Communication between a communication device and a network device

US 10,659,447 B2
Filed: 07/24/2018
Issued: 05/19/2020
Est. Priority Date: 02/27/2015
Status: Active Grant

First Claim

Patent Images

1. A communication device for communicating with a network device of a communication network, the communication device comprising:

at least one processor circuit; and

at least one memory connected to the at least one processor circuit and storing program instructions that are executed by the at least one processor to perform operations comprising;

receiving, via a network, an authentication request from the network device, the authentication request comprising a challenge, a challenge verification code, a first Diffie-Hellman (DH) parameter, and a first verification code for the first DH parameter;

forwarding said challenge and said challenge verification code to an identity module used by the communication device to provide authentication request challenge responses for the communication device to connect to the communication network, wherein the identity module is hardware based and is physically connected to the communication device;

receiving at least one result parameter as a response from the identity module, the at least one result parameter having been generated by the identity module and being one of a ciphering key (CK), an integrity key (1K) and a response parameter (RES);

determining, based on said result parameter and said first verification code, whether said first DH parameter is authentic; and

responsive to determining that the first DH parameter is authentic, generating a second DH parameter and a second verification code that is based on the second DH parameter and sending, through the network, the second DH parameter, the second verification code, and the response parameter in an authentication response message to the network device for the network device to generate a session key for communication with the communication device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication device of a communication network receives, via a network, a challenge, generates a first Diffie Hellman, DH, parameter, a first verification code for the first DH parameter, forwards the challenge or a derivative thereof to an identity module, receives at least one result parameter as response from the identity module, determines, based on the result parameter, whether the first DH parameter is authentic, and if the first DH parameter is authentic, generates and sends a second DH parameter to the network device for session key generation based on the first DH parameter and the second DH parameter.

45 Citations

View as Search Results

28 Claims

1. A communication device for communicating with a network device of a communication network, the communication device comprising:
- at least one processor circuit; and
  
  at least one memory connected to the at least one processor circuit and storing program instructions that are executed by the at least one processor to perform operations comprising;
  
  receiving, via a network, an authentication request from the network device, the authentication request comprising a challenge, a challenge verification code, a first Diffie-Hellman (DH) parameter, and a first verification code for the first DH parameter;
  
  forwarding said challenge and said challenge verification code to an identity module used by the communication device to provide authentication request challenge responses for the communication device to connect to the communication network, wherein the identity module is hardware based and is physically connected to the communication device;
  
  receiving at least one result parameter as a response from the identity module, the at least one result parameter having been generated by the identity module and being one of a ciphering key (CK), an integrity key (1K) and a response parameter (RES);
  
  determining, based on said result parameter and said first verification code, whether said first DH parameter is authentic; and
  
  responsive to determining that the first DH parameter is authentic, generating a second DH parameter and a second verification code that is based on the second DH parameter and sending, through the network, the second DH parameter, the second verification code, and the response parameter in an authentication response message to the network device for the network device to generate a session key for communication with the communication device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 21, 22, 23, 24, 25)
- - 2. The communication device of claim 1, being further operative to generate a session key for communication between the communication device and the network device, said session key being based on values used for generating the first DH parameter and the second DH parameter.
  - 3. The communication device of claim 2, wherein the session key is based on the first DH parameter and an exponent of the second DH parameter.
  - 4. The communication device according to claim 3, wherein said session key being further based on values used for generating the first DH parameter and the second DH parameter.
  - 5. The communication device according to claim 1, wherein the communication device comprises a mobile equipment comprising the at least one processor circuit and the at least one memory, the mobile equipment configured to receive the challenge from the network, perform said forwarding, receive the at least one result parameter, determine whether the first DH parameter is authentic and generate and send the second DH parameter and the second verification code that is based on the second DH parameter.
  - 6. The communication device according to claim 1, wherein the communication device contains an interface to releasably retain and electrically communicate with the identity module, wherein said identity module is configured to perform key and cryptographic processing operations.
  - 7. The communication device according to claim 1, wherein the first verification code comprises a message authentication code based on at least the first DH parameter.
  - 8. The communication device according to claim 7, wherein said message authentication code is based on HMAC/SHA-256.
  - 9. The communication device according to claim 1, wherein to forward said challenge to an identity module, the at least one processor circuit is configured to send a derivative of the challenge to the identity module.
  - 10. The communication device according to claim 9, wherein the derivative is a hash of the challenge.
  - 11. The communication device according to claim 1, wherein the authentication request comprises an authentication request message comprising the first verification code in a corresponding separate information element of the authentication request message and the at least one processor circuit of the communication device determines the authenticity of the first DH parameter based on the first verification code.
  - 12. The communication device according to claim 1, wherein the first verification code is provided as at least part of the challenge verification code and the at least one processor circuit of the communication device determines the authenticity of the first DH parameter based on the identity module providing said at least one result parameter.
  - 13. The communication device according to claim 12, wherein the challenge is based on the first DH parameter.
  - 14. The communication device according to claim 1, the at least one processor circuit being further configured to generate the second verification code based on at least one of the at least one result parameters and when being configured to send the authentication response message is operative to send the second verification code in an information element assigned to the response parameter.
  - 15. The communication device according to claim 1, wherein the second verification code is generated as a message authentication code based on at least the second DH parameter.
  - 16. The communication device of claim 1 wherein the second verification code is a hash of the second DH parameter.
  - 18. The method according to claim 16, comprising generating a session key for communication between the communication device and the network device, said session key being based on values used for generating the first DH parameter and the second DH parameter.
  - 21. The method according to claim 16, wherein the authentication request comprises an authentication request message comprising the first verification code in a corresponding separate information element of the authentication request message and the determination of the authenticity of the first DH parameter is made using the first verification code.
  - 22. The method according to claim 16, wherein the first verification code is provided as at least a part of the challenge verification code and the determination of the authenticity of the first DH parameter comprises determining the authenticity based on the identity module providing said at least one result parameter.
  - 23. The method according to claim 16, further comprising basing the second verification code on the response parameter and the sending of the authentication response comprises sending the second verification code in an information element of the authentication response message assigned to the response parameter.
  - 24. The method according to claim 16, wherein forwarding said challenge to an identity module comprises forwarding a derivative of the challenge to the identity module.
  - 25. The method device according to claim 24, wherein the derivative is a hash of the challenge.

17. A method for a communication device in communication with a network device of a communication network, the method being performed by the communication device and comprising:
- receiving, via a network, an authentication request from the network device, the authentication request comprising a challenge, a challenge verification code, a first Diffie-Hellman (DH) parameter, and a first verification code for the first DH parameter;
  
  forwarding said challenge and said challenge verification code to an identity module used by the communication device to provide authentication request challenge responses for the communication device to connect to the communication network, wherein the identity module is hardware based and is physically connected to the communication device;
  
  receiving at least one result parameter as a response from the identity module, the at least one result parameter having been generated by the identity module and being one of a ciphering key (CK), an integrity key (IK) and a response parameter (RES);
  
  determining, based on said result parameter and said first verification code, whether said first DH parameter is authentic; and
  
  responsive to determining that the first DH parameter is authentic, generating a second DH parameter and a second verification code that is based on the secon DH parameter, and sending, through the network, the second DH parameter, the second verification code, and the response parameter in an authentication response message to the network device for the network device to generate a session key for communication with the communication device.
- View Dependent Claims (19, 20, 26)
- - 19. The method according to claim 17, wherein the session key is based on the first DH parameter and an exponent of the second DH parameter.
  - 20. The method according to claim 17, wherein said session key being at least further based on values used for generating the first DH parameter and the second DH parameter.
  - 26. The method of claim 17 wherein the second verification code is a hash of the second DH parameter.

27. A computer program product comprising a non-transitory computer-readable storage medium storing program code for a communication device in communication with a network device of a communication network, the program code, which when run in the communication device, causes the communication device to:
- receive, via a network, an authentication request from the network device, the authentication request comprising a challenge, a challenge verification code, a first Diffie-Hellman (DH) parameter, and a first verification code for the first DH parameter;
  
  forward said challenge and said challenge verification code to an identity module used by the communication device to provide authentication request challenge responses for the communication device to connect to the communication network, wherein the identity module is hardware based and is physically connected to the communication device;
  
  receive at least one result parameter as a response from the identity module, the at least one result parameter having been generated by the identity module and being one of a ciphering key (CK), an integrity key (IK) and a response parameter (RES);
  
  determine, based on said result parameter and said first verification code, whether said first DH parameter is authentic; and
  
  responsive to determining the first DH parameter is authentic, generate a second DH parameter and a second verification code and send, through the network, the second DH parameter, the second verification code, and the response parameter in an authentication response message to the network device for session key generation based on the first DH parameter and the second DH parameter.
- View Dependent Claims (28)
- - 28. The computer program product of claim 27 wherein the second verification code is a hash of the second DH parameter.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Naslund, Mats, Sahlin, Bengt, Norrman, Karl, Arkko, Jari
Primary Examiner(s)
Lwin, Maung T

Application Number

US16/043,842
Publication Number

US 20180332021A1
Time in Patent Office

665 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/602   Providing cryptographic fac...

H04L 2463/082   applying multi-factor authe...

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 63/0869   for achieving mutual authen...

H04L 63/123   received data contents, e.g...

H04L 9/0816   Key establishment, i.e. cry...

H04L 9/0844   with user authentication or...

H04L 9/3271   using challenge-response

H04W 12/041   Key generation or derivation

H04W 12/0431   Key distribution or pre-dis...

H04W 12/069   using certificates or pre-s...

H04W 12/10   Integrity

Communication between a communication device and a network device

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Communication between a communication device and a network device

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others