (CKD) from the first processing file (PF1);
      
      generate a first random key seed and send it to the second terminal;
      
      receive a second random key seed from the second terminal;
      
      wherein the second terminal is configured to;
      
      receive the second processing file (PF2);
      
      extract combined key data (CKD) from the second processing file (PF2);
      
      generate the second random key seed and send it to the first terminal;
      
      receive the first random key seed from the first terminal;
      
      whereby the first terminal and the second terminal are each configured to;
      
      input the combined key data (CKD) and the first random seed into a function;
      
      input the combined key data (CKD) and the second random seed into the same function; and
      
      concatenate the results of the functions into the symmetric encryption key, each terminal thereby generating each copy of the symmetric encryption key.
  - 4. The system according to claim 1, wherein the first terminal the second terminal and/or the server are arranged to generate an authentication token (AT) being a data structure to be used for authenticating a first computing device, such as a terminal to a second computing device, such as a server, wherein the first terminal, the second terminal and/or the server are configured to:
    - generate at least one index;
      
      retrieve a portion of the meta data (MTS), the portion being a portion of the data set starting at a position in the data set given by the index; and
      
      include the portion in the authentication token (AT).
  - 5. The system according to claim 1, wherein the first terminal the second terminal and/or the server are arranged to authenticate an authentication token being a data structure to be used for authenticating one of the first terminal, the second terminal and/or the server to another one of the first terminal, the second terminal and/or the server, wherein the first terminal, the second terminal and/or the server are configured to:
    - receive an authentication token from another of the first terminal, the second terminal and/or the server;
      
      retrieve at least one index;
      
      retrieve corresponding portion(s) from the meta data (MTS);
      
      compare the corresponding portion(s) to portion(s) in the authentication token; and
      
      authenticate the other of the first terminal, the second terminal and/or the server if the corresponding portion(s) match(es) the portion(s) of the authentication token.
  - 6. The system according to claim 1, wherein the system is an apparatus comprising at least one second terminal and the first terminal is an external device to be connected to the second terminal.
  - 7. The system according to claim 6, wherein said apparatus is configured for executing a server application.
  - 8. The system according to claim 6, wherein said apparatus is configured for communicating with the server.

9. A method for establishing a secure communication channel in a system comprising a first terminal and a second terminal, wherein the method comprises:
- the first terminal sending a first session request to a server for initiating a communication channel with the second terminal;
  
  the first terminal receiving a first session response from the server, said first response including an identifier for a session channel and a combination of key data for the first terminal and key data for the second terminal;
  
  the first terminal sending a second session request to the second terminal including an identifier and a key encryption seed for the first terminal;
  
  the first terminal generating a first authentication token (AT), being a data structure to be used for authenticating a first computing device, such as a terminal to a second computing device, such as a server;
  
  the first terminal sending the first authentication token (AT) to the server;
  
  the second terminal receiving the second session request from the first terminal;
  
  the second terminal sending a third session request to the server for initiating a communication channel with said first terminal;
  
  the second terminal receiving a second session response from the server, said second response including the identifier for the session channel and a combination of key data for the first terminal and key data for the second terminal;
  
  the second terminal sending a third session response to the first terminal, said third session response including a key encryption seed for the second terminal;
  
  the first terminal receiving said third session response from the second terminal;
  
  the first terminal establishing a connection over the session channel and the second terminal establishing a connection over the session channel, whereby a communication channel is established between the first and the second terminal over the session channel;
  
  the server receiving the first authentication token (AT) and authenticate it;
  
  the server generating a second authentication token for the first terminal;
  
  the server sending the second authentication token (AT) to the first terminal;
  
  the first terminal receiving the second authentication token (AT) and authenticate it, thereby performing a mutual authentication of the first terminal and the server;
  
  the server generating a third authentication token (AT) for the second terminal;
  
  the server sending the third authentication token (AT) to the first terminal,the first terminal receiving the third authentication token (AT) and sending it to the second terminal, andthe second terminal receiving and authenticating the third authentication token (AT) thereby performing an authentication of the server and the first terminal and wherein the method further comprises;
  
  the first terminal generating the same symmetric encryption key based on the key encryption seed for the first terminal and the combination of key data for the first terminal and key data for the second terminal in combination with the key encryption seed for the second terminal and the combination of key data for the first terminal and key data for the second terminal, andthe second terminal generating a symmetric encryption key based on the key encryption seed for the second terminal and the combination of key data for the first terminal and key data for the second terminal in combination with the key encryption seed for the first terminal and the combination of key data for the first terminal and key data for the second terminal,whereby the same symmetric encryption key is generated for the first terminal and the second terminal, andwherein the first terminal and second terminal have at least one hardware processor.

10. A non-transitory computer readable storage medium encoded with instructions that, when executed on by one or more processors, cause the one or more processors to perform:
- sending, by a first terminal, a first session request to a server for initiating a communication channel with the second terminal;
  
  receiving, by the first terminal a first session response from the server, said first response including an identifier for a session channel and a combination of key data for the first terminal and key data for the second terminal;
  
  sending, by the first terminal, a second session request to the second terminal including an identifier and a key encryption seed for the first terminal;
  
  generating, by the first terminal, a first authentication token (AT), being a data structure to be used for authenticating a first computing device such as a terminal to a second computing device, such as a server;
  
  sending, by the first terminal, the first authentication token (AT) to the server;
  
  receiving, by the second terminal, the second session request from the first terminal;
  
  sending, by the second terminal, a third session request to the server for initiating a communication channel with said first terminal;
  
  receiving, by the second terminal, a second session response from the server, said second response including the identifier for the session channel and a combination of key data for the first terminal and key data for the second terminal;
  
  sending, by the second terminal, a third session response to the first terminal, said third session response including a key encryption seed for the second terminal;
  
  receiving, by the first terminal, said third session response from the second terminal;
  
  establishing, by the first terminal, a connection over the session channel and the second terminal establishing a connection over the session channel, whereby a communication channel is established between the first and the second terminal over the session channel;
  
  receiving, by the server, the first authentication token (AT) and authenticate it;
  
  generating, by the server, a second authentication token for the first terminal;
  
  sending, by the server, the second authentication token (AT) to the first terminal;
  
  receiving, by the first terminal, the second authentication token (AT) and authenticate it, thereby performing a mutual authentication of the first terminal and the server;
  
  generating, by the server, a third authentication token (AT) for the second terminal;
  
  sending, by the server, the third authentication token (AT) to the first terminal, receiving, by the first terminal, the third authentication token (AT) and sending it to the second terminal, andreceiving and authenticating, by the second terminal, the third authentication token (AT) thereby performing an authentication of the server and the first terminaland wherein the method further comprises;
  
  generating, by the first terminal, the same symmetric encryption key based on the key encryption seed for the first terminal and the combination of key data for the first terminal and key data for the second terminal in combination with the key encryption seed for the second terminal and the combination of key data for the first terminal and key data for the second terminal, andgenerating, by the second terminal, a symmetric encryption key based on the key encryption seed for the second terminal and the combination of key data for the first terminal and key data for the second terminal in combination with the key encryption seed for the first terminal and the combination of key data for the first terminal and key data for the second terminal,whereby the same symmetric encryption key is generated for the first terminal and the second terminal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kelisec AB
Original Assignee
Kelisec AB
Inventors
Revell, Elise
Primary Examiner(s)
Rahim, Monjur

Application Number

US15/516,946
Publication Number

US 20170310665A1
Time in Patent Office

1,377 Days
Field of Search

380279
US Class Current
CPC Class Codes

G06F 21/445   by mutual authentication, e...

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/0819   Key transport or distributi...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0869   involving random numbers or...

H04L 9/14   using a plurality of keys o...

H04L 9/3226   using a predetermined code,...

H04L 9/3273   for mutual authentication n...

Method and system for establishing a secure communication channel

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for establishing a secure communication channel

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links